zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore)" <shirsha.ray_chaudh...@nokia.com>
Subject RE: SASL for Client connections
Date Fri, 09 Mar 2018 04:40:38 GMT
Hi Abe,

We are trying to understand the difference between setting
When a client does not have a valid Kerberos ticket, the behaviour is the same for either
of the above settings. Whereas we'd've expected the client to not be able to connect when
To restrict such connections, should we also set zookeeper.allowSaslFailedClients=false?


-----Original Message-----
From: Abraham Fine [mailto:afine@apache.org] 
Sent: Friday, March 9, 2018 12:31 AM
To: user@zookeeper.apache.org
Subject: Re: SASL for Client connections

Hi Harish-

Currently there is no way to restrict ALL incoming client connections when using SASL.

In ZooKeeper, SASL works on a node by node basis.


On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> Hi,
> I have enabled SASL on my Zookeeper, with below configuration.
> *requireClientAuthScheme=sasl*
> *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationPro
> vider*
> But still I see that, I am able to connect to zookeeper even without a 
> valid kerberos ticket.
> Is there a way to restrict all client connections only with valid 
> kerberos ticket.
> Zookeeper Version - 3.4.8
> Thanks,
> Harish
View raw message