zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kashtan <djkash...@gmail.com>
Subject Re: Zookeeper server with SASL allows any old zkCli instance to connect
Date Wed, 26 Aug 2015 15:23:57 GMT
also, just to be clear, my zoo.cfg does have "requireClientAuthScheme=sasl"
in it, but non-authenticated clients are still able to create, delete,
read, and update znodes...

On Wed, Aug 26, 2015 at 10:58 AM, Daniel Kashtan <djkashtan@gmail.com>
wrote:

> As an update, I found out that this issue is not confined to just
> zkCli.sh. If I launch my java applications that create zookeeper clients
> without the JVM argument
> "-Djava.security.auth.login.config=<my-client-jaas.conf>", then my client
> can log in to my zookeeper server. Why is it that my zookeeper client is
> rejected if I have the wrong password in my client jaas.conf file, but if I
> fail to specify my client as using any security, it just connects to the
> server? Surely I am missing something on my server side to block these
> client connections right?
>
> On Tue, Aug 25, 2015 at 5:37 PM, Daniel Kashtan <djkashtan@gmail.com>
> wrote:
>
>> I am using SASL with Digest-MD5 and I have the flag
>> "-Dzookeeper.allowSaslFailedClients=false" set so that your connection is
>> dropped from the Zookeeper Server if your SASL authentication fails. This
>> is great! This only works for the Zookeeper clients created in java code
>> though.
>>
>> If I do a zkCli.sh -server 127.0.0.1:2181 then I can connect to my
>> Zookeeper server with no issues. This is unexpected behavior to me. It even
>> says in the output from zkCli.sh, "Will not attempt to authenticate using
>> SASL." How does this still work? I configured the Zookeeper server to drop
>> those connection attempts.
>>
>> After much searching I turned up this link
>> <https://groups.google.com/a/cloudera.org/forum/#!topic/cdh-user/Hxqv7b2957w>,
>> but it is just some forum post for CDH. Is this true? The thought of
>> setting ACLs on all my znodes is daunting and verbose. Please let me know
>> if setting ACL nodes using SASL is my best and/or only option for securing
>> zkCli.sh and my Zookeeper server in general.
>> --
>> -Daniel
>>
>
>
>
> --
> -Daniel
>



-- 
-Daniel

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message