Posted to user@zookeeper.apache.org by Arpit Jain <ja...@gmail.com> on 2020/01/14 15:15:28 UTC

Zookeeper ACL creation using SASL Kerberos authorization

ZK version 3.5.6
Curator version: 4.2.0

I am able to authenticate the client principal on the ZK server, but it fails
while setting the ACL.
Logs on the Zookeeper server side:

2020-01-14 15:05:27,177 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient@EXAMPLE.COM;  authorizationID=zkclient@EXAMPLE.COM.
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,179 [myid:1] - INFO  [NIOWorkerThread-4:ZooKeeperServer@1095] - got auth packet /172.30.0.6:33830
2020-01-14 15:05:27,180 [myid:1] - WARN  [NIOWorkerThread-4:ZooKeeperServer@1123] - Authentication failed for scheme: sasl

Logs on client side:

2020-01-14 15:05:27.183+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.184+0000 [L: ERROR] [O: o.a.c.ConnectionState] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.298+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
2020-01-14 15:05:27.303+0000 [L: ERROR] [O: c.t.s.c.ZookeeperHelper] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /MyNode

This is how I am creating the client:

        import java.util.List;
        import org.apache.curator.framework.CuratorFramework;
        import org.apache.curator.framework.CuratorFrameworkFactory;
        import org.apache.curator.framework.api.ACLProvider;
        import org.apache.zookeeper.CreateMode;
        import org.apache.zookeeper.ZooDefs;
        import org.apache.zookeeper.data.ACL;

        CuratorFrameworkFactory.Builder builder =
            CuratorFrameworkFactory.builder()
                .connectString(coordinatorHosts)
                .retryPolicy(retryPolicy)
                .connectionTimeoutMs(coordinatorConnectionTimeout)
                .sessionTimeoutMs(coordinatorSessionTimeout);

        final CuratorFramework curatorFramework =
            builder.authorization("sasl", "zkclient@EXAMPLE.COM".getBytes())
                .aclProvider(new ACLProvider() {
                    @Override
                    public List<ACL> getDefaultAcl() {
                        return ZooDefs.Ids.CREATOR_ALL_ACL;
                    }

                    @Override
                    public List<ACL> getAclForPath(String path) {
                        return ZooDefs.Ids.CREATOR_ALL_ACL;
                    }
                }).build();

        curatorFramework.start();

        curatorFramework.create().withMode(CreateMode.CONTAINER).forPath("/MyNode");


I believe I am successfully authenticated, but something is wrong with
creating the ACL.


Thanks
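
Added example, not part of the original post and not ZooKeeper or Curator code: a Python triage over the server log records quoted in the post that separates the SASL handshake result from the auth packet that follows it. Curator's authorization(scheme, auth) reaches the server as an auth packet (ZooKeeper.addAuthInfo), which is the record type the WARN line refuses; the function and field names are made up for this example.

```python
import re

# Server log records copied from the post above, one per line.
SERVER_LOG = """\
2020-01-14 15:05:27,177 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient@EXAMPLE.COM;  authorizationID=zkclient@EXAMPLE.COM.
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient@EXAMPLE.COM
2020-01-14 15:05:27,179 [myid:1] - INFO  [NIOWorkerThread-4:ZooKeeperServer@1095] - got auth packet /172.30.0.6:33830
2020-01-14 15:05:27,180 [myid:1] - WARN  [NIOWorkerThread-4:ZooKeeperServer@1123] - Authentication failed for scheme: sasl
"""

# timestamp [myid:N] - LEVEL  [thread:Class@line] - message
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[myid:(?P<myid>\d+)\] - "
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^:\]]+):(?P<cls>\w+)@(?P<line>\d+)\] - (?P<msg>.*)$")
SASL_OK = re.compile(r"adding SASL authorization for authorizationID: (\S+)")
AUTH_PACKET = re.compile(r"got auth packet /(\S+)")
AUTH_FAILED = re.compile(r"Authentication failed for scheme: (\S+)")


def parse(log_text):
    """Yield one dict per well-formed server log record; skip anything else."""
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text):
    """Separate SASL handshake outcomes from refused auth packets."""
    principals = []   # identities attached to a session by the SASL handshake
    pending = {}      # worker thread -> client address of its last auth packet
    rejected = []     # (client address, scheme) for each refused auth packet
    for rec in parse(log_text):
        msg, thread = rec["msg"], rec["thread"]
        if m := SASL_OK.search(msg):
            principals.append(m.group(1))
        elif m := AUTH_PACKET.search(msg):
            pending[thread] = m.group(1)
        elif (m := AUTH_FAILED.search(msg)) and rec["level"] == "WARN":
            # Pair the refusal with the auth packet seen on the same thread.
            rejected.append((pending.pop(thread, None), m.group(1)))
    return {
        "sasl_principals": principals,
        "rejected_auth_packets": rejected,
        # True when the handshake succeeded and a later "sasl" packet was refused.
        "handshake_ok_but_sasl_packet_refused":
            bool(principals) and any(s == "sasl" for _, s in rejected),
    }
```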