You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@curator.apache.org by Philip Zampino <pz...@gmail.com> on 2017/10/10 21:02:05 UTC
Configuring security for TestingCluster?
I'm wondering if it's possible to configure any kind of security (i.e.,
authentication) to a (curator-test) TestingCluster.
If so, is it documented anywhere?
Thanks,
Phil
Re: Configuring security for TestingCluster?
Posted by Philip Zampino <pz...@gmail.com>.
I can accomplish my goal using a jaas config file, which is fine for test
code, but I would prefer to avoid writing credentials to disk in real code.
Map<String, Object> customInstanceSpecProps = new HashMap<>();
customInstanceSpecProps.put("authProvider.1",
"org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
customInstanceSpecProps.put("requireClientAuthScheme", "sasl");
File saslConfFile = new File(dataParent, "jaas.conf");
FileWriter fwriter = new FileWriter(saslConfFile);
fwriter.write( "Server {\n" +
"
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
" user_super=\"test\";\n" +
"};\n" +
"Client {\n" +
"
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
" username=\"super\"\n" +
" password=\"test\";\n" +
"};\n");
fwriter.close();
System.setProperty("java.security.auth.login.config",
saslConfFile.getAbsolutePath());
// Create the test cluster
List<InstanceSpec> instanceSpecs = new ArrayList<>();
for (int i = 0 ; i < 3 ; i++) {
instanceSpecs.add(new InstanceSpec(null, -1, -1, -1, false, i,
-1, -1, customInstanceSpecProps));
}
TestingCluster zkCluster = new TestingCluster(instanceSpecs);
zkCluster.start();
client = CuratorFrameworkFactory.builder()
.connectString(zkCluster.getConnectString())
.retryPolicy(new
ExponentialBackoffRetry(100, 3))
.build();
List<ACL> acls = new ArrayList<>();
acls.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", "super")));
client.create().creatingParentsIfNeeded().withACL(acls).forPath("/test/mynode");
This all works well, and the nodes are accessible to my clients.
I've tried removing the Client section from the jaas.conf file, using the
client build authorization instead:
client = CuratorFrameworkFactory.builder()
.connectString(zkCluster.getConnectString())
.retryPolicy(new
ExponentialBackoffRetry(100, 3))
.authorization("digest",
"super:test".getBytes())
.build();
If I specify "sasl" scheme here, then authentication fails when creating
the node.
If I specify "digest", then the creation is permitted, but a subsequent
client with the same auth config fails with "NoAuth".
So, I'm a lot closer than I was yesterday, but I'm still missing something.
Any help is appreciated.
Thanks,
Phil
On Tue, Oct 10, 2017 at 9:46 PM, Philip Zampino <pz...@gmail.com> wrote:
> I've searched the Curator codebase, and didn't find any examples. I guess
> I'll educate myself about securing ZK in-general, and try to figure it out.
>
> On Tue, Oct 10, 2017 at 7:17 PM, Cameron McKenzie <ca...@apache.org>
> wrote:
>
>> I haven't tried it, and I don't think it's done anywhere specifically in
>> the Curator codebase, but given that the TestingCluster and associated
>> classes are just wrappers around the underlying Zookeeper server, I can't
>> see why it couldn't be done.
>>
>> On Wed, Oct 11, 2017 at 8:02 AM, Philip Zampino <pz...@gmail.com>
>> wrote:
>>
>>> I'm wondering if it's possible to configure any kind of security (i.e.,
>>> authentication) to a (curator-test) TestingCluster.
>>>
>>> If so, is it documented anywhere?
>>>
>>> Thanks,
>>> Phil
>>>
>>
>>
>
Re: Configuring security for TestingCluster?
Posted by Philip Zampino <pz...@gmail.com>.
I've searched the Curator codebase, and didn't find any examples. I guess
I'll educate myself about securing ZK in-general, and try to figure it out.
On Tue, Oct 10, 2017 at 7:17 PM, Cameron McKenzie <ca...@apache.org>
wrote:
> I haven't tried it, and I don't think it's done anywhere specifically in
> the Curator codebase, but given that the TestingCluster and associated
> classes are just wrappers around the underlying Zookeeper server, I can't
> see why it couldn't be done.
>
> On Wed, Oct 11, 2017 at 8:02 AM, Philip Zampino <pz...@gmail.com>
> wrote:
>
>> I'm wondering if it's possible to configure any kind of security (i.e.,
>> authentication) to a (curator-test) TestingCluster.
>>
>> If so, is it documented anywhere?
>>
>> Thanks,
>> Phil
>>
>
>
Re: Configuring security for TestingCluster?
Posted by Cameron McKenzie <ca...@apache.org>.
I haven't tried it, and I don't think it's done anywhere specifically in
the Curator codebase, but given that the TestingCluster and associated
classes are just wrappers around the underlying Zookeeper server, I can't
see why it couldn't be done.
On Wed, Oct 11, 2017 at 8:02 AM, Philip Zampino <pz...@gmail.com> wrote:
> I'm wondering if it's possible to configure any kind of security (i.e.,
> authentication) to a (curator-test) TestingCluster.
>
> If so, is it documented anywhere?
>
> Thanks,
> Phil
>