zookeeper-user mailing list archives

From Daniel Kashtan <djkash...@gmail.com>
Subject Re: Zookeeper server with SASL allows any old zkCli instance to connect
Date Wed, 26 Aug 2015 14:58:23 GMT
As an update, I found out that this issue is not confined to just zkCli.sh.
If I launch my Java applications that create zookeeper clients without the
JVM argument "-Djava.security.auth.login.config=<my-client-jaas.conf>",
then my client can log in to my zookeeper server. Why is it that my
zookeeper client is rejected if I have the wrong password in my client
jaas.conf file, but if I fail to specify my client as using any security,
it just connects to the server? Surely I am missing something on my server
side to block these client connections, right?

On Tue, Aug 25, 2015 at 5:37 PM, Daniel Kashtan <djkashtan@gmail.com> wrote:

> I am using SASL with Digest-MD5 and I have the flag
> "-Dzookeeper.allowSaslFailedClients=false" set so that your connection is
> dropped from the Zookeeper Server if your SASL authentication fails. This
> is great! This only works for the Zookeeper clients created in Java code
> though.
> If I do a zkCli.sh -server then I can connect to my
> Zookeeper server with no issues. This is unexpected behavior to me. It even
> says in the output from zkCli.sh, "Will not attempt to authenticate using
> SASL." How does this still work? I configured the Zookeeper server to drop
> those connection attempts.
> After much searching I turned up this link
> <https://groups.google.com/a/cloudera.org/forum/#!topic/cdh-user/Hxqv7b2957w>,
> but it is just some forum post for CDH. Is this true? The thought of
> setting ACLs on all my znodes is daunting and verbose. Please let me know
> if setting ACL nodes using SASL is my best and/or only option for securing
> zkCli.sh and my Zookeeper server in general.
> --
> -Daniel
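
Added example, not part of the original message or of the ZooKeeper project: in the behaviour described in this thread, a client that never attempts SASL still gets a session, so what it can reach is whatever znode ACLs grant to world:anyone. This Python sketch audits captured zkCli.sh `getAcl` output for such grants. The znode paths, the user name `appuser` and the two-line output layout (a `'scheme,'id` line followed by `: perms`) are assumptions constructed for the example.

```python
import re

# Constructed sample: zkCli.sh `getAcl <path>` output keyed by znode path.
# Paths and the SASL user are invented for this example.
SAMPLE_DUMP = {
    "/app/config": "'sasl,'appuser\n: cdrwa\n",
    "/app/locks": "'world,'anyone\n: cdrwa\n",
    "/app/status": "'sasl,'appuser\n: cdrwa\n'world,'anyone\n: r\n",
}

# One ACL entry: a 'scheme,'id line followed by a ": perms" line.
ENTRY = re.compile(
    r"^'(?P<scheme>[^,\n]+),'(?P<id>.*)\n: (?P<perms>[cdrwa]*)$", re.M
)

def parse_acl(text):
    """Return [(scheme, id, perms)] parsed from one getAcl output."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ENTRY.finditer(text)]

def unauthenticated_perms(acl):
    """Permissions held by any session, SASL or not (granted to world:anyone)."""
    granted = set()
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone":
            granted |= set(perms)
    return "".join(c for c in "cdrwa" if c in granted)

def audit(dump):
    """Map each exposed znode to what an unauthenticated client may do to it."""
    findings = {}
    for path, text in sorted(dump.items()):
        acl = parse_acl(text)
        if not acl:
            # Unparseable output must not be reported as "not exposed".
            raise ValueError(f"no ACL entries parsed for {path}")
        perms = unauthenticated_perms(acl)
        if perms:
            findings[path] = perms
    return findings

if __name__ == "__main__":
    for path, perms in audit(SAMPLE_DUMP).items():
        print(f"{path}: world:anyone has '{perms}'")
```
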

