Hello Andrzej,

In ZooKeeper, the authentication is not enforced by default, meaning that
even if you fail to authenticate (or don't even provide any credentials)
you can still connect to ZooKeeper, but your session won't have any user
attached to it. So you will be able to see/modify only the ZNodes that are
granting permission to the "world" user. There are several server side
options to change this behaviour. I think you are looking for the
"enforce.auth.enabled=true" option, see here:
https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions

(I remember there is some other option, which will disable the "fallback to
world user" behaviour (so terminating the session if you connect with wrong
credentials, but still letting you connect without providing any credentials).
I remember seeing this in the code, but don't see it in the documentation.
If you would need this one, I can dig deeper.)

Kind regards,
Máté

On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
andrzej.trzec...@exelaonline.com> wrote:

> Hi,
>
> I’m having trouble implementing the simplest zookeeper (v 3.7.0)
> authentication using just username and password and the ‘digest’ mechanism.
>
> I tried various config properties, but none of them worked.
>
> The problem is, that when I connect giving the wrong credentials I am
> still being successfully authenticated instead of being rejected.
>
> My setup below (including options I have tried, but which didn't work, so I
> commented them out):
>
> *Zoo.cfg:*
>
> #SASL----------------------------------------------------------------------------
> #authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> #authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> #requireClientAuthScheme=sasl
> #sessionRequireClientSASLAuth=true
> #set.acl=true
> DigestAuthenticationProvider.enabled=true
> enforce.auth.enabled=true
> enforce.auth.schemes=digest
> #SASL END--------------------------------------------------------------------------
>
> *Jaas_config:*
>
> Server {
>        org.apache.zookeeper.server.auth.DigestLoginModule required
>        user_super="adminsecret"
>        user_bob="bobsecret";
> };
>
> *Client code:*
>
> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
>                 .connectString(connectUris(zookeeper, "zookeeper:2181"))
>                 .connectionStateErrorPolicy(connectionStateErrorPolicy)
>                 .retryPolicy(retryPolicy)
>                 .aclProvider(aclProvider)
>                 .connectionTimeoutMs(10000)
>                 .sessionTimeoutMs(sessionTimeout);
>         if (zookeeperAuthEnabled) {
>             // credentials deliberately wrong, to test rejection
>             builder.authorization("digest", "kuku:adminsecret4".getBytes());
>         }
>         curatorClient = builder.build();
>         curatorClient.getConnectionStateListenable().addListener((c, s) -> {
>             connectionState = s;
>             log.info(MessageFormat.format("CuratorState [State={0},Connected={1}]",
>                     s.name(), s.isConnected()));
>         });
>         curatorClient.start();
>         try {
>             curatorClient.blockUntilConnected();
>             leaderLatch = initLeadership();
>         } catch (InterruptedException e) {
>             log.info(e);
>         }
>
>
>
> As a result, when the application starts I get a successful authentication and
> a message in the zookeeper console:
>
> 2021-12-14 14:08:45,854 [myid:] - INFO
> [NIOWorkerThread-13:ZooKeeperServer@1623] - got auth packet /
> 192.168.43.169:49753
> 2021-12-14 14:08:45,854 [myid:] - INFO
> [NIOWorkerThread-13:ZooKeeperServer@1642] - Session 0x1004d2f28d00001:
> auth success for scheme digest and address /192.168.43.169:49753
>
>
>
>
>
> *Andrzej Trzeciak*
> Senior System Engineer
>

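The behaviour Máté describes above, as an added model (not ZooKeeper's or Curator's own code): with the "digest" scheme the server accepts any user:password pair and simply attaches the identity user:base64(sha1(user:password)) to the session, so a wrong password still logs "auth success"; what the session may touch is then decided per znode by its ACL, and a session without any identity matches only world:anyone. The enforce.auth.enabled check is a simplified stand-in for the server-side option, and the ACLs and credentials are constructed sample values.

```python
import base64
import hashlib

# Constructed model of ZooKeeper's "digest" scheme and znode ACL check (not ZooKeeper code).

def digest_id(user_pass: str) -> str:
    """Identity attached for a digest auth packet: 'user:base64(sha1(user:pass))'."""
    user = user_pass.split(":", 1)[0]
    sha = hashlib.sha1(user_pass.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha).decode('ascii')}"

def add_auth(session_ids: list, scheme: str, credential: str) -> str:
    """Digest auth keeps no password database: any user:pass is accepted as the session
    identity (hence 'auth success' for kuku:adminsecret4); the znode ACL decides later."""
    if scheme != "digest":
        return "auth failed"  # only the digest scheme is modelled
    session_ids.append(("digest", digest_id(credential)))
    return "auth success"

def acl_allows(acl: list, session_ids: list, perm: str) -> bool:
    """acl entries are (scheme, id, perms); a session with no ids matches only world:anyone."""
    for scheme, ident, perms in acl:
        if perm in perms and (scheme, ident) in [("world", "anyone"), *session_ids]:
            return True
    return False

def read_znode(acl: list, session_ids: list, enforce_auth: bool = False,
               enforce_schemes: tuple = ("digest",)) -> str:
    """Simplified enforce.auth.enabled: refuse sessions that never authenticated with an
    accepted scheme (enforce.auth.schemes); otherwise the znode ACL decides."""
    if enforce_auth and not any(s in enforce_schemes for s, _ in session_ids):
        return "SESSION_REJECTED"
    return "OK" if acl_allows(acl, session_ids, "r") else "NOAUTH"

WORLD_ACL = [("world", "anyone", "cdrwa")]                    # constructed sample ACLs
BOB_ACL = [("digest", digest_id("bob:bobsecret"), "cdrwa")]

def scenarios() -> dict:
    anon, wrong, bob = [], [], []
    assert add_auth(wrong, "digest", "kuku:adminsecret4") == "auth success"  # wrong password
    add_auth(bob, "digest", "bob:bobsecret")
    return {
        "anon_world": read_znode(WORLD_ACL, anon),                  # OK: world:anyone
        "wrong_bob": read_znode(BOB_ACL, wrong),                    # NOAUTH: id is not bob's
        "bob_bob": read_znode(BOB_ACL, bob),                        # OK
        "anon_enforced": read_znode(WORLD_ACL, anon, enforce_auth=True),  # SESSION_REJECTED
    }
```

Without the enforce option the wrongly-authenticated session is indistinguishable from an anonymous one: it connects, reads world-readable znodes, and only fails when it touches a znode whose ACL names a specific digest identity.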