Hi Guilherme,
> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.
Sure.
> Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.
Configuring JAAS is one half of the puzzle. The half you seem to be
missing is 'sessionRequireClientSASLAuth', as provided and documented in
versions 3.6+:
https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html
>> zookeeper.sessionRequireClientSASLAuth : (Java system property only:
>> zookeeper.sessionRequireClientSASLAuth) New in 3.6.0: When set to
>> true, ZooKeeper server will only accept connections and requests from
>> clients that have authenticated with server via SASL. […]
> (I don't think requireClientAuthScheme=sasl is being considered)
Indeed. I see lots of references to 'requireClientAuthScheme' on the
Internet, but that is not a recognized property!
HTH, -D
--- Original message follows ---
Guilherme Ramos <guiramos@gmail.com> writes:
> Hi again!
>
> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.
>
> So, as Enrico Olivelli asked in the other email, here it is:
>
> docker-compose:
> zk:
>   image: zookeeper
>   restart: always
>   container_name: zk
>   networks:
>     net:
>       ipv4_address: 172.30.0.100
>   ports:
>     - 3181:2181
>     - 2180:8080
>   environment:
>     - ZOO_AUTOPURGE_PURGEINTERVAL=12
>     #- ZOO_CLIENT_USER=user_super
>     #- ZOO_CLIENT_PASSWORD=secret
>     #- ZOO_ENABLE_AUTH=yes
>     - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf
>   volumes:
>     - /var/data/services/zk/data:/data
>     - /var/data/services/zk/datalog:/datalog
>     - /var/data/services/zk/conf:/conf
>     - /var/data/services/zk/logs:/logs
>
> First, I tried to use those commented-out environment variables (in red). No
> success.
> Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.
>
>
> /conf/zoo.cfg
> clientPort=2181
> dataDir=/data
> dataLogDir=/datalog
> tickTime=2000
> initLimit=5
> syncLimit=2
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=0
> maxClientCnxns=60
> standaloneEnabled=true
> admin.enableServer=false
> server.1=localhost:2888:3888;2181
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> requireClientAuthScheme=sasl
>
> (I don't think requireClientAuthScheme=sasl is being considered)
>
> zoo_jaas.conf
> Client {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="client"
>     password="client_password";
> };
> Server {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_kafka="kafka_password";
> };
>
>
> In the past, our company would only allow JBOSS deployments. So I was
> embedding zookeeper as a web app, starting the QuorumPeerMain class
> manually, and that worked perfectly.
> It was version 3.4.0, if I am not wrong.
>
> This time I don't want to extend docker images; I would like to use your
> original one, making use of proper configuration.
>
> Please, please, please help me.
>
> Thank you in advance,
> Guiherme
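Putting the reply's advice together, here is an added example (not from either message in this thread, and not the ZooKeeper project's own scripts) that generates a config set for the official image in which JAAS is configured and, in addition, the JVM system property zookeeper.sessionRequireClientSASLAuth=true is passed via JVMFLAGS, so unauthenticated sessions are refused. The unrecognized requireClientAuthScheme line is dropped. The directory argument, the 3.6 image tag, the kafka account name and its password are placeholders; the check function only inspects the generated file and does not start a container.

```shell
#!/bin/sh
# Added example: generate a ZooKeeper 3.6+ configuration that rejects
# unauthenticated (anonymous) sessions. Paths, the image tag and the
# account/password are placeholders chosen for this example.
set -eu

# Writes conf/zoo.cfg, conf/zoo_jaas.conf and docker-compose.yml under "$1".
write_zk_conf() {
    dir="$1"
    mkdir -p "$dir/conf"

    # zoo.cfg registers the SASL auth provider. There is no
    # 'requireClientAuthScheme' property; enforcement is done by a
    # Java system property (see JVMFLAGS below), not by zoo.cfg.
    cat > "$dir/conf/zoo.cfg" <<'EOF'
clientPort=2181
dataDir=/data
dataLogDir=/datalog
tickTime=2000
initLimit=5
syncLimit=2
autopurge.snapRetainCount=3
autopurge.purgeInterval=12
maxClientCnxns=60
standaloneEnabled=true
admin.enableServer=false
server.1=localhost:2888:3888;2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
EOF

    # Server-side JAAS: the accounts clients may authenticate as.
    # DigestLoginModule keeps the password in clear text in this file, so
    # restrict the file to the process that runs ZooKeeper.
    cat > "$dir/conf/zoo_jaas.conf" <<'EOF'
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_kafka="kafka_password";
};
EOF
    chmod 0600 "$dir/conf/zoo_jaas.conf"

    # Both system properties ride in JVMFLAGS. With only the JAAS property
    # the server is *able* to authenticate clients but still accepts
    # anonymous sessions; sessionRequireClientSASLAuth=true is what makes
    # SASL mandatory (3.6.0+).
    cat > "$dir/docker-compose.yml" <<EOF
services:
  zk:
    image: zookeeper:3.6
    restart: always
    ports:
      - "3181:2181"
    environment:
      - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf -Dzookeeper.sessionRequireClientSASLAuth=true
    volumes:
      - $dir/conf:/conf
EOF
}

# Returns 0 if the generated compose file makes SASL mandatory, 1 otherwise.
check_require_sasl() {
    grep -q 'Dzookeeper.sessionRequireClientSASLAuth=true' "$1/docker-compose.yml"
}

# Returns 0 if the generated zoo.cfg no longer carries the bogus property.
check_no_bogus_property() {
    ! grep -q 'requireClientAuthScheme' "$1/conf/zoo.cfg"
}
```

After `docker compose up`, a zkCli.sh started without a client JAAS config (no -Djava.security.auth.login.config) should fail to establish a session, while one configured with a Client section matching user_kafka should connect. Note what the property does and does not do: it decides who may open a session at all; what an authenticated client may read or write is still governed by znode ACLs (the `sasl` scheme), which have to be set separately.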