On Mon, 30 Dec 2019, 14:55 shrikant kalani <shrikantkal...@gmail.com> wrote:

> Enrico,
>
> Is 3.6 going to be available soon ? Within 1 month ?
>

I can't make promises.
It is up to the community.
I can say we are actively preparing the release.
You will see, hopefully next week, a VOTE email thread on
d...@zookeeper.apache.org mailing list.

If you try it and report that it is working for you, this will be a good
contribution to the community.

Cheers
Enrico

>
> Thanks
> Srikant Kalani
>
> Sent from my iPhone
>
> > On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > If you try to use wrong credentials, corrupted keytab...you won't be able
> > to read/write.
> > Connection maybe is allowed
> >
> > Enrico
> >
> > On Mon, 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
> >
> >> Just to confirm the settings I have in my environment:
> >>
> >> 1. On ZK side, my JAAS file looks like this:
> >> Server {
> >>       com.sun.security.auth.module.Krb5LoginModule required
> >>       useKeyTab=true
> >>       keyTab="/conf/zoo1.keytab"
> >>       storeKey=true
> >>       useTicketCache=false
> >>       principal="zookeeper/z...@example.com";
> >> };
> >> The principal "zookeeper/z...@example.com" has been
> >> created in Kerberos server running locally. I am able to start ZK with this
> >> principal and I can see ticket exchange between ZK and Kerberos for this
> >> principal.
> >>
> >> 2. On client (Curator) side, JAAS file looks like below. Principal
> >> "zkcli...@example.com" is present in Kerberos server. The curator is able
> >> to connect properly to ZK (with or without principal) even though SASL is
> >> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
> >> authentication.
> >> Client {
> >>       com.sun.security.auth.module.Krb5LoginModule required
> >>       useKeyTab=true
> >>       keyTab="/tmp/zkclient.keytab"
> >>       storeKey=true
> >>       useTicketCache=false
> >>       principal="zkcli...@example.com";
> >> };
> >>
> >> Just want to make sure my settings are correct.
> >>
> >> Thanks
> >>
> >>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com>
> >>> wrote:
> >>>
> >>> Arpit,
> >>> Up to 3.5.x you can leverage auth only in conjunction with ACLs.
> >>>
> >>> I hope we are able to release 3.6.0 within a couple of weeks.
> >>>
> >>> If you have time you can build from branch-3.6 and run the server enabling
> >>> that feature that you are pointing to.
> >>> It is a server side change only so you can use 3.5 in your application
> >>>
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >>>
> >>>> Couple of things which you can check -
> >>>> 1) if your Zookeeper server is not running with Zookeeper id then you
> >>>> need to set zookeeper.sasl.client.username
> >>>> 2) set java.security.auth.login.config
> >>>>
> >>>> And I also faced the same issue that there is no strict enforcement to
> >>>> allow only authenticated client. Unless someone is aware of the way I doubt
> >>>> we may need to wait for 3.6
> >>>>
> >>>> Thanks
> >>>> Srikant
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
> >>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> >>>>> any authentication happening between Zookeeper client (curator) and ZK
> >>>>> server. I have put the following setting in zoo.cfg and followed this guide:
> >>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >>>>>
> >>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >>>>> requireClientAuthScheme=sasl
> >>>>>
> >>>>> What additional setting do I need to provide so that only authenticated
> >>>>> clients (for which principals are present in Kerberos server) can connect
> >>>>> to ZK server?
> >>>>> I also found this link
> >>>>> https://github.com/apache/zookeeper/pull/118/commits which
> >>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> >>>>> does not enforce it even if we have the configuration.
> >>>>>
> >>>>> Thanks
> >>>>
> >>>
> >>
>
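
An added example, not code from any message in this thread or from the ZooKeeper project: a small audit of zoo.cfg text that reports whether client SASL authentication is actually required, given the point above that 3.5.x does not enforce it. It assumes `sessionRequireClientSASLAuth` is the 3.6.0+ server option for strict enforcement (the thread does not name it); the function names and sample configs are constructed for illustration.

```python
# Added example: audit zoo.cfg text for client SASL enforcement.
# Assumption: sessionRequireClientSASLAuth is the ZooKeeper 3.6.0+ server
# option for strict enforcement; the thread itself does not name it.
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
STRICT_KEY = "sessionRequireClientSASLAuth"

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(cfg_text, server_version):
    """Return (enforced, findings) for a server version such as '3.5.5'."""
    props = parse_cfg(cfg_text)
    version = tuple(int(p) for p in server_version.split(".")[:2])
    findings = []
    has_provider = any(k.startswith("authProvider.") and v == SASL_PROVIDER
                       for k, v in props.items())
    strict = props.get(STRICT_KEY, "").lower() == "true"
    if not has_provider:
        findings.append("no authProvider.N entry for SASLAuthenticationProvider")
    if version < (3, 6):
        findings.append("server is older than 3.6: unauthenticated clients can "
                        "still connect, so restrict znodes with sasl ACLs")
    elif not strict:
        findings.append(STRICT_KEY + " is not true: SASL is offered but not required")
    return (has_provider and strict and version >= (3, 6)), findings

# Constructed samples: the first repeats the two zoo.cfg lines from the thread.
CFG_FROM_THREAD = """\
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""
CFG_STRICT = CFG_FROM_THREAD + "sessionRequireClientSASLAuth=true\n"

if __name__ == "__main__":
    for cfg, ver in [(CFG_FROM_THREAD, "3.5.5"), (CFG_STRICT, "3.6.0")]:
        enforced, findings = audit(cfg, ver)
        print(ver, "enforced" if enforced else "NOT enforced", findings)
```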
