zookeeper-user mailing list archives

From Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
Subject Re: ZooKeeper in secure mode
Date Thu, 16 Jan 2020 15:15:17 GMT
Hi Praveen,

Regarding SASL, some useful links:
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
  (I just updated this page today)
- I was also checking the Kerberos JAAS configs when I tried these things locally:
  https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
- this is a good howto as well: https://github.com/ekoontz/zookeeper/wiki
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication

In this Jira case you can see some zoo.cfg and client configs that we used
to test SASL + SSL:
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?focusedCommentId=16998033&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16998033

With these configs we managed to use ZooKeeper SASL + SSL on a real
Hadoop cluster using MIT Kerberos.

Mate

On Thu, Jan 16, 2020 at 10:39 AM Praveen Kumar K S <praveen@securelyshare.com> wrote:

> Thanks Enrico. I was also looking at
> https://issues.apache.org/jira/browse/ZOOKEEPER-2220 where someone is facing
> the same issue.
>
> I will try with your suggestion. My requirement is to enable SASL based
> authentication between server-server and client-server.
>
> Please advise if I'm looking at the right place or if there is any better
> documentation.
>
> Regards,
> Praveen Kumar K S
> +91-9986855625
>
>
> On Thu, Jan 16, 2020 at 3:01 PM Enrico Olivelli - Diennea <enrico.olivelli@diennea.com> wrote:
>
> > Praveen
> > In order to use Netty it is better for you to use 3.5.6, which contains
> > Netty 4. ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is
> > known to have security flaws and is no longer maintained.
> >
> > Btw your problem looks like there is a missing class and it is weird
> >
> > Enrico
> >
> > On 16/01/20, 10:25 "Praveen Kumar K S" <praveen@securelyshare.com> wrote:
> >
> >     Hello,
> >
> >     I'm looking for help on enabling authentication in ZooKeeper. Please
> >     note the approach I have tried below.
> >
> >     1. I followed
> >     https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> >     2. I'm deploying zookeeper as single node using docker
> >     3. Zookeeper version is 3.4.13
> >     4. Below are some important environment variables in the zookeeper
> >     container
> >
> >     CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> >     -Dzookeeper.client.secure=true
> >     -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> >     -Dzookeeper.ssl.keyStore.password=XX@123
> >     -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> >     -Dzookeeper.ssl.trustStore.password=XX@123
> >
> >     SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> >     -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> >     -Dzookeeper.ssl.keyStore.password=XX@123
> >     -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> >     -Dzookeeper.ssl.trustStore.password=XX@123
> >
> >     zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
> >
> >     5. Below is the conf file
> >     server.1=0.0.0.0:2888:3888
> >     secureClientPort=2281
> >     initLimit=5
> >     syncLimit=2
> >     tickTime=2000
> >     clientPort=2181
> >     clientPortAddress=zookeeper
> >     dataLogDir=/opt/vault/zookeeper/logs
> >     dataDir=/opt/vault/zookeeper/data
> >
> >     6. Zookeeper is healthy
> >     7. I tried connecting to the Zookeeper server from my machine using
> >     zkCli.sh, but I get the error below
> >
> >     2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating
> >     client connection, connectString=zookeeper:2281 sessionTimeout=30000
> >     watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
> >     Exception in thread "main" java.io.IOException: Couldn't instantiate
> >     org.apache.zookeeper.ClientCnxnSocketNetty
> >     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
> >     at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
> >     at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
> >     at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
> >     at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
> >     Caused by: java.lang.ClassNotFoundException:
> >     org.apache.zookeeper.ClientCnxnSocketNetty
> >     at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> >     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> >     at java.lang.Class.forName0(Native Method)
> >     at java.lang.Class.forName(Class.java:264)
> >     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
> >     ... 4 more
> >
> >     8. Zookeeper is working fine on 2181
> >     9. I tried to connect Kafka to Zookeeper on port 2281. Getting the error
> >     below
> >
> >     [2020-01-16 09:12:07,477] INFO Initiating client connection,
> >     connectString=zookeeper:2281 sessionTimeout=6000
> >     watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9
> >     (org.apache.zookeeper.ZooKeeper)
> >     [2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected.
> >     (kafka.zookeeper.ZooKeeperClient)
> >     [2020-01-16 09:12:07,489] INFO Opening socket connection to server
> >     zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL
> >     (unknown error) (org.apache.zookeeper.ClientCnxn)
> >     [2020-01-16 09:12:07,493] INFO Socket error occurred:
> >     zookeeper/172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
> >     [2020-01-16 09:12:08,599] INFO Opening socket connection to server
> >     zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL
> >     (unknown error) (org.apache.zookeeper.ClientCnxn)
> >
> >     Please help and advise.
> >
> >     Regards,
> >     Praveen Kumar K S
> >     +91-9986855625
> >
>
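The ClassNotFoundException in Praveen's first message is the client JVM failing to load the class named in -Dzookeeper.clientCnxnSocket. As an added example (not code from this thread or from the ZooKeeper project), the Python checker below parses a CLIENT_JVMFLAGS string, verifies that the named socket class actually exists in the client jars on the classpath, and flags keystore passwords passed as command-line system properties; the jars are constructed in memory with zipfile rather than read from a real installation.

```python
import io
import zipfile

def parse_jvm_flags(flags: str) -> dict:
    """Turn '-Dk=v -Dk2=v2' (space or newline separated) into a dict."""
    return dict(tok[2:].split("=", 1) for tok in flags.split()
                if tok.startswith("-D") and "=" in tok)

def class_in_jars(class_name: str, jars) -> bool:
    """True if any jar (given as bytes) contains class_name's .class entry."""
    entry = class_name.replace(".", "/") + ".class"
    return any(entry in zipfile.ZipFile(io.BytesIO(j)).namelist() for j in jars)

def check_secure_client(flags: str, jars) -> list:
    """Return a list of findings; an empty list means the flags look consistent."""
    p = parse_jvm_flags(flags)
    findings = []
    sock = p.get("zookeeper.clientCnxnSocket")
    if p.get("zookeeper.client.secure") == "true" and sock is None:
        findings.append("client.secure=true but no zookeeper.clientCnxnSocket set")
    if sock and not class_in_jars(sock, jars):
        findings.append(f"{sock} not on classpath: expect ClassNotFoundException")
    for store in ("keyStore", "trustStore"):
        if f"zookeeper.ssl.{store}.location" not in p:
            findings.append(f"zookeeper.ssl.{store}.location missing")
        if f"zookeeper.ssl.{store}.password" in p:
            findings.append(f"zookeeper.ssl.{store}.password is on the command line "
                            "(visible to anyone who can list processes)")
    return findings

def make_jar(entries) -> bytes:
    """Build an in-memory jar with empty .class entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for e in entries:
            z.writestr(e, b"")
    return buf.getvalue()

# Constructed jars: the first mimics a client jar that ships only the NIO socket.
NIO_ONLY_JAR = make_jar(["org/apache/zookeeper/ClientCnxnSocketNIO.class"])
NETTY_JAR = make_jar(["org/apache/zookeeper/ClientCnxnSocketNIO.class",
                      "org/apache/zookeeper/ClientCnxnSocketNetty.class"])

# The CLIENT_JVMFLAGS from the thread, minus the keystore passwords.
CLIENT_FLAGS = """-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks"""
```

Running check_secure_client(CLIENT_FLAGS, [NIO_ONLY_JAR]) reports the missing Netty socket class, which is the same condition the zkCli.sh stack trace above shows.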
