Posted to user@zookeeper.apache.org by Andor Molnar <an...@apache.org> on 2020/01/06 12:52:02 UTC

Re: Zookeeper server and client authentication

Are we going to release client authentication enforcement in 3.6?
I can’t remember a patch which implements it.

Andor




> On 2019. Dec 30., at 15:17, Enrico Olivelli <eo...@gmail.com> wrote:
> 
> On Mon 30 Dec 2019, 14:55 shrikant kalani <sh...@gmail.com> wrote:
> 
>> Enrico,
>> 
>> Is 3.6 going to be available soon ? Within 1 month ?
>> 
> 
> I can't make promises.
> It is up to the community.
> I can say we are actively preparing the release.
> You will see, hopefully next week, a VOTE email thread on
> dev@zookeeper.apache.org mailing list.
> 
> If you try it and report that it is working for you, this will be a good
> contribution to the community
> 
> Cheers
> Enrico
> 
>> 
>> Thanks
>> Srikant Kalani
>> 
>> Sent from my iPhone
>> 
>>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eo...@gmail.com> wrote:
>>> 
>>> If you try to use wrong credentials, corrupted keytab...you won't be able
>>> to read/write.
>>> Connection maybe is allowed
>>> 
>>> Enrico
>>> 
>>> On Mon 30 Dec 2019, 14:19 Arpit Jain <ja...@gmail.com> wrote:
>>> 
>>>> Just to confirm the settings I have in my environment:
>>>> 
>>>> 1. On ZK side, my JAAS file looks like this:
>>>> Server {
>>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>>      useKeyTab=true
>>>>      keyTab="/conf/zoo1.keytab"
>>>>      storeKey=true
>>>>      useTicketCache=false
>>>>      principal="zookeeper/zoo1@EXAMPLE.COM";
>>>> };
>>>> The principal "zookeeper/zoo1@EXAMPLE.COM" has been
>>>> created in Kerberos server running locally. I am able to start ZK with this
>>>> principal and I can see ticket exchange between ZK and Kerberos for this
>>>> principal.
>>>> 
>>>> 2. On client (Curator) side, JAAS file looks like below. Principal
>>>> "zkclient@EXAMPLE.COM" is present in Kerberos server. The curator is able
>>>> to connect properly to ZK (with or without principal) even though SASL is
>>>> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>>>> authentication.
>>>> Client {
>>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>>      useKeyTab=true
>>>>      keyTab="/tmp/zkclient.keytab"
>>>>      storeKey=true
>>>>      useTicketCache=false
>>>>      principal="zkclient@EXAMPLE.COM";
>>>> };
>>>> 
>>>> Just want to make sure my settings are correct.
>>>> 
>>>> Thanks
>>>> 
>>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eo...@gmail.com> wrote:
>>>>> 
>>>>> Arpit,
>>>>> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
>>>>> 
>>>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>>>> 
>>>>> If you have time you can build from branch-3.6 and run the server enabling
>>>>> that feature that you are pointing to.
>>>>> It is a server side change only so you can use 3.5 in your application
>>>>> 
>>>>> 
>>>>> Enrico
>>>>> 
>>>>> On Mon 30 Dec 2019, 13:23 shrikant kalani <sh...@gmail.com> wrote:
>>>>> 
>>>>>> Couple of things which you can check -
>>>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
>>>>>> need to set Zookeeper.sasl.client.username
>>>>>> 2) set java.security.auth.login.config
>>>>>> 
>>>>>> And I also faced the same issue that there is no strict enforcement to
>>>>>> allow only authenticated client. Unless someone is aware of the way I doubt
>>>>>> we may need to wait for 3.6
>>>>>> 
>>>>>> Thanks
>>>>>> Srikant
>>>>>> 
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <ja...@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
>>>>>>> any authentication happening between Zookeeper client (curator) and ZK
>>>>>>> server. I have put the following setting in zoo.cfg and followed this guide:
>>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>>>> 
>>>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>>>> requireClientAuthScheme=sasl
>>>>>>> 
>>>>>>> What additional setting I need to provide so that only authenticated
>>>>>>> clients (for which principals are present in Kerberos server) can connect
>>>>>>> to ZK server ?
>>>>>>> I also found this link
>>>>>>> https://github.com/apache/zookeeper/pull/118/commits which
>>>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
>>>>>>> does not enforce it even if we have the configuration.
>>>>>>> 
>>>>>>> Thanks
>>>>>> 
>>>>> 
>>>> 
>> 


Re: Zookeeper server and client authentication

Posted by Andor Molnar <an...@apache.org>.
Thanks, great stuff! I’ve already forgotten about it.

So, this is the approach of enforcing clients to authenticate during connection. I reckon another one which would let clients postpone authentication with the ‘addAuth’ command:
https://issues.apache.org/jira/browse/ZOOKEEPER-2462

But that’s still open. Not a problem though, 3.6.0 is already super cool with this.

Andor




> On 2020. Jan 6., at 16:09, Enrico Olivelli <eo...@gmail.com> wrote:
> 
> Take a look to
> https://issues.apache.org/jira/browse/ZOOKEEPER-1634
> 
> Enrico
> 
> On Mon 6 Jan 2020, 13:52 Andor Molnar <an...@apache.org> wrote:
> 
>> Are we going to release client authentication enforcement in 3.6?
>> I can’t remember a patch which implements it.
>> 
>> Andor
>> 
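The two messages above describe the gap behind the original question: on 3.5.x a SASL-capable server still accepts sessions that never authenticate, and only znode ACLs stand between such a session and the data; ZOOKEEPER-1634 adds connection-time enforcement in 3.6. The following audit script is an added example, not code from this thread or from the ZooKeeper project. It parses a zoo.cfg fragment and the server JAAS section and reports why unauthenticated clients could still connect. The `sessionRequireClientSASLAuth` property name is taken from the 3.6 admin guide rather than from this thread, so check it against the release you actually run; the config texts and the `audit_client_auth` function are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the server-side JAAS file quoted in the thread
# (not the poster's actual file).
SERVER_JAAS = """
Server {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     keyTab="/conf/zoo1.keytab"
     storeKey=true
     useTicketCache=false
     principal="zookeeper/zoo1@EXAMPLE.COM";
};
"""

# Constructed zoo.cfg fragments: the 3.5.x settings from the original question,
# and the 3.6 settings that actually reject unauthenticated sessions.
ZOO_CFG_35 = """
tickTime=2000
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""

ZOO_CFG_36 = """
tickTime=2000
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# ZOOKEEPER-1634 (3.6.0): refuse sessions that have not authenticated via SASL
sessionRequireClientSASLAuth=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse zoo.cfg-style key=value lines, skipping blanks and comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jaas_principal(jaas_text: str, section: str) -> str:
    """Return the principal="..." value of the named JAAS section, or '' if absent."""
    block = re.search(re.escape(section) + r"\s*\{(.*?)\};", jaas_text, re.S)
    if not block:
        return ""
    match = re.search(r'principal\s*=\s*"([^"]+)"', block.group(1))
    return match.group(1) if match else ""


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.5.5' -> (3, 5); only major.minor matter for the enforcement check."""
    return tuple(int(part) for part in version.split(".")[:2])


def audit_client_auth(cfg: Dict[str, str], zk_version: str, server_jaas: str,
                      client_sasl_username: str = "zookeeper") -> List[str]:
    """Return findings explaining why unauthenticated clients could still connect."""
    findings: List[str] = []

    providers = [v for k, v in cfg.items() if k.startswith("authProvider.")]
    if not any(v.endswith(".SASLAuthenticationProvider") for v in providers):
        findings.append("no SASLAuthenticationProvider registered: clients cannot "
                        "authenticate with SASL at all")

    if version_tuple(zk_version) < (3, 6):
        scheme = cfg.get("requireClientAuthScheme")
        note = (f" (requireClientAuthScheme={scheme} is set, but 3.5.x does not "
                "enforce it at connection time)") if scheme else ""
        findings.append(f"ZooKeeper {zk_version} accepts unauthenticated sessions; "
                        f"access is limited only by znode ACLs{note}")
    elif cfg.get("sessionRequireClientSASLAuth", "false").lower() != "true":
        findings.append("sessionRequireClientSASLAuth is not true: unauthenticated "
                        "sessions are still accepted on 3.6")

    # The client builds the service principal from zookeeper.sasl.client.username
    # (default "zookeeper"); it must match the primary of the server's principal.
    principal = jaas_principal(server_jaas, "Server")
    primary = principal.split("/")[0].split("@")[0]
    if primary and primary != client_sasl_username:
        findings.append(f"server principal primary '{primary}' differs from the client's "
                        f"zookeeper.sasl.client.username '{client_sasl_username}': "
                        "SASL negotiation will fail")
    return findings


if __name__ == "__main__":
    for cfg_text, version in ((ZOO_CFG_35, "3.5.5"), (ZOO_CFG_36, "3.6.0")):
        findings = audit_client_auth(parse_properties(cfg_text), version, SERVER_JAAS)
        print(f"ZooKeeper {version}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports the 3.5.5 configuration as accepting unauthenticated sessions and the 3.6 configuration as clean; the principal check covers the `zookeeper.sasl.client.username` point raised earlier in the thread for servers whose principal does not start with `zookeeper/`.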


Re: Zookeeper server and client authentication

Posted by Enrico Olivelli <eo...@gmail.com>.
Take a look to
https://issues.apache.org/jira/browse/ZOOKEEPER-1634

Enrico

On Mon 6 Jan 2020, 13:52 Andor Molnar <an...@apache.org> wrote:

> Are we going to release client authentication enforcement in 3.6?
> I can’t remember a patch which implements it.
>
> Andor