curator-user mailing list archives

From Jordan Zimmerman <jor...@jordanzimmerman.com>
Subject Re: multiple curator frameworks mixed authentication modes
Date Wed, 16 Dec 2015 20:35:36 GMT
That stuff happens inside of ZooKeeper.java itself, right? If so, there’s nothing Curator can
do about it. Maybe ask on the ZK list?

> On Dec 16, 2015, at 3:00 PM, Dave Ariens <dariens@blackberry.com> wrote:
> 
> Sorry, don't follow.  Let me try and re-phrase:
> 
> If I launch a JVM with -Djava.security.auth.login.config=jaas.conf
> 
> and that jaas.conf contains:
> 
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="dariens.keytab"
>   storeKey=true
>   useTicketCache=false
>   serviceName="zookeeper"
>   debug=true
>   principal="dariens@MY.EXAMPLE";
> };
> 
> When my application starts I instantiate a CuratorFramework object connection to a ZK
> cluster that authenticates new connections via SASLAuthenticationProvider and of course this
> works as expected.
> 
> I now need to instantiate another new CuratorFramework object to another ZK cluster that
> does not perform SASL authentication and any attempt to get/set data results in the errors
> below.
> 
> Is there a configuration that I can apply when instantiating CuratorFrameworks that will
> not automatically use SaslAuthentication when a JAAS login context is present?
> 
> [2015-12-16 19:47:15,427] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2015-12-16 19:47:15,427] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
> [2015-12-16 19:47:15,427] ERROR Authentication failed (org.apache.curator.ConnectionState)
> 
> From: Jordan Zimmerman [jordan@jordanzimmerman.com]
> Sent: Wednesday, December 16, 2015 2:39 PM
> To: user@curator.apache.org
> Subject: Re: multiple curator frameworks mixed authentication modes
> 
> Check your code. There are no static/global values in Curator.
> 
> -JZ
> 
>> On Dec 16, 2015, at 2:29 PM, Dave Ariens <dariens@blackberry.com> wrote:
>> 
>> My Java application needs to talk to two ZK clusters.
>> 
>> Cluster one is configured with `authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider SASLAuthenticationProvider`
>> and cluster two is not.
>> 
>> At first glance it would appear that this isn't possible as all curator frameworks
>> instantiated in my JVM are attempting to perform SASL authentication when the JVM is launched
>> with the JAAS configuration containing 'Client' configuration.
>> 
>> Any chance I'm missing something or is this a known restriction?

