Posted to user@zookeeper.apache.org by Harish kumar <ha...@gmail.com> on 2018/03/08 11:58:02 UTC
SASL for Client connections
Hi,
I have enabled SASL on my ZooKeeper, with the below configuration.
*requireClientAuthScheme=sasl*
*authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
But still I see that I am able to connect to ZooKeeper even without a
valid Kerberos ticket.
Is there a way to restrict all client connections only with a valid Kerberos
ticket?
ZooKeeper Version - 3.4.8
Thanks,
Harish
Re: SASL for Client connections
Posted by Abraham Fine <af...@apache.org>.
This is related to a long-standing bug in our documentation (see: ZOOKEEPER-2668). requireClientAuthScheme does not actually do anything. It is never read by the code.
On Thu, Mar 8, 2018, at 21:40, Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore) wrote:
> Hi Abe,
>
> We are trying to understand the difference between setting
> requireClientAuthScheme=sasl
> and
> requireClientAuthScheme=all
> When a client does not have a valid Kerberos ticket, the behaviour is
> the same for either of the above settings. Whereas we'd've expected the
> client to not be able to connect when requireClientAuthScheme=sasl.
> To restrict such connections, should we also set
> zookeeper.allowSaslFailedClients=false?
>
> Regards
> Shirsha
>
> -----Original Message-----
> From: Abraham Fine [mailto:afine@apache.org]
> Sent: Friday, March 9, 2018 12:31 AM
> To: user@zookeeper.apache.org
> Subject: Re: SASL for Client connections
>
> Hi Harish-
>
> Currently there is no way to restrict ALL incoming client connections
> when using SASL.
>
> In ZooKeeper, SASL works on a node by node basis.
>
> Thanks,
> Abe
>
> On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> > Hi,
> >
> > I have enabled SASL on my ZooKeeper, with the below configuration.
> >
> > *requireClientAuthScheme=sasl*
> > *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
> >
> > But still I see that I am able to connect to ZooKeeper even without a
> > valid Kerberos ticket.
> > Is there a way to restrict all client connections only with a valid
> > Kerberos ticket?
> >
> > ZooKeeper Version - 3.4.8
> >
> >
> > Thanks,
> > Harish
RE: SASL for Client connections
Posted by "Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore)" <sh...@nokia.com>.
Hi Abe,
We are trying to understand the difference between setting
requireClientAuthScheme=sasl
and
requireClientAuthScheme=all
When a client does not have a valid Kerberos ticket, the behaviour is the same for either of the above settings. Whereas we'd've expected the client to not be able to connect when requireClientAuthScheme=sasl.
To restrict such connections, should we also set zookeeper.allowSaslFailedClients=false?
Regards
Shirsha
-----Original Message-----
From: Abraham Fine [mailto:afine@apache.org]
Sent: Friday, March 9, 2018 12:31 AM
To: user@zookeeper.apache.org
Subject: Re: SASL for Client connections
Hi Harish-
Currently there is no way to restrict ALL incoming client connections when using SASL.
In ZooKeeper, SASL works on a node by node basis.
Thanks,
Abe
On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> Hi,
>
> I have enabled SASL on my ZooKeeper, with the below configuration.
>
> *requireClientAuthScheme=sasl*
> *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
>
> But still I see that I am able to connect to ZooKeeper even without a
> valid Kerberos ticket.
> Is there a way to restrict all client connections only with a valid
> Kerberos ticket?
>
> ZooKeeper Version - 3.4.8
>
>
> Thanks,
> Harish
Re: SASL for Client connections
Posted by Abraham Fine <af...@apache.org>.
Hi Harish-
Currently there is no way to restrict ALL incoming client connections when using SASL.
In ZooKeeper, SASL works on a node by node basis.
Thanks,
Abe
On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> Hi,
>
> I have enabled SASL on my ZooKeeper, with the below configuration.
>
> *requireClientAuthScheme=sasl*
> *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
>
> But still I see that I am able to connect to ZooKeeper even without a
> valid Kerberos ticket.
> Is there a way to restrict all client connections only with a valid Kerberos
> ticket?
>
> ZooKeeper Version - 3.4.8
>
>
> Thanks,
> Harish
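
Since the replies above state that connections cannot be refused and that SASL applies per znode, one practical check is to list which znodes still admit an unauthenticated session. The following is an added example, not code from this thread or from the ZooKeeper project; it assumes the standard ZooKeeper Java client on the classpath, and the class name `ZnodeAclAudit` and the default address `localhost:2181` are illustrative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

public class ZnodeAclAudit {
    // An entry for world:anyone with any permission bit set applies to every
    // session, including one that never completed SASL authentication.
    static boolean isOpen(ACL acl) {
        return "world".equals(acl.getId().getScheme())
                && "anyone".equals(acl.getId().getId()) && acl.getPerms() != 0;
    }

    // Depth-first walk; records each znode that carries an open ACL entry.
    static void audit(ZooKeeper zk, String path, List<String> open)
            throws KeeperException, InterruptedException {
        try {
            for (ACL acl : zk.getACL(path, new Stat())) {
                if (isOpen(acl)) {
                    open.add(path + " perms=" + acl.getPerms());
                    break;
                }
            }
            for (String child : zk.getChildren(path, false)) {
                audit(zk, path.equals("/") ? "/" + child : path + "/" + child, open);
            }
        } catch (KeeperException.NoAuthException e) {
            // ACL denies this session: the node is restricted, nothing to report.
        } catch (KeeperException.NoNodeException e) {
            // Node was deleted while walking; skip it.
        }
    }

    public static void main(String[] args) throws Exception {
        String connect = args.length > 0 ? args[0] : "localhost:2181"; // assumed address
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(connect, 15000, event -> {
            if (event.getState() == KeeperState.SyncConnected) connected.countDown();
        });
        connected.await(); // wait until the session is established
        List<String> open = new ArrayList<>();
        audit(zk, "/", open);
        open.forEach(System.out::println);
        zk.close();
    }
}
```

Run it with no JAAS configuration so the session is unauthenticated; each znode it prints can be tightened by replacing the `world:anyone` entry with a `sasl`-scheme ACL. Children under a parent that denies listing are not visited, so audit those subtrees with an authenticated session as well.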