curator-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jordan Zimmerman <jor...@jordanzimmerman.com>
Subject Re: multiple curator frameworks mixed authentication modes
Date Wed, 16 Dec 2015 21:18:38 GMT
Oh - that’s true. I didn’t think of that. Maybe we need a new feature here.

> On Dec 16, 2015, at 4:15 PM, Cameron McKenzie <mckenzie.cam@gmail.com> wrote:
> 
> Would that cause problems on an attempt to reconnect (doesn't Curator recreate the ZK
client under some circumstances?)?
> 
> On Thu, Dec 17, 2015 at 7:37 AM, Jordan Zimmerman <jordan@jordanzimmerman.com <mailto:jordan@jordanzimmerman.com>>
wrote:
> I just check in the ZK code. It does:
> 
> 	System.getProperty(Environment.JAAS_CONF_KEY)
> 
> So, just manual set/clear this property before creating the Curator instance.
> 
> -JZ
> 
>> On Dec 16, 2015, at 3:00 PM, Dave Ariens <dariens@blackberry.com <mailto:dariens@blackberry.com>>
wrote:
>> 
>> Sorry, don't follow.  Let me try and re-phrase:
>> 
>> If I launch a JVM with -Djava.security.auth.login.config=jaas.conf
>> 
>> and that jaas.conf contains:
>> 
>> Client {
>>   com.sun.security.auth.module.Krb5LoginModule required
>>   useKeyTab=true
>>   keyTab="dariens.keytab"
>>   storeKey=true
>>   useTicketCache=false
>>   serviceName="zookeeper"
>>   debug=true
>>   principal="dariens@MY.EXAMPLE <mailto:dariens@my.example>";
>> };
>> 
>> When my application starts I instantiate a CuratorFramework object connection to
a ZK cluster that authenticates new connections via SASLAuthenticationProvider and of course
this works as expected.  
>> 
>> I now need to instantiate another new CuratorFramework object to another ZK cluster
that does not perform SASL authentication and any attempt to get/set data results in the errors
below.
>> 
>> Is there a configuration that I can apply when instantiating CuratorFrameworks that
will not automatically use SaslAuthentication when a JAAS login context is present?
>> 
>> [2015-12-16 19:47:15,427] ERROR An error: (java.security.PrivilegedActionException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred
when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to
AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
>> [2015-12-16 19:47:15,427] ERROR SASL authentication with Zookeeper Quorum member
failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred
when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to
AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
>> [2015-12-16 19:47:15,427] ERROR Authentication failed (org.apache.curator.ConnectionState)
>> 
>> 
>> 
>> 
>> 
>> From: Jordan Zimmerman [jordan@jordanzimmerman.com <mailto:jordan@jordanzimmerman.com>]
>> Sent: Wednesday, December 16, 2015 2:39 PM
>> To: user@curator.apache.org <mailto:user@curator.apache.org>
>> Subject: Re: multiple curator frameworks mixed authentication modes
>> 
>> Check your code. There are no static/global values in Curator.
>> 
>> -JZ
>> 
>>> On Dec 16, 2015, at 2:29 PM, Dave Ariens <dariens@blackberry.com <mailto:dariens@blackberry.com>>
wrote:
>>> 
>>> My Java application needs to talk to two ZK clusters.
>>> 
>>> Cluster one is configured with `authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
SASLAuthenticationProvider` and cluster two is not.
>>> 
>>> At first glance it would appear that this isn't possible as all curator frameworks
instantiated in my JVM are attempting to perform SASL authentication when the JVM is launched
with the JAAS configuration containing 'Client' configuration.
>>> 
>>> Any chance I'm missing something or is this a known restriction?
> 
> 


Mime
View raw message