It worked. Now, I'm going to try the SSL configuration.
Thank you!

On Thu, Nov 26, 2020 at 3:21 AM Damien Diederen <[email protected]> wrote:

> Hi Guilherme,
>
> > I am not using ZK with Kafka yet. I use ZK to store lots of information and
> > they are getting more important and critical to our applications, so having
> > authentication working properly is becoming a requirement.
>
> Sure.
>
> > Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> > the process running, the argument is being passed correctly, but zookeeper
> > is still allowing anonymous connections.
>
> Configuring JAAS is one half of the puzzle. The half you seem to be
> missing is 'sessionRequireClientSASLAuth', as provided and documented in
> versions 3.6+:
>
> https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html
>
> >> zookeeper.sessionRequireClientSASLAuth : (Java system property only:
> >> zookeeper.sessionRequireClientSASLAuth) New in 3.6.0: When set to
> >> true, ZooKeeper server will only accept connections and requests from
> >> clients that have authenticated with server via SASL. […]
>
> > (I don't think *requireClientAuthScheme=sasl* is being considered)
>
> Indeed. I see lots of reference to 'requireClientAuthScheme' on the
> Internet, but that is not a recognized property!
>
> HTH, -D
>
>
> --- Original message follows ---
>
> Guilherme Ramos <[email protected]> writes:
>
> > Hi again!
> >
> > I am not using ZK with Kafka yet. I use ZK to store lots of information and
> > they are getting more important and critical to our applications, so having
> > authentication working properly is becoming a requirement.
> >
> > So, as Enrico Olivelli asked in the other email, here it is:
> >
> > *docker-compose:*
> > zk:
> >   image: zookeeper
> >   restart: always
> >   container_name: zk
> >   networks:
> >     net:
> >       ipv4_address: 172.30.0.100
> >   ports:
> >     - 3181:2181
> >     - 2180:8080
> >   environment:
> >     - ZOO_AUTOPURGE_PURGEINTERVAL:12
> >     #- ZOO_CLIENT_USER:user_super
> >     #- ZOO_CLIENT_PASSWORD:secret
> >     #- ZOO_ENABLE_AUTH:yes
> >     - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf
> >   volumes:
> >     - /var/data/services/zk/data:/data
> >     - /var/data/services/zk/datalog:/datalog
> >     - /var/data/services/zk/conf:/conf
> >     - /var/data/services/zk/logs:/logs
> >
> > First, I tried to use those commented out environment variables (in red). No
> > success.
> > Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> > the process running, the argument is being passed correctly, but zookeeper
> > is still allowing anonymous connections.
> >
> >
> > */conf/zoo.cfg*
> > clientPort=2181
> > dataDir=/data
> > dataLogDir=/datalog
> > tickTime=2000
> > initLimit=5
> > syncLimit=2
> > autopurge.snapRetainCount=3
> > autopurge.purgeInterval=0
> > maxClientCnxns=60
> > standaloneEnabled=true
> > admin.enableServer=false
> > server.1=localhost:2888:3888;2181
> > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > *requireClientAuthScheme=sasl *
> >
> > (I don't think *requireClientAuthScheme=sasl* is being considered)
> >
> > *zoo_jaas.conf*
> > Client {
> >   org.apache.zookeeper.server.auth.DigestLoginModule required
> >   username="client"
> >   password="client_password";
> > };
> > Server {
> >   org.apache.zookeeper.server.auth.DigestLoginModule required
> >   user_kafka="kafka_password";
> > };
> >
> >
> > In the past, our company would only allow JBOSS deployments. So I was
> > embedding zookeeper as a web app, starting the QuorumPeerMain class
> > manually and that worked perfectly.
> > It was version 3.4.0, if I am not wrong.
> >
> > This time I don't want to extend docker images, I would like to use your
> > original one, making use of proper configuration.
> >
> > Please, please, please help me.
> >
> > Thank you in advance,
> > Guilherme
>
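
The two halves discussed in the thread (a JAAS login config plus the sessionRequireClientSASLAuth system property), written as a configuration check. This is an added example, not part of the original messages or of ZooKeeper itself; the function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed inputs that mirror the settings quoted in the thread.
ZOO_CFG = """\
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""
JVMFLAGS_BEFORE = "-Djava.security.auth.login.config=/conf/zoo_jaas.conf"
JVMFLAGS_AFTER = JVMFLAGS_BEFORE + " -Dzookeeper.sessionRequireClientSASLAuth=true"

def parse_cfg(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_jvm_props(flags):
    """Collect -Dname=value system properties from a JVMFLAGS string."""
    return dict(re.findall(r"-D([^=\s]+)=(\S+)", flags))

def audit(zoo_cfg, jvmflags, version):
    """Return findings; an empty list means clients must authenticate via SASL."""
    cfg, sysprops = parse_cfg(zoo_cfg), parse_jvm_props(jvmflags)
    findings = []
    # The quoted documentation marks the enforcement property "New in 3.6.0".
    if tuple(int(p) for p in version.split(".")[:2]) < (3, 6):
        findings.append("server older than 3.6.0: sessionRequireClientSASLAuth unavailable")
    if "java.security.auth.login.config" not in sysprops:
        findings.append("no JAAS login config passed to the JVM")
    # Only the JVM flag is checked, as the documentation describes it as a
    # Java system property.
    enforce = sysprops.get("zookeeper.sessionRequireClientSASLAuth", "")
    if enforce.lower() != "true":
        findings.append("sessionRequireClientSASLAuth not set: anonymous sessions accepted")
    if "requireClientAuthScheme" in cfg:
        findings.append("requireClientAuthScheme is not a recognized property")
    return findings

if __name__ == "__main__":
    for label, flags in (("before", JVMFLAGS_BEFORE), ("after", JVMFLAGS_AFTER)):
        print(label, audit(ZOO_CFG, flags, "3.6.2"))
```

With the flags from the original compose file the check reports that anonymous sessions are still accepted; once the system property is appended to JVMFLAGS, only the leftover requireClientAuthScheme line is reported.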
