zookeeper-user mailing list archives

From Andor Molnar <an...@apache.org>
Subject Re: Zookeeper server and client authentication
Date Mon, 06 Jan 2020 17:05:24 GMT
Thanks, great stuff! I’ve already forgotten about it.

So, this is the approach of enforcing clients to authenticate during connection. I reckon
another one which would let clients postpone authentication with the ‘addAuth’ command:
https://issues.apache.org/jira/browse/ZOOKEEPER-2462

But that’s still open. Not a problem though, 3.6.0 is already super cool with this.

Andor




> On 2020. Jan 6., at 16:09, Enrico Olivelli <eolivelli@gmail.com> wrote:
> 
> Take a look to
> https://issues.apache.org/jira/browse/ZOOKEEPER-1634
> 
> Enrico
> 
> On Mon 6 Jan 2020, 13:52 Andor Molnar <andor@apache.org> wrote:
> 
>> Are we going to release client authentication enforcement in 3.6?
>> I can’t remember a patch which implements it.
>> 
>> Andor
>> 
>> 
>> 
>> 
>>> On 2019. Dec 30., at 15:17, Enrico Olivelli <eolivelli@gmail.com> wrote:
>>> 
>>> On Mon 30 Dec 2019, 14:55 shrikant kalani <shrikantkalani@gmail.com> wrote:
>>> 
>>>> Enrico,
>>>> 
>>>> Is 3.6 going to be available soon ? Within 1 month ?
>>>> 
>>> 
>>> I can't make promises.
>>> It is up to the community.
>>> I can say we are actively preparing the release.
>>> You will see, hopefully next week, a VOTE email thread on
>>> dev@zookeeper.apache.org mailing list.
>>> 
>>> If you try it and report that it is working for you, this will be a good
>>> contribution to the community
>>> 
>>> Cheers
>>> Enrico
>>> 
>>>> 
>>>> Thanks
>>>> Srikant Kalani
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolivelli@gmail.com> wrote:
>>>>> 
>>>>> If you try to use wrong credentials, a corrupted keytab... you won't be able
>>>>> to read/write.
>>>>> The connection may be allowed.
>>>>> 
>>>>> Enrico
>>>>> 
>>>>> On Mon 30 Dec 2019, 14:19 Arpit Jain <jain.arpit6@gmail.com> wrote:
>>>>> 
>>>>>> Just to confirm the settings I have in my environment:
>>>>>> 
>>>>>> 1. On ZK side, my JAAS file looks like this:
>>>>>> Server {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     useKeyTab=true
>>>>>>     keyTab="/conf/zoo1.keytab"
>>>>>>     storeKey=true
>>>>>>     useTicketCache=false
>>>>>>     principal="zookeeper/zoo1@EXAMPLE.COM";
>>>>>> };
>>>>>> The principal "zookeeper/zoo1@EXAMPLE.COM" has been created in the Kerberos
>>>>>> server running locally. I am able to start ZK with this principal and I can
>>>>>> see the ticket exchange between ZK and Kerberos for this principal.
>>>>>> 
>>>>>> 2. On the client (Curator) side, the JAAS file looks like below. Principal
>>>>>> "zkclient@EXAMPLE.COM" is present in the Kerberos server. The Curator client
>>>>>> is able to connect properly to ZK (with or without principal) even though
>>>>>> SASL is enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>>>>>> authentication.
>>>>>> Client {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     useKeyTab=true
>>>>>>     keyTab="/tmp/zkclient.keytab"
>>>>>>     storeKey=true
>>>>>>     useTicketCache=false
>>>>>>     principal="zkclient@EXAMPLE.COM";
>>>>>> };
>>>>>> 
>>>>>> Just want to make sure my settings are correct.
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolivelli@gmail.com> wrote:
>>>>>>> 
>>>>>>> Arpit,
>>>>>>> Up to 3.5.x you can only leverage auth in conjunction with ACLs.
>>>>>>> 
>>>>>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>>>>>> 
>>>>>>> If you have time you can build from branch-3.6 and run the server enabling
>>>>>>> that feature that you are pointing to.
>>>>>>> It is a server side change only, so you can use 3.5 in your application.
>>>>>>> 
>>>>>>> 
>>>>>>> Enrico
>>>>>>> 
>>>>>>> On Mon 30 Dec 2019, 13:23 shrikant kalani <shrikantkalani@gmail.com> wrote:
>>>>>>> 
>>>>>>>> Couple of things which you can check -
>>>>>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
>>>>>>>> need to set zookeeper.sasl.client.username
>>>>>>>> 2) set java.security.auth.login.config
>>>>>>>> 
>>>>>>>> And I also faced the same issue that there is no strict enforcement to
>>>>>>>> allow only authenticated clients. Unless someone is aware of the way, I
>>>>>>>> doubt we may need to wait for 3.6
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> Srikant
>>>>>>>> 
>>>>>>>> Sent from my iPhone
>>>>>>>> 
>>>>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arpit6@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi,
>>>>>>>>> 
>>>>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>>>>>> Kerberos. I am able to authenticate ZK with the Kerberos server but I don't
>>>>>>>>> see any authentication happening between the Zookeeper client (curator) and
>>>>>>>>> the ZK server. I have put the following settings in zoo.cfg and followed
>>>>>>>>> this guide:
>>>>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>>>>>> 
>>>>>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>>>>>> requireClientAuthScheme=sasl
>>>>>>>>> 
>>>>>>>>> What additional setting do I need to provide so that only authenticated
>>>>>>>>> clients (for which principals are present in the Kerberos server) can
>>>>>>>>> connect to the ZK server?
>>>>>>>>> I also found this link https://github.com/apache/zookeeper/pull/118/commits
>>>>>>>>> which mentions that it will be strict only from ZK 3.6 onwards and currently
>>>>>>>>> ZK does not enforce it even if we have the configuration.
>>>>>>>>> 
>>>>>>>>> Thanks
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>> 
>> 
>> 
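Added illustration (not code from this thread or from the ZooKeeper project) of the 3.5.x mitigation Enrico describes: a client without credentials can still open a session, so a sasl-scheme ACL on the znode is what denies it reads and writes. It assumes a SASL-enabled ensemble at the placeholder address zoo1:2181, a client JAAS "Client" section supplied through java.security.auth.login.config, the zkclient@EXAMPLE.COM principal from Arpit's configuration, and a hypothetical znode path.

```java
import java.util.Collections;
import java.util.List;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
public class SaslAclCheck {
    // Hypothetical connect string and znode path; the principal is the one from the client JAAS file above.
    static final String CONNECT = "zoo1:2181";
    static final String PATH = "/secured/config";
    static final Id CLIENT_PRINCIPAL = new Id("sasl", "zkclient@EXAMPLE.COM");

    /** Creates PATH (if missing) with an ACL that grants every permission to the SASL principal and nothing to anyone else. */
    static void createSaslOnlyNode(ZooKeeper authed) throws Exception {
        List<ACL> saslOnly = Collections.singletonList(new ACL(ZooDefs.Perms.ALL, CLIENT_PRINCIPAL));
        if (authed.exists(PATH, false) == null) {
            authed.create(PATH, "secret".getBytes("UTF-8"), saslOnly, CreateMode.PERSISTENT);
        }
    }

    /** Returns true when the session is refused access to PATH, i.e. the ACL is doing its job. */
    static boolean readIsDenied(ZooKeeper session) throws Exception {
        try {
            session.getData(PATH, false, null);
            return false;  // the session connected AND read the data: nothing is protecting the node
        } catch (KeeperException.NoAuthException e) {
            return true;   // connected, but the sasl:<principal> ACL rejected the unauthenticated read
        }
    }

    public static void main(String[] args) throws Exception {
        // Session 1: the JVM was started with -Djava.security.auth.login.config=<client JAAS file>,
        // so the client library runs the SASL/GSSAPI handshake itself right after connecting.
        ZooKeeper authed = new ZooKeeper(CONNECT, 10_000, event -> { });
        createSaslOnlyNode(authed);

        // Session 2: same JVM, SASL disabled for this client only, standing in for a client with
        // no credentials. Up to 3.5.x the server still accepts the session; only the ACL stops it.
        ZKClientConfig noSasl = new ZKClientConfig();
        noSasl.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, "false");
        ZooKeeper anonymous = new ZooKeeper(CONNECT, 10_000, event -> { }, false, noSasl);
        System.out.println("unauthenticated read denied: " + readIsDenied(anonymous));
        anonymous.close();
        authed.close();
    }
}
```

On 3.6.0, where the server-side enforcement from ZOOKEEPER-1634 is enabled with sessionRequireClientSASLAuth=true in zoo.cfg, the second session is refused by the server itself, so the probe never reaches the ACL check.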

