zookeeper-user mailing list archives

From Aparajita Singh <aparajita.1...@gmail.com>
Subject Re: Zookeeper client fails during SASL authentication
Date Thu, 11 Jun 2020 11:28:15 GMT
Thanks Mate and Arpit, I'll check out your suggestions.

Jorn,

   1. Did you register the service principal correctly in your AD/KDC?
      Yes, the client and service principals are registered in the KDC. Using kinit
      with the keytab on the remote server was generating the TGT as expected.
   2. If AD then did you make sure that the attribute for the user is
      activated to enable AES256 Kerberos auth?
      I'm using a KDC; AES256 was enabled by default. I changed the
      kdc.conf file to use only AES128 but ZooKeeper is still using AES256. I'm
      looking to see if there is a config I have missed somewhere during
      ZooKeeper startup which is forcing it to use AES256 always.
   3. Do you have unlimited crypto policies installed with your JDK?
      Yes, I verified this by checking that US_export_policy.jar and
      local_policy.jar are present in $JAVA_HOME/jre/lib/security/unlimited.
   4. Is the keytab accessible to zk?
      Yes.
   5. Did you create keytab with AES256 encryption type?
      Yes, the keytab had 2 entries for each principal corresponding to
      AES256 and AES128.


On Thu, 11 Jun 2020 at 16:30, Jörn Franke <jornfranke@gmail.com> wrote:

> Kerberos can be quite a beast for any application. I managed to use
> Kerberos authentication for Zookeeper a couple of times. Usually the error
> messages in Java are meaningless.
>
> Did you register the service principal correctly in your AD/KDC?
>
> If AD then did you make sure that the attribute for the user is activated
> to enable AES256 Kerberos auth?
>
> Do you have unlimited crypto policies installed with your JDK?
>
> Is the keytab accessible to zk?
>
> Did you create keytab with AES256 encryption type?
>
>
> > On 10.06.2020 at 14:35, Aparajita Singh <aparajita.1194@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I am trying to migrate an unauthenticated zookeeper cluster to a kerberos
> >> authenticated one. For the time being SSL is disabled. I have configured
> >> the server and client as described below but when SASL is enabled I am
> >> unable to retrieve data using the zookeeper shell client from the zookeeper
> >> server. Could I get some help in understanding why this is failing?
> >>
> >> server.log snippet
> >>
> >> 2020-06-10 17:09:01,263 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /127.0.0.1:44994
> >> 2020-06-10 17:09:01,264 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing mntr command from /127.0.0.1:44994
> >> 2020-06-10 17:09:01,265 - INFO  [Thread-5:NIOServerCnxn@1007] - Closed socket connection for client /127.0.0.1:44994 (no session established for client)
> >> 2020-06-10 17:09:26,647 - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.6-169--1, built on 02/10/2016 05:49 GMT
> >> 2020-06-10 17:09:26,649 - INFO  [main:Environment@100] - Client environment:host.name=stage-kdc-zk-ivy
> >> 2020-06-10 17:09:26,649 - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_172
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.home=/usr/lib/jvm/oracle-java8-jdk-amd64/jre
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client
> >>
> environment:java.class.path=/usr/hdp/2.4.0.0-169/zookeeper/bin/../build/classes:/usr/hdp/2.4.0.0-169/zookeeper/bin/../build/lib/*.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/xercesMinimal-1.9.6.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-provider-api-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-http-shared4-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-http-shared-1.0-beta-6.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-http-lightweight-1.0-beta-6.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-http-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/wagon-file-1.0-beta-6.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/slf4j-api-1.6.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/plexus-utils-3.0.8.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/plexus-interpolation-1.11.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/plexus-container-default-1.0-alpha-9-stable-1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/netty-3.7.0.Final.jar:/usr/hdp/
> 2.4.0.
> 0-169/zookeeper/bin/../lib/nekohtml-1.9.6.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-settings-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-repository-metadata-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-project-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-profile-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-plugin-registry-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-model-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-error-diagnostics-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-artifact-manager-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-artifact-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/maven-ant-tasks-2.1.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/log4j-1.2.16.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/jsoup-1.7.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/jline-0.9.94.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/httpcore-4.2.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/httpclient-4.2.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/commons-logging-1.1.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/commons-io-2.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/commons-codec-1.6.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/classworlds-1.1-alpha-2.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/backport-util-concurrent-3.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/apache-log4j-extras-1.2.17.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/ant-launcher-1.8.0.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../lib/ant-1.8.0.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../zookeeper-3.4.6.2.4.0.0-169.jar:/usr/hdp/2.4.0.0-169/zookeeper/bin/../src/java/lib/*.jar:/usr/hdp/2.4.0.0-169/zookeeper/conf::/usr/hdp/2.4.0.0-169/zookeeper/conf:/usr/hdp/2.4.0.0-169/zookeeper/zookeeper.jar:/usr/hdp/
> 2.4.0.
> 0-169/zookeeper/zookeeper-3.4.6.2.4.0.0-169.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/slf4j-log4j12-1.6.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/slf4j-api-1.6.1.jar:/usr/hdp/
> 2.4.0.
> 0-169/zookeeper/lib/classworlds-1.1-alpha-2.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-model-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/httpcore-4.2.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/plexus-container-default-1.0-alpha-9-stable-1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/ant-launcher-1.8.0.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/plexus-utils-3.0.8.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/jline-0.9.94.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-http-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-settings-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/log4j-1.2.16.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/netty-3.7.0.Final.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/commons-codec-1.6.jar:/usr/hdp/
> 2.4.0.
> 0-169/zookeeper/lib/commons-io-2.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/nekohtml-1.9.6.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/backport-util-concurrent-3.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/apache-log4j-extras-1.2.17.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/ant-1.8.0.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/xercesMinimal-1.9.6.2.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/commons-logging-1.1.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/httpclient-4.2.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-profile-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-error-diagnostics-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-project-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/jsoup-1.7.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/plexus-interpolation-1.11.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-plugin-registry-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-http-shared-1.0-beta-6.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-repository-metadata-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-http-lightweight-1.0-beta-6.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-ant-tasks-2.1.3.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-http-shared4-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-provider-api-2.4.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-artifact-manager-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/maven-artifact-2.2.1.jar:/usr/hdp/2.4.0.0-169/zookeeper/lib/wagon-file-1.0-beta-6.jar:/usr/share/zookeeper/*
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.compiler=<NA>
> >> 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:os.name=Linux
> >> 2020-06-10 17:09:26,652 - INFO  [main:Environment@100] - Client environment:os.arch=amd64
> >> 2020-06-10 17:09:26,652 - INFO  [main:Environment@100] - Client environment:os.version=4.9.0-9-amd64
> >> 2020-06-10 17:09:26,652 - INFO  [main:Environment@100] - Client environment:user.name=root
> >> 2020-06-10 17:09:26,652 - INFO  [main:Environment@100] - Client environment:user.home=/root
> >> 2020-06-10 17:09:26,652 - INFO  [main:Environment@100] - Client environment:user.dir=/home/aparajita.singh
> >> 2020-06-10 17:09:26,653 - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=stage-kdc-zk-ivy sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@379619aa
> >> 2020-06-10 17:09:26,752 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):Login@293] - successfully logged in.
> >> 2020-06-10 17:09:26,753 - INFO  [Thread-0:Login$1@127] - TGT refresh thread started.
> >> 2020-06-10 17:09:26,757 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):ZooKeeperSaslClient$1@285] - Client will use GSSAPI as SASL mechanism.
> >> 2020-06-10 17:09:26,758 - INFO  [Thread-0:Login@301] - TGT valid starting at:        Wed Jun 10 15:17:21 IST 2020
> >> 2020-06-10 17:09:26,758 - INFO  [Thread-0:Login@302] - TGT expires:                  Thu Jun 11 15:17:21 IST 2020
> >> 2020-06-10 17:09:26,758 - INFO  [Thread-0:Login$1@181] - TGT refresh sleeping until: Thu Jun 11 11:17:04 IST 2020
> >> 2020-06-10 17:09:26,799 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):ClientCnxn$SendThread@1019] - Opening socket connection to server stage-kdc-zk-ivy/10.33.203.225:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
> >> 2020-06-10 17:09:26,854 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /10.33.203.225:45018
> >> 2020-06-10 17:09:26,854 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):ClientCnxn$SendThread@864] - Socket connection established to stage-kdc-zk-ivy/10.33.203.225:2181, initiating session
> >> 2020-06-10 17:09:26,856 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@868] - Client attempting to establish new session at /10.33.203.225:45018
> >> 2020-06-10 17:09:26,859 - INFO  [CommitProcessor:88:ZooKeeperServer@617] - Established session 0x58729e0540980002 with negotiated timeout 30000 for client /10.33.203.225:45018
> >> 2020-06-10 17:09:26,861 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):ClientCnxn$SendThread@1279] - Session establishment complete on server stage-kdc-zk-ivy/10.33.203.225:2181, sessionid = 0x58729e0540980002, negotiated timeout = 30000
> >> 2020-06-10 17:09:27,007 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)]
> >> 2020-06-10 17:09:27,007 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@975] - Closing client connection due to SASL authentication failure.
> >> 2020-06-10 17:09:27,007 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1007] - Closed socket connection for client /10.33.203.225:45018 which had sessionid 0x58729e0540980002
> >> 2020-06-10 17:09:27,008 - ERROR [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@178] - Unexpected Exception:
> >> java.nio.channels.CancelledKeyException
> >>         at sun.nio.ch.SelectionKeyImpl.ensureValid(SelectionKeyImpl.java:73)
> >>         at sun.nio.ch.SelectionKeyImpl.interestOps(SelectionKeyImpl.java:77)
> >>         at org.apache.zookeeper.server.NIOServerCnxn.sendBuffer(NIOServerCnxn.java:151)
> >>         at org.apache.zookeeper.server.NIOServerCnxn.sendResponse(NIOServerCnxn.java:1081)
> >>         at org.apache.zookeeper.server.ZooKeeperServer.processPacket(ZooKeeperServer.java:936)
> >>         at org.apache.zookeeper.server.NIOServerCnxn.readRequest(NIOServerCnxn.java:373)
> >>         at org.apache.zookeeper.server.NIOServerCnxn.readPayload(NIOServerCnxn.java:200)
> >>         at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:244)
> >>         at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
> >>         at java.lang.Thread.run(Thread.java:748)
> >> 2020-06-10 17:09:27,008 - INFO  [main-SendThread(stage-kdc-zk-ivy:2181):ClientCnxn$SendThread@1142] - Unable to read additional data from server sessionid 0x58729e0540980002, likely server has closed socket, closing socket connection and attempting reconnect
> >> 2020-06-10 17:09:27,008 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@346] - Exception causing close of session 0x58729e0540980002 due to java.nio.channels.CancelledKeyException
> >> 2020-06-10 17:10:01,317 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /127.0.0.1:45004
> >> 2020-06-10 17:10:01,318 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing mntr command from /127.0.0.1:45004
> >>
> >> zookeeper shell client output
> >>
> >> aparajita.singh@stage-kdc-zk-ivy:~$ sudo /usr/hdp/2.4.0.0-169/zookeeper/bin/zookeeper-client -server stage-kdc-zk-ivy get /test2
> >> log4j:WARN Large window sizes are not allowed.
> >> log4j:WARN MaxIndex reduced to 13.
> >> Connecting to stage-kdc-zk-ivy
> >> Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt true ticketCache is /tmp/krb5cc_0 isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >> Acquire TGT from Cache
> >> Principal is zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka
> >> null credentials from Ticket Cache
> >> principal is zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka
> >> Will use keytab
> >> Commit Succeeded
> >>
> >> WATCHER::
> >>
> >> WatchedEvent state:SyncConnected type:None path:null
> >>
> >> WATCHER::
> >>
> >> WatchedEvent state:Disconnected type:None path:null
> >>
> >> Exception in thread "main" org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /test2
> >>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
> >>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> >>         at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
> >>         at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
> >>         at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:717)
> >>         at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591)
> >>         at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354)
> >>         at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)
> >>
> >> zoo.cfg
> >>
> >> #setACL=False
> >> autopurge.snapRetainCount=30
> >> tickTime=2000
> >> dataDir=/grid/1/var/lib/zookeeper
> >> zookeeper_jmx_port=9009
> >> initLimit=100
> >> syncLimit=5
> >> autopurge.purgeInterval=24
> >> clientPort=2181
> >> globalOutstandingLimit=5000
> >> maxClientCnxns=2000
> >> server.99=stage-kdc-zk-harley:2888:3888
> >> server.88=stage-kdc-zk-ivy:2888:3888
> >> server.77=stage-kdc-zk-2face:2888:3888
> >>
> >> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> requireClientAuthScheme=sasl
> >>
> >> quorum.auth.enableSasl=true
> >> quorum.auth.learnerRequireSasl=true
> >> quorum.auth.serverRequireSasl=true
> >> quorum.auth.kerberos.servicePrincipal=host/stage-kdc-zk-ivy@stage.fdp.kafka
> >> quorum.cnxn.threads.size=20
> >>
> >> java.env
> >>
> >> SERVER_JVMFLAGS="${SERVER_JVMFLAGS}
> >> -Djava.security.auth.login.config=/home/aparajita.singh/jaas/jaas.conf
> >> -Dzookeeper.authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> -Dsun.security.krb5.debug=true"
> >>
> >> CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS}
> >> -Djava.security.auth.login.config=/home/aparajita.singh/jaas/client.conf
> >> -Dzookeeper.authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> -Dsun.security.krb5.debug=true"
> >>
> >> /home/aparajita.singh/jaas/jaas.conf
> >>
> >> // Zookeeper server authentication
> >> Server {
> >>    com.sun.security.auth.module.Krb5LoginModule required
> >>    useKeyTab=true
> >>    useTicketCache=false
> >>    //ticketCache="/tmp/krb5cc_0"
> >>    renewTicket=true
> >>    doNotPrompt=true
> >>    debug=true
> >>    keyTab="/etc/krb5.keytab"
> >>    serviceName="host"
> >>    principal="host/stage-kdc-zk-ivy@stage.fdp.kafka";
> >> };
> >>
> >> // Zookeeper quorum server authentication
> >> QuorumServer {
> >>    com.sun.security.auth.module.Krb5LoginModule required
> >>    useKeyTab=true
> >>    useTicketCache=false
> >>    //ticketCache="/tmp/krb5cc_0"
> >>    renewTicket=true
> >>    doNotPrompt=true
> >>    debug=true
> >>    keyTab="/etc/krb5.keytab"
> >>    serviceName="host"
> >>    principal="host/stage-kdc-zk-ivy@stage.fdp.kafka";
> >> };
> >>
> >> // Zookeeper learner authentication
> >> QuorumLearner {
> >>    com.sun.security.auth.module.Krb5LoginModule required
> >>    useKeyTab=true
> >>    useTicketCache=false
> >>    //ticketCache="/tmp/krb5cc_0"
> >>    renewTicket=true
> >>    doNotPrompt=true
> >>    debug=true
> >>    keyTab="/etc/krb5.keytab"
> >>    serviceName="host"
> >>    principal="host/stage-kdc-zk-ivy@stage.fdp.kafka";
> >> };
> >>
> >> /home/aparajita.singh/jaas/client.conf
> >>
> >> // Zookeeper client authentication
> >> Client {
> >>    com.sun.security.auth.module.Krb5LoginModule required
> >>    useKeyTab=true
> >>    useTicketCache=true
> >>    ticketCache="/tmp/krb5cc_0"
> >>    renewTicket=true
> >>    doNotPrompt=true
> >>    debug=true
> >>    keyTab="/etc/krb5.keytab"
> >>    serviceName="zookeeper"
> >>    principal="zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka";
> >> };
> >>
> >> Using the kinit command I am able to generate the TGT for both principals. As
> >> per the zookeeper server log, the TGT can be generated as expected. The
> >> keytab file is accessible to all system users for now.
> >>
> >> aparajita.singh@stage-kdc-zk-ivy:~$ sudo /krb5/bin/kinit zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka -k -t /etc/krb5.keytab
> >> aparajita.singh@stage-kdc-zk-ivy:~$ sudo /krb5/bin/kinit host/stage-kdc-zk-ivy@stage.fdp.kafka -k -t /etc/krb5.keytab
> >>
> >> --
> >> Thanks,
> >> Aparajita
> >>
>


-- 
Thanks,
Aparajita
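
The server log in this thread names the enctype it could not find a key for ("AES256 CTS mode with HMAC SHA1-96", Kerberos enctype 18), and Jörn's checklist asks whether the keytab was created with that enctype. The script below is an added example, not ZooKeeper's or MIT Kerberos's own code: a minimal parser for the MIT keytab file format (version 0x0502) that lists principal, kvno and enctype for each entry and reports which wanted enctypes a given principal lacks, plus a small writer used only to construct a sample keytab inline. The sample's key bytes are throw-away values and its contents (the host/ principal carrying only an AES128 key) are constructed to show the failing case; only the principal names are taken from the thread. The file name keytab_check.py is an assumption.

```python
"""Offline MIT keytab (format 0x0502) inspector. Added example, not ZooKeeper or MIT code."""
import struct

# Enctype numbers from RFC 3962 (AES/SHA-1), RFC 8009 (AES/SHA-2), RFC 4757 (RC4).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "rc4-hmac"}
AES256_SHA1 = 18   # "AES256 CTS mode with HMAC SHA1-96" in the server error
NT_PRINCIPAL = 1


def _octets(data, pos):
    # uint16 length followed by that many bytes; returns (bytes, new_pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, key), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size = deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm not counted in 0x0502
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp)
        pos += 8                      # uint32 name_type, uint32 timestamp
        kvno = data[pos]              # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        key = data[pos + 5:pos + 5 + klen]
        pos += 5 + klen
        if end - pos >= 4:            # optional 32-bit kvno; non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(),
                        kvno, enctype, key))
    return entries


def enctypes_by_kvno(entries, principal):
    """{kvno: {enctype, ...}} for one principal, the view 'klist -kte' gives."""
    out = {}
    for name, kvno, enctype, _key in entries:
        if name == principal:
            out.setdefault(kvno, set()).add(enctype)
    return out


def missing_enctypes(data, principal, wanted=(AES256_SHA1,)):
    """Enctypes in `wanted` that no entry for `principal` carries (empty = all present)."""
    present = set()
    for types in enctypes_by_kvno(parse_keytab(data), principal).values():
        present |= types
    return set(wanted) - present


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a 0x0502 keytab (fixtures only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed fixture, NOT a real keytab: throw-away key bytes, and the host/
# principal deliberately lacks an AES256 key so missing_enctypes() flags it.
ZK = "zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka"
HOST = "host/stage-kdc-zk-ivy@stage.fdp.kafka"
SAMPLE_KEYTAB = build_keytab([(ZK, 2, 17, bytes(range(16))),
                              (ZK, 2, 18, bytes(range(32))),
                              (HOST, 2, 17, bytes(range(16, 32)))])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for name, kvno, enctype, _key in parse_keytab(data):
        gap = missing_enctypes(data, name)
        print("%-45s kvno=%-3d %-28s %s" % (name, kvno, ENCTYPE_NAMES.get(enctype, str(enctype)),
                                            "(no aes256 key for this principal)" if gap else ""))
```

Run as `python keytab_check.py /etc/krb5.keytab` (or with no argument to see the constructed sample) and cross-check with `klist -kte /etc/krb5.keytab`. The principal worth checking is the one the JVM's JAAS section actually logs in with: in the posted jaas.conf the Server section uses host/stage-kdc-zk-ivy@stage.fdp.kafka while the Client section uses zookeeper/stage-kdc-zk-ivy@stage.fdp.kafka. Besides the enctype being present, the kvno of that entry has to match the key version the KDC currently holds for the principal; a keytab written before the principal's keys were regenerated still lists the enctype but cannot decrypt tickets sealed with the newer key.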
