Just one note: I think the Kerberos authentication is still "plain text". If you need wire encryption, then you also need to enable SSL. (You can do that in a dual mode too, so you can run a ZooKeeper server with both plain-text and SSL ports open. Or you can even use the same port for both plain-text and SSL communication, see config parameter "zookeeper.client.portUnification".)

On Thu, Jul 8, 2021 at 6:24 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:

> Hello Dene,
>
> Currently if you enable Kerberos authentication, then the clients are
> still able to connect to ZooKeeper without any authentication. Of course
> they won't be able to access / change any ZNodes protected by ACLs, but
> they can join and will be authenticated automatically as "world:anyone" and
> will be able to read / modify any ZNode where you haven't configured any
> ACL.
>
> You can enforce authentication (maybe using this zoo.cfg property?
> zookeeper.sessionRequireClientSASLAuth
> see here:
> https://zookeeper.apache.org/doc/current/zookeeperAdmin.html#ch_administration
> ) but AFAIK this feature is disabled by default. So you should be good to
> make this transition iteratively. But it's worth testing :)
>
> Kind regards,
> Mate
>
> On Thu, Jul 8, 2021 at 5:07 PM Hamado Dene <hamadod...@yahoo.com.invalid>
> wrote:
>
>> Hi Everyone,
>> We will need to switch our existing system using zookeeper (without sasl
>> auth) to Kerberos authentication. Since our system is quite large, is it
>> possible to configure zookeeper to accept both plaintext connections and
>> connections with Kerberos authentication?
>> If this is possible, it would allow us to program a plan to restart our
>> application, without causing major disservices to customers.
>> Thanks for your help,
>>
>> Hamado Dene
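
The following is an added example, not part of the original thread and not ZooKeeper project code: a small audit that reads a zoo.cfg and reports which of the mixed-mode conditions discussed above still hold (SASL not enforced, plaintext accepted, no TLS listener). It assumes the settings are written in zoo.cfg without the "zookeeper." system-property prefix; the sample file and the finding names are constructed for illustration.

```python
# Added example: audit a zoo.cfg for the transition settings named in the thread.
# Assumption: keys appear in zoo.cfg without the "zookeeper." system-property prefix.

SAMPLE_CFG = """\
# constructed sample for a mixed-mode transition, not a real deployment
clientPort=2181
secureClientPort=2281
sessionRequireClientSASLAuth=false
client.portUnification=false
"""

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return findings that still hold while the ensemble is in mixed mode."""
    cfg = parse_cfg(text)

    def enabled(key):
        return cfg.get(key, "false").lower() == "true"  # both default to false

    findings = []
    if not enabled("sessionRequireClientSASLAuth"):
        # Unauthenticated sessions are accepted and can touch ZNodes without ACLs.
        findings.append("sasl-not-enforced")
    if "clientPort" in cfg:
        # clientPort speaks plaintext; with port unification it accepts TLS as well.
        findings.append("plaintext-accepted")
    if "secureClientPort" not in cfg and not (
        "clientPort" in cfg and enabled("client.portUnification")
    ):
        findings.append("no-tls-listener")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

An empty result means every session must authenticate with SASL and only a TLS listener is configured; each remaining finding marks a step of the transition that is still open.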