Posted to user@zookeeper.apache.org by Arpit Jain <ja...@gmail.com> on 2020/01/14 15:15:28 UTC
Zookeeper ACL creation using SASL Kerberos authorization
ZK version 3.5.6
Curator version: 4.2.0
I am able to authenticate the client principal on the ZK server, but it fails while
setting the ACL.
Logs on Zookeeper server side:
2020-01-14 15:05:27,177 [myid:1] - INFO [NIOWorkerThread-2:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient@EXAMPLE.COM; authorizationID=zkclient@EXAMPLE.COM.
2020-01-14 15:05:27,178 [myid:1] - INFO [NIOWorkerThread-2:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,178 [myid:1] - INFO [NIOWorkerThread-2:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,179 [myid:1] - INFO [NIOWorkerThread-4:ZooKeeperServer@1095] - got auth packet /172.30.0.6:33830
2020-01-14 15:05:27,180 [myid:1] - WARN [NIOWorkerThread-4:ZooKeeperServer@1123] - Authentication failed for scheme: sasl
Logs on client side:
2020-01-14 15:05:27.183+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.184+0000 [L: ERROR] [O: o.a.c.ConnectionState] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.298+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
2020-01-14 15:05:27.303+0000 [L: ERROR] [O: c.t.s.c.ZookeeperHelper] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /MyNode
This is how I am creating client:
CuratorFrameworkFactory.Builder builder =
    CuratorFrameworkFactory.builder()
        .connectString(coordinatorHosts)
        .retryPolicy(retryPolicy)
        .connectionTimeoutMs(coordinatorConnectionTimeout)
        .sessionTimeoutMs(coordinatorSessionTimeout);
final CuratorFramework curatorFramework =
    builder.authorization("sasl", "zkclient@EXAMPLE.COM".getBytes())
        .aclProvider(new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
            @Override
            public List<ACL> getAclForPath(String path) {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
        }).build();
curatorFramework.start();
curatorFramework.create().withMode(CreateMode.CONTAINER).forPath("/MyNode");
I believe I am successfully authenticated but something is wrong with
creating ACL.
Thanks
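
An added example, not part of the original post or of the ZooKeeper or Curator projects: ZooKeeper negotiates SASL when the session is established, and its SASL authentication provider rejects any later auth packet for scheme "sasl", which matches the "got auth packet" and "Authentication failed for scheme: sasl" lines above. The sketch below builds the same client without the authorization("sasl", ...) call and reads the ACL back. The class name, connect string, timeouts and JAAS file path are placeholders, and it assumes the JAAS "Client" login that already authenticates in the server log.

```java
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class SaslAclExample {
    public static void main(String[] args) throws Exception {
        // Placeholder path: JAAS file with a "Client" section (Kerberos login
        // module, keytab, principal). Can also be passed with -D on the command line.
        System.setProperty("java.security.auth.login.config",
                "/path/to/zk-client-jaas.conf");

        // Same ACL provider as in the post: every node gets CREATOR_ALL_ACL,
        // which the server expands to the identities authenticated on the session.
        ACLProvider creatorAll = new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
            @Override
            public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
        };

        // No .authorization("sasl", ...) here: the SASL identity comes from the
        // JAAS login at session setup, so no addauth packet is sent.
        try (CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("zk1.example.com:2181")   // placeholder host
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .connectionTimeoutMs(15000)               // placeholder timeouts
                .sessionTimeoutMs(60000)
                .aclProvider(creatorAll)
                .build()) {
            client.start();
            client.create().withMode(CreateMode.CONTAINER).forPath("/MyNode");

            // Read the ACL back to see which identity the server recorded.
            for (ACL acl : client.getACL().forPath("/MyNode")) {
                System.out.println(acl.getId().getScheme() + ":"
                        + acl.getId().getId() + " perms=" + acl.getPerms());
            }
        }
    }
}
```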