Hi Guilherme,

> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.

Sure.

> Then I tried to pass the zoo_jaas.conf(below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.

Configuring JAAS is one half of the puzzle. The half you seem to be
missing is 'sessionRequireClientSASLAuth', as provided and documented
in versions 3.6+:

  https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html

>> zookeeper.sessionRequireClientSASLAuth : (Java system property only:
>> zookeeper.sessionRequireClientSASLAuth) New in 3.6.0: When set to
>> true, ZooKeeper server will only accept connections and requests from
>> clients that have authenticated with server via SASL. […]

> ( I don't think *requireClientAuthScheme=sasl* is being considered)

Indeed. I see lots of references to 'requireClientAuthScheme' on the
Internet, but that is not a recognized property!

HTH, -D

--- Original message follows ---

Guilherme Ramos writes:

> Hi again!
>
> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.
>
> So, as Enrico Olivelli asked in the other email, here it is:
>
> *docker-compose:*
> zk:
>   image: zookeeper
>   restart: always
>   container_name: zk
>   networks:
>     net:
>       ipv4_address: 172.30.0.100
>   ports:
>     - 3181:2181
>     - 2180:8080
>   environment:
>     - ZOO_AUTOPURGE_PURGEINTERVAL:12
>     #- ZOO_CLIENT_USER:user_super
>     #- ZOO_CLIENT_PASSWORD:secret
>     #- ZOO_ENABLE_AUTH:yes
>     - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf
>   volumes:
>     - /var/data/services/zk/data:/data
>     - /var/data/services/zk/datalog:/datalog
>     - /var/data/services/zk/conf:/conf
>     - /var/data/services/zk/logs:/logs
>
> First, I tried to use those commented out environment variables(in red). No
> success.
> Then I tried to pass the zoo_jaas.conf(below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.
>
>
> */conf/zoo.cfg*
> clientPort=2181
> dataDir=/data
> dataLogDir=/datalog
> tickTime=2000
> initLimit=5
> syncLimit=2
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=0
> maxClientCnxns=60
> standaloneEnabled=true
> admin.enableServer=false
> server.1=localhost:2888:3888;2181
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> *requireClientAuthScheme=sasl *
>
> ( I don't think *requireClientAuthScheme=sasl* is being considered)
>
> *zoo_jaas.conf*
> Client {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="client"
>   password="client_password";
> };
> Server {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_kafka="kafka_password";
> };
>
>
> In the past, our company would only allow JBOSS deployments. So I was
> embedding zookeeper as a web app, starting the QuorumPeerMain class
> manually and that worked perfectly.
> It was version 3.4.0, if I am not wrong.
>
> This time I don't want to extend docker images, I would like to use your
> original one, making use of proper configuration.
>
> Please, please, please help me.
>
> Thank you in advance,
> Guilherme
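
Added example (not part of the thread and not ZooKeeper project code): a small Python check for the two points made in the reply, run against the settings posted in the original message. The function names are hypothetical, and it looks for sessionRequireClientSASLAuth only in the JVM flags because the quoted documentation describes it as a Java system property only.

```python
import re

# Copied from the original message (mail-client emphasis markers removed).
POSTED_ZOO_CFG = """\
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""
POSTED_JVMFLAGS = "-Djava.security.auth.login.config=/conf/zoo_jaas.conf"
# Constructed: the posted flags plus the property named in the reply.
FIXED_JVMFLAGS = POSTED_JVMFLAGS + " -Dzookeeper.sessionRequireClientSASLAuth=true"


def parse_cfg(text):
    """Parse zoo.cfg key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def jvm_props(jvmflags):
    """Extract -Dname=value system properties from a JVMFLAGS string."""
    return dict(re.findall(r"-D([^\s=]+)=(\S+)", jvmflags))


def audit(zoo_cfg_text, jvmflags):
    """Return findings that leave the server open to unauthenticated clients."""
    cfg, props = parse_cfg(zoo_cfg_text), jvm_props(jvmflags)
    findings = []
    if "java.security.auth.login.config" not in props:
        findings.append("no JAAS login config passed to the JVM")
    if not any(k.startswith("authProvider.") and v.endswith("SASLAuthenticationProvider")
               for k, v in cfg.items()):
        findings.append("no SASLAuthenticationProvider in zoo.cfg")
    if props.get("zookeeper.sessionRequireClientSASLAuth", "").lower() != "true":
        findings.append("zookeeper.sessionRequireClientSASLAuth is not true: "
                        "anonymous sessions are still accepted")
    if "requireClientAuthScheme" in cfg:
        findings.append("requireClientAuthScheme is set but is not a recognized property")
    return findings


if __name__ == "__main__":
    for label, flags in (("posted", POSTED_JVMFLAGS), ("fixed", FIXED_JVMFLAGS)):
        print(label, audit(POSTED_ZOO_CFG, flags) or "ok")
```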