Posted to user@curator.apache.org by Arpit Jain <ja...@gmail.com> on 2020/01/14 21:05:24 UTC

Curator client for SASL authentication

Hi,

I am using SASL Kerberos-based authentication between Zookeeper and
Curator. Is the code below the correct way to create a client with SASL
authentication?

        CuratorFrameworkFactory.Builder builder =
            CuratorFrameworkFactory.builder().connectString(coordinatorHosts).retryPolicy(retryPolicy)
            .connectionTimeoutMs(coordinatorConnectionTimeout).sessionTimeoutMs(coordinatorSessionTimeout);

        final CuratorFramework curatorFramework =
            builder.authorization("sasl", "zkclient@EXAMPLE.COM".getBytes()).aclProvider(new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
        }).build();
        curatorFramework.start();
        curatorFramework.create().withMode(CreateMode.CONTAINER).forPath("/MyNode");


Thanks

Re: Curator client for SASL authentication

Posted by Arpit Jain <ja...@gmail.com>.
I managed to create an ACL with the authenticated client principal using the
lines of code below in the client:

        final CuratorFramework curatorFramework =
            CuratorFrameworkFactory.newClient(coordinatorHosts,
                coordinatorSessionTimeout, coordinatorConnectionTimeout, retryPolicy);
        curatorFramework.start(); // the client must be started before any operation is issued

        curatorFramework.create().creatingParentContainersIfNeeded()
            .withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");


ZooDefs.Ids.CREATOR_ALL_ACL gives permissions to the client which is
authenticated.

To test this, I logged in using zkCli.sh on the ZK server and ran getAcl
/mynode, and I was able to browse the znodes and can see that the node has all (CDRWA)
permissions for authenticated users. If I log in with an unauthenticated
principal, I am not able to see the znode tree even though I manage to
connect to the ZK server.

On Wed, Jan 15, 2020 at 8:03 AM Arpit Jain <ja...@gmail.com> wrote:

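A fuller version of the client described in the post above, as an added example that is not part of this thread and not Curator's own code. It keeps the zkclient@EXAMPLE.COM principal from the thread and assumes a hypothetical keytab path, a hypothetical connect string, and an ensemble with SASL enabled. It sets the JAAS login context through JVM properties before the first connection is opened (ZooKeeper negotiates SASL at session setup from that configuration; "sasl" is an ACL scheme rather than an addAuthInfo scheme, so no authorization() call is needed), pins the znode ACL to the principal with an explicit sasl-scheme entry instead of the creator-bound CREATOR_ALL_ACL, and reads the ACL back to confirm it. With CREATOR_ALL_ACL the server expands the "auth" entry to the session's authenticated id at create time and rejects the create with InvalidACL if the session has none, so the readback check works for either form.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/**
 * Added example (not Curator's own code): a Curator client that authenticates to
 * ZooKeeper with SASL/Kerberos through JAAS and creates a znode whose ACL names
 * the client principal with the "sasl" scheme. Keytab path and connect string
 * are placeholders for this example.
 */
public class SaslCuratorClient {

    static final String PRINCIPAL = "zkclient@EXAMPLE.COM";              // principal from the thread
    static final String KEYTAB = "/etc/security/keytabs/zkclient.keytab"; // hypothetical path

    /**
     * Write a minimal JAAS "Client" section and point the JVM at it. This must run
     * before the first ZooKeeper connection is opened: the ZooKeeper client reads
     * java.security.auth.login.config when it sets up the SASL login.
     */
    static Path configureJaas() throws IOException {
        String jaas = String.join("\n",
            "Client {",
            "  com.sun.security.auth.module.Krb5LoginModule required",
            "  useKeyTab=true",
            "  storeKey=true",
            "  useTicketCache=false",
            "  keyTab=\"" + KEYTAB + "\"",
            "  principal=\"" + PRINCIPAL + "\";",
            "};",
            "");
        Path file = Files.createTempFile("zk-client-jaas", ".conf");
        Files.write(file, jaas.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", file.toString());
        System.setProperty("zookeeper.sasl.client", "true");         // the default, shown for clarity
        System.setProperty("zookeeper.sasl.clientconfig", "Client"); // JAAS section name (the default)
        return file;
    }

    /**
     * ACL provider granting all permissions to exactly one SASL principal.
     * ZooDefs.Ids.CREATOR_ALL_ACL uses the "auth" scheme, which the server expands
     * to whatever identity the creating session holds; naming the principal makes
     * the ACL independent of which session created the node.
     */
    static ACLProvider principalOnly(String principal) {
        List<ACL> acl = Collections.singletonList(
            new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
        return new ACLProvider() {
            @Override public List<ACL> getDefaultAcl() { return acl; }
            @Override public List<ACL> getAclForPath(String path) { return acl; }
        };
    }

    static CuratorFramework newClient(String connectString) {
        // No authorization("sasl", ...) call: SASL is negotiated from the JAAS
        // configuration when the session is created, and "sasl" is an ACL scheme,
        // not an addAuthInfo scheme.
        return CuratorFrameworkFactory.builder()
            .connectString(connectString)
            .retryPolicy(new ExponentialBackoffRetry(1000, 3))
            .sessionTimeoutMs(30_000)
            .connectionTimeoutMs(15_000)
            .aclProvider(principalOnly(PRINCIPAL))
            .build();
    }

    /** True only if the znode carries exactly one sasl entry for the principal with all permissions. */
    static boolean aclPinnedTo(CuratorFramework client, String path, String principal) throws Exception {
        List<ACL> acls = client.getACL().forPath(path);
        if (acls.size() != 1) {
            return false;
        }
        ACL only = acls.get(0);
        return "sasl".equals(only.getId().getScheme())
            && principal.equals(only.getId().getId())
            && only.getPerms() == ZooDefs.Perms.ALL;
    }

    public static void main(String[] args) throws Exception {
        Path jaasFile = configureJaas();
        try (CuratorFramework client = newClient("zk1.example.com:2181")) { // hypothetical host
            client.start();
            client.blockUntilConnected();
            String path = "/mynode";
            if (client.checkExists().forPath(path) == null) {
                client.create()
                      .creatingParentContainersIfNeeded()
                      .withMode(CreateMode.PERSISTENT)
                      .forPath(path, "hello".getBytes(StandardCharsets.UTF_8));
            }
            // Read the ACL back rather than trusting the create call: this is the
            // programmatic equivalent of the "getAcl /mynode" check done with zkCli.sh.
            System.out.println("ACL pinned to " + PRINCIPAL + ": " + aclPinnedTo(client, path, PRINCIPAL));
        } finally {
            Files.deleteIfExists(jaasFile);
        }
    }
}
```

Run it with the keytab in place. The same ZooKeeper client classes (Login, SecurityUtils) execute inside Curator, so a successful run emits the "Client successfully logged in" and "Client will use GSSAPI as SASL mechanism" lines that the zkCli.sh comparison later in this thread shows; their absence in the Curator log means the login context was not found in that JVM.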

Re: Curator client for SASL authentication

Posted by Arpit Jain <ja...@gmail.com>.
I am passing a few properties to the JVM as suggested by the Zookeeper
documentation for starting Curator with SASL.
However, I want to set ACLs for authorization from Curator but am getting
errors at the moment.
I saw examples using digest md5 to set ACLs from Curator, so I assume it
should be similar for Kerberos-based authentication.


On Wed, Jan 15, 2020, 1:23 AM Jordan Zimmerman <jo...@jordanzimmerman.com>
wrote:


Re: Curator client for SASL authentication

Posted by Jordan Zimmerman <jo...@jordanzimmerman.com>.
That’s what I was thinking TBH

====================
Jordan Zimmerman

> On Jan 14, 2020, at 9:22 PM, Cameron McKenzie <mc...@gmail.com> wrote:

Re: Curator client for SASL authentication

Posted by Cameron McKenzie <mc...@gmail.com>.
I had a quick look, but I can't see anywhere in our examples / tests where
we use SASL. I've never tried to configure it, but there doesn't really
seem to be any Curator-specific code to support it; presumably it's just
properties setting up stuff in the JVM?

On Wed, Jan 15, 2020 at 8:37 AM Jordan Zimmerman <jo...@jordanzimmerman.com>
wrote:


Re: Curator client for SASL authentication

Posted by Arpit Jain <ja...@gmail.com>.
Just to add something more: I am observing a small difference in the client-side
logs when using Curator and the zkCli.sh script (from the ZK server itself).
With zkCli.sh, I am seeing the extra lines below, which are missing in the Curator
logs.

2020-01-14 21:17:12,168 [myid:localhost:2181] - INFO  [main-SendThread(localhost:2181):Login@302] - Client successfully logged in.
2020-01-14 21:17:12,171 [myid:localhost:2181] - INFO  [Thread-1:Login$1@135] - TGT refresh thread started.
2020-01-14 21:17:12,176 [myid:localhost:2181] - INFO  [Thread-1:Login@320] - TGT valid starting at:        Tue Jan 14 21:17:12 UTC 2020
2020-01-14 21:17:12,176 [myid:localhost:2181] - INFO  [Thread-1:Login@321] - TGT expires:                  Wed Jan 15 09:17:12 UTC 2020
2020-01-14 21:17:12,177 [myid:localhost:2181] - INFO  [Thread-1:Login$1@193] - TGT refresh sleeping until: Wed Jan 15 07:06:41 UTC 2020
2020-01-14 21:17:12,181 [myid:localhost:2181] - INFO  [main-SendThread(localhost:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2020-01-14 21:17:12,207 [myid:localhost:2181] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1112] - Opening socket connection to server localhost/127.0.0.1:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2020-01-14 21:17:12,227 [myid:localhost:2181] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /127.0.0.1:46322, server: localhost/127.0.0.1:2181
2020-01-14 21:17:12,247 [myid:localhost:2181] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1394] - Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x100627fcb82001a, negotiated timeout = 30000

In the ZK server logs, everything is the same in both cases (Curator and
zkCli.sh) and it says the client successfully authenticated. See the log
statements below.

Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[05 04 01 ff 00 0c 00 00 00 00 00 00 04 f3 99 8f 01 01 00 00 46 b2 b1 a4 1b 07 8a e9 94 a7 fc 61 ]
Krb5Context.unwrap: token=[05 04 00 ff 00 0c 00 00 00 00 00 00 04 f3 99 8f 01 01 00 00 7a 6b 63 6c 69 65 6e 74 40 45 58 41 4d 50 4c 45 2e 43 4f 4d 35 8a 8a ad d4 7e 5d f3 9a 0a 4c ce ]
Krb5Context.unwrap: data=[01 01 00 00 7a 6b 63 6c 69 65 6e 74 40 45 58 41 4d 50 4c 45 2e 43 4f 4d ]
2020-01-14 22:03:49,339 [myid:1] - INFO  [NIOWorkerThread-8:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient@EXAMPLE.COM;  authorizationID=zkclient@EXAMPLE.COM.
2020-01-14 22:03:49,340 [myid:1] - INFO  [NIOWorkerThread-8:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient@EXAMPLE.COM
2020-01-14 22:03:49,340 [myid:1] - INFO  [NIOWorkerThread-8:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient@EXAMPLE.COM

Does it make any difference, as I am not able to create an ACL with the SASL auth
scheme when using Curator?


On Tue, Jan 14, 2020 at 9:37 PM Jordan Zimmerman <jo...@jordanzimmerman.com>
wrote:


Re: Curator client for SASL authentication

Posted by Jordan Zimmerman <jo...@jordanzimmerman.com>.
I saw the conversation in the zookeeper list. I’m traveling at the moment. If someone else doesn’t get to this, I’ll check when I can.

====================
Jordan Zimmerman

> On Jan 14, 2020, at 6:05 PM, Arpit Jain <ja...@gmail.com> wrote: