Posted to dev@zookeeper.apache.org by "Rakesh R (JIRA)" <ji...@apache.org> on 2014/09/19 17:33:33 UTC

[jira] [Commented] (ZOOKEEPER-2036) Client which is not authorized able to access the Secure Data which is created by the Secure Client

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14140745#comment-14140745 ] 

Rakesh R commented on ZOOKEEPER-2036:
-------------------------------------

From the JIRA description it is setting the ACLs wrongly.
{code}
[zk: localhost:2181(CONNECTED) 1] create -s /tmp-seq 'sd:er:'
Created /tmp-seq0000000003
[zk: localhost:2181(CONNECTED) 2] create -s /tmp-seq 'sd:er:'
Created /tmp-seq0000000004
{code}

When creating the znode, it needs to pass valid ACL with the format - "scheme:id:perm"
+Example:+ create -s /tmp-seq "data" "sasl:zookeeper/hadoop@HADOOP.COM:cdrwa"

Please test with the above changes and let me know any issues.

Also, please refer [SASL wiki pages|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL] for more info.

> Client which is not authorized able to access the Secure Data which is created by the Secure Client
> ---------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2036
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2036
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.5
>            Reporter: Brahma Reddy Battula
>            Priority: Blocker
>
>  *{color:blue}Scenario:{color}* 
> Started the Secure ZK Cluster.
> Logged with Secure ZK Client(by passing valid jaas.conf) and created the Znodes
> Now logged in to the same secure cluster using an unsecured ZK client (without jaas.conf) and was able to access the data which was created by the secured client.
>  *{color:blue}Secured Client{color}:(which created the Znodes)* 
> 2014-09-15 13:40:56,288 [myid:] - INFO  [main-SendThread(localhost:2181):ZooKeeperSaslClient$1@285] - Client will use GSSAPI as SASL mechanism.
> 2014-09-15 13:40:56,296 [myid:] - INFO  [Thread-1:Login@301] - TGT valid starting at:        Mon Sep 15 13:40:56 IST 2014
> 2014-09-15 13:40:56,296 [myid:] - INFO  [Thread-1:Login@302] - TGT expires:                  Tue Sep 16 13:40:56 IST 2014
> 2014-09-15 13:40:56,296 [myid:] - INFO  [Thread-1:Login$1@181] - TGT refresh sleeping until: Tue Sep 16 09:36:04 IST 2014
> 2014-09-15 13:40:56,302 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1000] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
> 2014-09-15 13:40:56,308 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@855] - Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session
> 2014-09-15 13:40:56,344 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1260] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1486856657e0016, negotiated timeout = 30000
> WATCHER::
> WatchedEvent state:SyncConnected type:None path:null
> WATCHER::
> WatchedEvent state: *{color:red}SaslAuthenticated{color}*  type:None path:null
> [zk: localhost:2181(CONNECTED) 1] create -s /tmp-seq 'sd:er:'
> Created /tmp-seq0000000003
> [zk: localhost:2181(CONNECTED) 2] create -s /tmp-seq 'sd:er:'
> Created /tmp-seq0000000004
> [zk: localhost:2181(CONNECTED) 0] ls /
> [tmp-seq0000000004, tmp-seq0000000003, hadoop, hadoop-ha, tmp-seq0000000002, zookeeper]
>  *{color:blue}UnSecured Client{color}:(which is accessing the Znodes)* 
> Welcome to ZooKeeper!
> 2014-09-15 13:00:30,440 [myid:] - WARN  [main-SendThread(localhost:2181):ClientCnxn$SendThread@982] - SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/home/****/zookeeper/conf/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
> 014-09-15 13:00:30,441 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1000] - Opening socket connection to server localhost/127.0.0.1:2181
>  WatchedEvent state: *{color:red}AuthFailed{color}*  type:None path:null
> JLine support is enabled
> 2014-09-15 13:00:30,451 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@855] - Socket connection established to localhost/127.0.0.1:2181, initiating session
> [zk: localhost:2181(CONNECTING) 0] 2014-09-15 13:00:30,488 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1260] - Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x348685662250005, negotiated timeout = 30000
> WATCHER::
> WatchedEvent state:SyncConnected type:None path:null
> [zk: localhost:2181(CONNECTED) 0] ls /
> [tmp-seq0000000004, tmp-seq0000000003, hadoop, hadoop-ha, tmp-seq0000000002, zookeeper]
> [zk: localhost:2181(CONNECTED) 1] get /tmp-seq000000000
> tmp-seq0000000004   tmp-seq0000000003   tmp-seq0000000002
> [zk: localhost:2181(CONNECTED) 1] get /tmp-seq0000000002
> ''
> cZxid = 0x100000040
> ctime = Mon Sep 15 12:51:50 IST 2014
> mZxid = 0x100000040
> mtime = Mon Sep 15 12:51:50 IST 2014
> pZxid = 0x100000040
> cversion = 0
> dataVersion = 0
> aclVersion = 0
> ephemeralOwner = 0x0
> dataLength = 2
> numChildren = 0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
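The "scheme:id:perm" ACL format Rakesh describes above, modelled as an added Python example (this is not ZooKeeper's own code). It parses zkCli-style ACL entries into the permission bits ZooKeeper defines in ZooDefs.Perms, rejects the data string 'sd:er:' from the report as a malformed ACL, and runs a simplified version of the server-side ACL check to show why a znode created with the default world:anyone:cdrwa ACL is readable by an unauthenticated session while one created with the suggested sasl ACL is not. The principal zookeeper/hadoop@HADOOP.COM is taken from the comment; exact id comparison for the sasl scheme is an assumption that simplifies the server's matching logic.

```python
"""Model of ZooKeeper znode ACL parsing and the server-side permission check."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Permission bits as defined in org.apache.zookeeper.ZooDefs.Perms
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: int  # bitmask built from PERMS


def parse_acl(spec: str) -> Acl:
    """Parse one zkCli-style entry 'scheme:id:perm'.

    The id may itself contain ':' (e.g. 'digest:user:hash'), so the scheme is
    split off at the first colon and the permission string at the last one.
    Raises ValueError for malformed input such as 'sd:er:' (empty perm field).
    """
    if spec.count(":") < 2:
        raise ValueError(f"ACL must be scheme:id:perm, got {spec!r}")
    scheme, rest = spec.split(":", 1)
    ident, perm_str = rest.rsplit(":", 1)
    if not scheme or not ident or not perm_str:
        raise ValueError(f"empty field in ACL {spec!r}")
    mask = 0
    for ch in perm_str:
        if ch not in PERMS:
            raise ValueError(f"unknown permission {ch!r} in ACL {spec!r}")
        mask |= PERMS[ch]
    return Acl(scheme, ident, mask)


def parse_acl_list(spec: str) -> List[Acl]:
    """zkCli accepts several comma-separated entries for one znode."""
    return [parse_acl(part.strip()) for part in spec.split(",")]


def is_valid_acl(spec: str) -> bool:
    """True if the string would be accepted as an ACL argument."""
    try:
        parse_acl_list(spec)
        return True
    except ValueError:
        return False


# What a znode gets when 'create' is run without an ACL argument
# (ZooDefs.Ids.OPEN_ACL_UNSAFE).
DEFAULT_ACL = parse_acl_list("world:anyone:cdrwa")

AuthId = Tuple[str, str]  # (scheme, id) the session authenticated as


def check_acl(acls: Iterable[Acl], perm: int, auth_ids: FrozenSet[AuthId]) -> bool:
    """Simplified model of the server's ACL check.

    'world:anyone' matches every session, authenticated or not; any other
    scheme only matches a session that holds the same (scheme, id).
    An unauthenticated session has an empty auth_ids set.
    """
    for acl in acls:
        if not (acl.perms & perm):
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if (acl.scheme, acl.id) in auth_ids:
            return True
    return False


def demo() -> dict:
    """Replay the report: default ACL versus the sasl ACL suggested above."""
    principal = ("sasl", "zookeeper/hadoop@HADOOP.COM")  # from the comment
    unauthenticated: FrozenSet[AuthId] = frozenset()
    secure_session: FrozenSet[AuthId] = frozenset({principal})
    fixed_acl = parse_acl_list("sasl:zookeeper/hadoop@HADOOP.COM:cdrwa")
    return {
        # 'sd:er:' was passed as data, so the znode got DEFAULT_ACL
        "default_unauth_read": check_acl(DEFAULT_ACL, PERMS["r"], unauthenticated),
        "fixed_unauth_read": check_acl(fixed_acl, PERMS["r"], unauthenticated),
        "fixed_secure_read": check_acl(fixed_acl, PERMS["r"], secure_session),
        "fixed_secure_admin": check_acl(fixed_acl, PERMS["a"], secure_session),
    }


if __name__ == "__main__":
    print("'sd:er:' is a valid ACL:", is_valid_acl("sd:er:"))
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the block shows the sequence from the report: the znode created without an ACL argument is readable by the unauthenticated session, and only the explicit sasl entry denies it while still granting the Kerberos principal full access.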