curator-user mailing list archives

From Dave Ariens <dari...@blackberry.com>
Subject RE: multiple curator frameworks mixed authentication modes
Date Wed, 16 Dec 2015 20:00:33 GMT
Sorry, don't follow.  Let me try and re-phrase:

If I launch a JVM with -Djava.security.auth.login.config=jaas.conf

and that jaas.conf contains:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="dariens.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  debug=true
  principal="dariens@MY.EXAMPLE";
};

When my application starts I instantiate a CuratorFramework object connection to a ZK cluster
that authenticates new connections via SASLAuthenticationProvider and of course this works
as expected.

I now need to instantiate another new CuratorFramework object to another ZK cluster that does
not perform SASL authentication and any attempt to get/set data results in the errors below.

Is there a configuration that I can apply when instantiating CuratorFrameworks that will not
automatically use SaslAuthentication when a JAAS login context is present?

[2015-12-16 19:47:15,427] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum
Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2015-12-16 19:47:15,427] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException:
An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS
initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail
to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum
Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
[2015-12-16 19:47:15,427] ERROR Authentication failed (org.apache.curator.ConnectionState)

________________________________
From: Jordan Zimmerman [jordan@jordanzimmerman.com]
Sent: Wednesday, December 16, 2015 2:39 PM
To: user@curator.apache.org
Subject: Re: multiple curator frameworks mixed authentication modes

Check your code. There are no static/global values in Curator.

-JZ

On Dec 16, 2015, at 2:29 PM, Dave Ariens <dariens@blackberry.com> wrote:

My Java application needs to talk to two ZK clusters.

Cluster one is configured with `authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
SASLAuthenticationProvider` and cluster two is not.

At first glance it would appear that this isn't possible as all curator frameworks instantiated
in my JVM are attempting to perform SASL authentication when the JVM is launched with the
JAAS configuration containing 'Client' configuration.

Any chance I'm missing something or is this a known restriction?
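
One way to keep a second CuratorFramework from attempting SASL while a JAAS 'Client' section is loaded, as an added example that is not part of the thread and not Curator's own code. It assumes a ZooKeeper client library that includes `org.apache.zookeeper.client.ZKClientConfig`; the class names `MixedAuthClients` and `NoSaslZookeeperFactory` and both host names are constructed for illustration.

```java
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.utils.ZookeeperFactory;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

public class MixedAuthClients {

    /** Hypothetical factory: builds ZooKeeper handles that never attempt SASL. */
    static final class NoSaslZookeeperFactory implements ZookeeperFactory {
        @Override
        public ZooKeeper newZooKeeper(String connectString, int sessionTimeout,
                                      Watcher watcher, boolean canBeReadOnly) throws Exception {
            // ZKClientConfig starts from the JVM system properties, then is overridden here.
            ZKClientConfig conf = new ZKClientConfig();
            // Same key as the JVM-wide -Dzookeeper.sasl.client, but scoped to this handle,
            // so the JAAS "Client" section stays available to the other framework.
            conf.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, "false");
            return new ZooKeeper(connectString, sessionTimeout, watcher, canBeReadOnly, conf);
        }
    }

    public static void main(String[] args) throws Exception {
        // Cluster one (constructed host name): default factory, authenticates via JAAS "Client".
        CuratorFramework kerberized = CuratorFrameworkFactory.builder()
                .connectString("zk-sasl.example:2181")
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .build();

        // Cluster two (constructed host name): no SASLAuthenticationProvider on the server,
        // so the client is built with SASL switched off for this connection only.
        CuratorFramework plain = CuratorFrameworkFactory.builder()
                .connectString("zk-plain.example:2181")
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .zookeeperFactory(new NoSaslZookeeperFactory())
                .build();

        try (CuratorFramework a = kerberized; CuratorFramework b = plain) {
            a.start();
            b.start();
            System.out.println("SASL cluster /: " + a.getChildren().forPath("/"));
            System.out.println("Plain cluster /: " + b.getChildren().forPath("/"));
        }
    }
}
```

Setting `-Dzookeeper.sasl.client=false` on the command line instead would disable SASL for every client in the JVM, including the one that needs it.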

