Hello Sebastian,

In general I think you did configure ZooKeeper just fine. A few remarks:

- I am not sure how ZooKeeper server-server authentication is expected to work when you only use a single server. Would you mind trying to start a Quorum with e.g. 3 servers?
- also, I think it is a good idea to avoid using 0.0.0.0 as hostname, especially if you would run the cluster on multiple different servers / docker containers. Try using the fully qualified domain name for a multi-server setup, or if you just test multiple ZooKeeper servers on the same machine, then just use 127.0.0.1. (maybe it has no effect in the current case, but for SSL or for dynamic reconfig it might be bad to use 0.0.0.0. Also I remember problems with rolling restarts when using 0.0.0.0 in the config)
- is there a reason why you set 'quorum.auth.learnerRequireSasl' and 'quorum.auth.serverRequireSasl' to false? Using false is usually a good idea during rolling upgrade, but if you start a new cluster and want to use server-server authentication, then you can just set them to true.

I don't understand why you got the exception "No JAAS configuration section named 'Server' was found" ... Setting the loginContext should have fixed that. If you still see the same issue with the 3 server setup, then can you please share the config files, the command you use to start ZooKeeper and also the log files with us, so that we can look deeper?

Kind regards,
Mate

On Tue, Feb 11, 2020 at 2:56 AM Sebastian Schmitz <[email protected]> wrote:

> Hello,
>
> I'm currently looking into enabling the Auth between Zookeeper-Servers
> and found this documentation:
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>
> However, when I use the config from the document (for Digest-MD5) I get
> this exception in Zookeeper 3.4.14 and also 3.5.6, which I tried because
> I thought using latest version could help:
> java.io.IOException: No JAAS configuration section named 'Server' was
> found in '/opt/zookeeper-cluster/zookeeper/conf/jaas.conf
>
> And of course that's right, because there's only QuorumServer and
> QuorumClient in the jaas.conf:
>
> jaas.conf:
> QuorumServer {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_zookeeper="test";
> };
>
> QuorumClient {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="zookeeper"
>     password="test";
> };
>
> I also tried renaming the QuorumServer to just "Server". No change.
>
> My zoo.cfg:
> tickTime=2000
> initLimit=10
> syncLimit=5
> dataDir=/mnt/zk_data
> clientPort=2181
> dataLogDir=/mnt/zk_data_log
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=24
> quorum.auth.enableSasl=true
> quorum.auth.learnerRequireSasl=false
> quorum.auth.serverRequireSasl=false
> quorum.auth.learner.loginContext=QuorumLearner
> quorum.auth.server.loginContext=QuorumServer
> quorum.cnxn.threads.size=20
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> secureClientPort=2281
> server.1=0.0.0.0:2888:3888
>
> Any idea what I could try? Or maybe there's some better document on how
> to achieve this?
>
> Thank you
>
> Sebastian
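
An added example, not part of the thread and not ZooKeeper's own code: a small Python check that cross-references the quorum SASL settings quoted above against the section names in jaas.conf and reports the points raised in the reply (RequireSasl flags set to false, 0.0.0.0 in a server line). The function names are hypothetical, and the sample input is constructed from the configuration quoted in the message.

```python
import re
# Constructed sample input: the quorum-related lines quoted in the thread.
ZOO_CFG = """\
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=false
quorum.auth.serverRequireSasl=false
quorum.auth.learner.loginContext=QuorumLearner
quorum.auth.server.loginContext=QuorumServer
server.1=0.0.0.0:2888:3888
"""
JAAS_CONF = """\
QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_zookeeper="test";
};
QuorumClient {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="zookeeper"
    password="test";
};
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def jaas_sections(text):
    """Return the names of the top-level 'Name { ... };' sections."""
    return set(re.findall(r"^\s*([A-Za-z_][\w.-]*)\s*\{", text, re.MULTILINE))

def check_quorum_sasl(zoo_cfg, jaas_conf):
    """Return a list of findings for the quorum SASL settings."""
    props, sections, findings = parse_properties(zoo_cfg), jaas_sections(jaas_conf), []
    if props.get("quorum.auth.enableSasl", "false").lower() != "true":
        return ["quorum.auth.enableSasl is not true: quorum SASL is off"]
    for role in ("learner", "server"):
        ctx = props.get(f"quorum.auth.{role}.loginContext")
        if ctx and ctx not in sections:  # login context names a missing section
            findings.append(f"{role} loginContext '{ctx}' has no section in jaas.conf")
        if props.get(f"quorum.auth.{role}RequireSasl", "false").lower() != "true":
            findings.append(f"quorum.auth.{role}RequireSasl is not true")
    for key, value in props.items():
        if re.fullmatch(r"server\.\d+", key) and value.startswith("0.0.0.0:"):
            findings.append(f"{key} uses 0.0.0.0 as hostname")
    return findings
```

Calling check_quorum_sasl(ZOO_CFG, JAAS_CONF) on the quoted files returns four findings, the first being that the learner login context QuorumLearner has no matching section, since jaas.conf defines QuorumClient instead.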
