zookeeper-user mailing list archives

From "Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore)" <shirsha.ray_chaudh...@nokia.com>
Subject RE: SASL for Client connections
Date Fri, 09 Mar 2018 04:40:38 GMT
Hi Abe,

We are trying to understand the difference between setting
requireClientAuthScheme=sasl 
and
requireClientAuthScheme=all
When a client does not have a valid Kerberos ticket, the behaviour is the same for either
of the above settings, whereas we would have expected the client to not be able to connect when
requireClientAuthScheme=sasl.
To restrict such connections, should we also set zookeeper.allowSaslFailedClients=false?

Regards
Shirsha

-----Original Message-----
From: Abraham Fine [mailto:afine@apache.org] 
Sent: Friday, March 9, 2018 12:31 AM
To: user@zookeeper.apache.org
Subject: Re: SASL for Client connections

Hi Harish-

Currently there is no way to restrict ALL incoming client connections when using SASL.

In ZooKeeper, SASL works on a node by node basis.

Thanks,
Abe

On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> Hi,
> 
> I have enabled SASL on my ZooKeeper, with the configuration below.
> 
> *requireClientAuthScheme=sasl*
> *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
> 
> But I still see that I am able to connect to ZooKeeper even without a 
> valid Kerberos ticket.
> Is there a way to restrict all client connections to only those with a valid 
> Kerberos ticket?
> 
> Zookeeper Version - 3.4.8
> 
> 
> Thanks,
> Harish
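
Since the reply above says SASL works on a node-by-node basis, one way to check which znodes are still reachable without a Kerberos identity is to audit their ACLs. This is an added example, not code from the thread or from the ZooKeeper project; the znode paths, the EXAMPLE.COM realm, the function names and the sample text (constructed, assumed to follow the format zkCli.sh `getAcl` prints in 3.4.x) are all assumptions.

```python
import re

# One ACL entry as printed by zkCli.sh `getAcl` (assumed 3.4.x format):
#   'sasl,'app@EXAMPLE.COM
#   : cdrwa
ENTRY = re.compile(
    r"'(?P<scheme>[^,\n]+),'(?P<id>[^\n]*)\n\s*:\s*(?P<perms>[cdrwa]*)"
)

def parse_getacl(text):
    """Return [(scheme, id, perms), ...] parsed from getAcl output."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ENTRY.finditer(text)]

def audit(acls_by_path):
    """Return (path, scheme, id, perms) for every ACL entry that grants
    permissions to an identity that did not authenticate via SASL."""
    findings = []
    for path, text in sorted(acls_by_path.items()):
        entries = parse_getacl(text)
        if not entries:
            # Unparseable output must not be treated as "restricted".
            findings.append((path, "?", "?", "unparsed"))
        for scheme, ident, perms in entries:
            if scheme != "sasl" and perms:
                findings.append((path, scheme, ident, perms))
    return findings

# Constructed sample: getAcl output collected per znode (hypothetical paths).
SAMPLE = {
    "/app/config": "'sasl,'app@EXAMPLE.COM\n: cdrwa\n",
    "/app/locks": "'sasl,'app@EXAMPLE.COM\n: cdrwa\n'world,'anyone\n: r\n",
    "/zookeeper": "'world,'anyone\n: cdrwa\n",
}

if __name__ == "__main__":
    for path, scheme, ident, perms in audit(SAMPLE):
        print(f"{path}: {scheme}:{ident} has {perms}")
```
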