From: Dominique Gagnon
To: "user@zookeeper.apache.org"
CC: Martin Chénier, "Daniel Bouchard", David Lacharite
Subject: zookeeper.allowSaslFailedClients property
Date: Thu, 1 Feb 2018 19:08:53 +0000

Hi,

I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup arguments of my three ZooKeeper servers (version 3.4.10 from Confluent 4.0 bundle) as I want them to drop connections if Kerberos authentication fails. Yet, it seems that it just doesn't work. If I just don't put any "Client" section in our Kafka brokers' JAAS file, the brokers' logs show that the authentication fails but the connection to zookeepers doesn't end.

Also, if I try the kafka-acls command without a JAAS file, it also works even if it shouldn't:

[root@server ~]# kafka-acls --authorizer-properties zookeeper.connect=zookeeper-server:2181 --add --allow-principal User:CLIENT --consumer --topic test1 --group test
[2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/root/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Adding ACLs for resource `Topic:test1`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
        User:CLIENT has Allow permission for operations: Describe from hosts: *

Adding ACLs for resource `Group:test`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
...

I've read that this property only applies to Java clients but Kafka brokers and kafka-acls command are Java clients..!

Thanks,
Dominique Gagnon
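A client-side audit for the situation described in the message, as an added example that is not part of the original post and not ZooKeeper or Kafka code: it scans client logs for the ClientCnxn warning quoted above and reports which JAAS section and file were missing, so hosts that fell back to unauthenticated ZooKeeper sessions can be found. The function names and the sample lines other than the quoted warning are constructed for illustration.

```python
import re

# Start of a log4j-style entry as seen in the message: "[2018-02-01 10:25:41,730] WARN ..."
ENTRY_START = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] (?P<level>[A-Z]+) ")
# The client warning quoted in the message: SASL setup failed, session continues without it.
FALLBACK = re.compile(
    r"SASL configuration failed: (?P<exc>[\w.$]+): (?P<reason>.*?)\s*"
    r"Will continue connection to Zookeeper server without SASL authentication",
    re.DOTALL)
SECTION = re.compile(r"section named '(?P<section>[^']+)'")
JAAS_FILE = re.compile(r"JAAS configuration file: '(?P<path>[^']+)'")

def split_entries(lines):
    """Group physical lines into entries; lines without a timestamp continue the previous entry."""
    entry = None
    for line in lines:
        if ENTRY_START.match(line):
            if entry is not None:
                yield entry
            entry = line.rstrip()
        elif entry is not None:
            entry += " " + line.strip()
    if entry is not None:
        yield entry

def find_sasl_fallbacks(lines):
    """Return one finding per entry where the client continued without SASL."""
    findings = []
    for entry in split_entries(lines):
        m = FALLBACK.search(entry)
        if not m:
            continue
        head = ENTRY_START.match(entry)
        sec = SECTION.search(m.group("reason"))
        path = JAAS_FILE.search(m.group("reason"))
        findings.append({
            "timestamp": head.group("ts"),
            "level": head.group("level"),
            "exception": m.group("exc"),
            "section": sec.group("section") if sec else None,
            "jaas_file": path.group("path") if path else None,
        })
    return findings

# Constructed sample: the warning from the message (wrapped over two lines) between two made-up INFO lines.
SAMPLE_LOG = [
    "[2018-02-01 10:25:41,102] INFO Initiating client connection (constructed line)",
    "[2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/root/jaas.conf'. Will continue",
    "    connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)",
    "[2018-02-01 10:25:41,801] INFO Session established (constructed line)",
]
```

Calling `find_sasl_fallbacks(SAMPLE_LOG)` returns a single finding for the 10:25:41,730 entry, with section `Client` and file `/root/jaas.conf`.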