zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andor Molnar <an...@cloudera.com>
Subject Re: zookeeper.allowSaslFailedClients property
Date Fri, 02 Feb 2018 13:10:37 GMT
Hi Dominique,

Would you please check your ZooKeeper logs, because whenever Zk closes a
client connection due to SASL authentication failure, it adds the following
message to the logs:

LOG.warn("Closing client connection due to SASL authentication failure.");

On the other hand, if the connection is accepted even if SASL auth failed,
you should see the following message:

LOG.warn("Maintaining client connection despite SASL authentication
failure.");

If neither of these messages can be seen in ZK logs, that you're probably
facing to another problem.

Regards,
Andor



On Thu, Feb 1, 2018 at 8:08 PM, Dominique Gagnon <
dominique.gagnon@dti.ulaval.ca> wrote:

> Hi,
>
> I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup
> arguments of my three zookeepers servers (version 3.4.10 from Confluent 4.0
> bundle) as I want them to drop connections if Kerberos authentication
> fails. Yet, it seems that it just doesn't work. If I just don't put any
> "Client" section in our Kafka brokers JAAS file, The brokers logs show that
> the authentication fails but the connection to zookeepers doesn't end.
>
> Also, if I try the kafka-acls command without a JAAS file, it also work
> even if it shouldn't:
>
> [root@server ~]# kafka-acls --authorizer-properties
> zookeeper.connect=zookeeper-server:2181 --add --allow-principal
> User:CLIENT --consumer --topic test1 --group test
> [2018-02-01 10:25:41,730] WARN SASL configuration failed:
> javax.security.auth.login.LoginException: No JAAS configuration section
> named 'Client' was found in specified JAAS configuration file:
> '/root/jaas.conf'. Will continue connection to Zookeeper server without
> SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.
> ClientCnxn)
> Adding ACLs for resource `Topic:test1`:
>         User:CLIENT has Allow permission for operations: Read from hosts: *
>         User:CLIENT has Allow permission for operations: Describe from
> hosts: *
>
> Adding ACLs for resource `Group:test`:
>         User:CLIENT has Allow permission for operations: Read from hosts: *
> ...
>
> I've read that this property only applies to Java clients but Kafka
> brokers and kafka-acls command are Java clients..!
>
> Thanks,
>
> Dominique Gagnon
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message