zookeeper-user mailing list archives

From Dominique Gagnon <dominique.gag...@dti.ulaval.ca>
Subject zookeeper.allowSaslFailedClients property
Date Thu, 01 Feb 2018 19:08:53 GMT
Hi,

I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup arguments of my three
ZooKeeper servers (version 3.4.10 from Confluent 4.0 bundle) as I want them to drop connections
if Kerberos authentication fails. Yet, it seems that it just doesn't work. If I just don't
put any "Client" section in our Kafka brokers' JAAS file, the brokers' logs show that the authentication
fails but the connection to the ZooKeeper servers doesn't end.

Also, if I try the kafka-acls command without a JAAS file, it also works even if it shouldn't:

[root@server ~]# kafka-acls --authorizer-properties zookeeper.connect=zookeeper-server:2181
--add --allow-principal User:CLIENT --consumer --topic test1 --group test
[2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/root/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication,
if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Adding ACLs for resource `Topic:test1`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
        User:CLIENT has Allow permission for operations: Describe from hosts: *

Adding ACLs for resource `Group:test`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
...

I've read that this property only applies to Java clients, but Kafka brokers and the kafka-acls
command are Java clients!

Thanks,

Dominique Gagnon
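
Added example, not part of the original message and not project code: a log scan that flags ZooKeeper clients which continued without SASL, keyed on the ClientCnxn warning quoted in the message. The function names are hypothetical and the sample log is constructed; only the WARN text is taken from the post.

```python
import re

# Start of a log4j entry as printed by the Kafka tools: "[2018-02-01 10:25:41,730] WARN ..."
ENTRY_START = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] (\w+) ")
# Text the ZooKeeper client logs when it proceeds without SASL (from the message above).
FALLBACK = "Will continue connection to Zookeeper server without SASL authentication"
MISSING_SECTION = re.compile(r"No JAAS configuration section named '([^']+)' was found")
JAAS_FILE = re.compile(r"JAAS configuration file:\s*'([^']+)'")

def log_entries(lines):
    """Yield logical entries, re-joining lines that were wrapped or continued."""
    entry = None
    for line in lines:
        if ENTRY_START.match(line):
            if entry is not None:
                yield entry
            entry = line.rstrip()
        elif entry is not None and line.strip():
            entry += " " + line.strip()
    if entry is not None:
        yield entry

def find_sasl_fallbacks(lines):
    """Return one finding per entry where the client continued unauthenticated."""
    findings = []
    for entry in log_entries(lines):
        if FALLBACK not in entry:
            continue
        timestamp, level = ENTRY_START.match(entry).groups()
        section = MISSING_SECTION.search(entry)
        jaas = JAAS_FILE.search(entry)
        findings.append({
            "timestamp": timestamp,
            "level": level,
            "missing_section": section.group(1) if section else None,
            "jaas_file": jaas.group(1) if jaas else None,
        })
    return findings

# Constructed sample modelled on the output quoted in the message; the INFO entry is filler.
SAMPLE_LOG = """\
[2018-02-01 10:25:41,702] INFO constructed filler entry (example.Filler)
[2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/root/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication,
if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Adding ACLs for resource `Topic:test1`:
""".splitlines()
print(find_sasl_fallbacks(SAMPLE_LOG))
```

Run over broker and tool logs, each finding identifies a client that reached ZooKeeper unauthenticated and which JAAS file lacked the section.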
