Chad, I was looking into something related to this recently and I think your description is accurate. Unfortunately, the ZooKeeper client relies heavily on system properties, which isn't great for talking to a bunch of different systems like NiFi.

One thing I would be curious about, what value do you have in nifi.properties for nifi.zookeeper.auth.type= ? If it is not set, or is set to default, then the Z-Nodes created by NiFi would not be created with SASL and would have an ACL open to everyone, so then setting zookeeper.sasl.client=false probably doesn't impact anything with your NiFi cluster.

If nifi.zookeeper.auth.type=sasl then I wonder if you set zookeeper.sasl.client=false, would your NiFi cluster fail to read its own Z-Nodes on next restart? I've been wanting to try this for a while, but haven't had time.

-Bryan

On Fri, Aug 2, 2019 at 3:09 PM Chad Woodhead <[email protected]> wrote:
>
> I’m building a flow that uses ExecuteSQL to query data from Phoenix on top of
> a Kerberized Ambari Metrics’ HBase (it hits the AMS Zookeeper). I ran into
> issues and the logs showed NiFi (also kerberized) was getting auth failed
> when connecting to ZNode.
>
> To confirm I had all my proper AMS conf files and phoenix jars, I tried
> tweaking the DBCP and customizing the phoenix-client.jar for this specific
> Hbase (using many links online of people doing this same thing), but
> unfortunately didn’t resolve the Znode error.
>
> I realized that by default AMS does not create the Znode on Zookeeper secure
> with SASL, and by default NiFi has zookeeper.sasl.client=true causing NiFi to
> use SASL for zookeeper client connections. So I tested setting
> ‘java.arg.X=-Dzookeeper.sasl.client=false’ in my bootstrap.conf file and
> finally NiFi was able to successfully connect and query the data.
>
> I don’t have much experience with SASL and Znodes, so I wanted to know if
> there are any issues I can run into by setting it to false? Or even just
> going against security recommendations?
>
> Am I understanding it correctly that if zookeeper.sasl.client=true then NiFi
> can ONLY connect to Znodes that use SASL, and if zookeeper.sasl.client=false
> then NiFi can ONLY connect to Znodes that do not use SASL?
>
> Any help would be appreciated!
>
> Thanks,
> Chad
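
An added example, not part of either message above and not NiFi code: a Python check that reads the two settings this thread turns on, nifi.zookeeper.auth.type in nifi.properties and a JVM-wide -Dzookeeper.sasl.client= argument in bootstrap.conf, and reports which combination an installation has. The file contents are constructed samples, and the function names, finding labels and the java.arg number are assumptions made for illustration.

```python
import re

SASL_FLAG = re.compile(r"-Dzookeeper\.sasl\.client=(\S+)")

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' only: java.arg values contain '=' themselves.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def zk_sasl_settings(nifi_properties, bootstrap_conf):
    """Return (auth_type, sasl_client_override, finding) for the two files' text."""
    nifi = parse_properties(nifi_properties)
    # Unset or empty is treated like "default", as in the reply above.
    auth_type = nifi.get("nifi.zookeeper.auth.type", "").lower() or "default"
    override = None  # None means bootstrap.conf does not set the flag
    for key, value in parse_properties(bootstrap_conf).items():
        match = SASL_FLAG.fullmatch(value)
        if key.startswith("java.arg.") and match:
            override = match.group(1).lower()
    if override != "false":
        finding = "no-override"
    elif auth_type == "sasl":
        # The case the reply asks about: SASL ACLs on NiFi's own Z-Nodes while
        # every ZooKeeper client in the JVM has SASL switched off.
        finding = "sasl-acls-with-sasl-client-disabled"
    else:
        # Per the reply: Z-Nodes created by NiFi have an ACL open to everyone.
        finding = "open-acls-with-sasl-client-disabled"
    return auth_type, override, finding

# Constructed samples, not real configuration files.
SAMPLE_NIFI = """\
nifi.zookeeper.connect.string=zk1.example.test:2181
nifi.zookeeper.auth.type=sasl
"""
SAMPLE_BOOTSTRAP = """\
java.arg.2=-Xms512m
java.arg.20=-Dzookeeper.sasl.client=false
"""

if __name__ == "__main__":
    print(zk_sasl_settings(SAMPLE_NIFI, SAMPLE_BOOTSTRAP))
```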
