zookeeper-user mailing list archives

From Abraham Fine <af...@apache.org>
Subject Re: SASL for Client connections
Date Tue, 13 Mar 2018 20:07:33 GMT
This is related to a long-standing bug in our documentation (see: ZOOKEEPER-2668). requireClientAuthScheme
does not actually do anything. It is never read by the code.


On Thu, Mar 8, 2018, at 21:40, Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore) wrote:
> Hi Abe,
> 
> We are trying to understand the difference between setting
> requireClientAuthScheme=sasl 
> and
> requireClientAuthScheme=all
> When a client does not have a valid Kerberos ticket, the behaviour is 
> the same for either of the above settings. Whereas we'd've expected the 
> client to not be able to connect when requireClientAuthScheme=sasl.
> To restrict such connections, should we also set 
> zookeeper.allowSaslFailedClients=false?
> 
> Regards
> Shirsha
> 
> -----Original Message-----
> From: Abraham Fine [mailto:afine@apache.org] 
> Sent: Friday, March 9, 2018 12:31 AM
> To: user@zookeeper.apache.org
> Subject: Re: SASL for Client connections
> 
> Hi Harish-
> 
> Currently there is no way to restrict ALL incoming client connections 
> when using SASL.
> 
> In ZooKeeper, SASL works on a node by node basis.
> 
> Thanks,
> Abe
> 
> On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> > Hi,
> > 
> > I have enabled SASL on my Zookeeper, with below configuration.
> > 
> > *requireClientAuthScheme=sasl*
> > *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
> > 
> > But still I see that I am able to connect to ZooKeeper even without a 
> > valid Kerberos ticket.
> > Is there a way to restrict all client connections only with a valid 
> > Kerberos ticket?
> > 
> > Zookeeper Version - 3.4.8
> > 
> > 
> > Thanks,
> > Harish
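
An added example, not part of the thread and not ZooKeeper project code: a small audit of a server configuration that flags requireClientAuthScheme as inert, as the reply at the top of this message states, so that nobody relies on it to keep ticketless clients out. The function names, finding codes and sample configuration are constructed for illustration.

```python
# Added example: audit a ZooKeeper server config for SASL settings that look
# like enforcement but, per this thread, are not.

# Per the thread (ZOOKEEPER-2668): documented, but never read by the server code.
INERT_KEYS = {"requireClientAuthScheme"}
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (code, message) findings for a zoo.cfg-style config string."""
    props = parse_properties(text)
    inert = sorted(INERT_KEYS & props.keys())
    providers = [v for k, v in props.items() if k.startswith("authProvider.")]
    has_sasl = SASL_PROVIDER in providers
    findings = []
    for key in inert:
        findings.append(("inert-setting",
                         f"{key}={props[key]} is never read by the server"))
    if inert and not has_sasl:
        findings.append(("no-sasl-provider",
                         "SASL appears intended but no SASL authProvider is set"))
    if has_sasl:
        # Thread: no way to restrict ALL incoming connections with SASL;
        # SASL works on a node by node basis.
        findings.append(("connections-not-restricted",
                         "clients without a Kerberos ticket can still connect"))
    return findings

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CFG = """\
clientPort=2181
requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
"""

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CFG):
        print(f"[{code}] {message}")
```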
