How to force SASL on all Zookeeper connections
I have a recent zookeeper build (version=3.4.3-1240972, built on 02/06/2012 10:48 GMT), and am having trouble forcing SASL to be used on all client connections.

Using the local conf/ directory of the release, I have the following configuration (running on Ubuntu 12.04):

conf/zoo.cfg

tickTime=2001
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

conf/jaas.conf

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="1adminsecret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="super"
    password="1adminsecret";
};

conf/java.env

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"

When I connect from the zkCli.sh script, it will auth properly, and changing the jaas.conf file will cause it to not be able to query. This is expected behavior.

However, when I use the ruby "zookeeper" gem, and run (with irb):

require 'zookeeper'
z = Zookeeper.new("localhost:2181")
z.get_children(:path => "/")
z.create(path:'/asdf', data:'test')

it returns results properly. If I'm requiring SASL for login, how come the ruby client is bypassing security? I know it isn't just a read vs. write issue, as I can create keys as well.

Makeup answered 10/7, 2012 at 17:27 Comment(2)
For reference, I used the following sources for configuring SASL: github.com/ekoontz/zookeeper/wiki and cwiki.apache.org/ZOOKEEPER/zookeeper-and-sasl.html – Makeup
You have created a java.env file; how do you read that file from zkCli.sh? – Campo

In conf/zoo.cfg, add the line,

requireClientAuthScheme=sasl

From the Server Configuration section here,

requireClientAuthScheme=sasl is optional: if it is set to any value, it will only allow non-authenticated clients to ping, create session, close session, or sasl-authenticate.

Pennebaker answered 11/7, 2012 at 5:3 Comment(7)
I added that line, and it's still allowing everything through. And I did shut down the zkServer before changing the config. – Makeup
What happens if you add this to your zoo.cfg: maintain_connection_despite_sasl_failure=false – Pennebaker
I've added it there, as well as to the command line (-Dzookeeper. ....), and no luck. Grepping the source code for "maintain_connection" and "requireClientAuthScheme" returns nothing, so where are these params even defined? I've tried both 3.4.3 and 3.3.5, with no luck! – Makeup
Try setting the system property zookeeper.allowSaslFailedClients=false on the server. This is the patch that was committed to add sasl: issues.apache.org/jira/secure/attachment/12490160/… – Pennebaker
@Pennebaker Broken link. – Splasher
@Pennebaker This is actually not true. Reading through the code you can see that requireClientAuthScheme=sasl is not even read if you put it in the configuration. There is even a jira ticket for this: issues.apache.org/jira/browse/ZOOKEEPER-2668. FYI, I'm also trying to find a way to forbid ticketless (kerberos) connections, so any advice would help. – Pneuma
It seems the situation has changed. FYI issues.apache.org/jira/browse/ZOOKEEPER-1634 - added in 3.6.0, July 24th, 2019. Commit github.com/apache/zookeeper/pull/118/… – Entomo

I had a similar problem and solved it by adding JVM arguments to the env file (ZooKeeper 3.6.3).

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf \
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \
-Dzookeeper.allowSaslFailedClients=false \
-Dzookeeper.sessionRequireClientSASLAuth=true \
"
Salo answered 21/1, 2022 at 3:52 Comment(2)
See "Explaining entirely code-based answers". While this might be technically correct, it doesn't explain why it solves the problem or should be the selected answer. We should educate in addition to helping solve the problem. – Princess
Thank you, @user2888962, it helped me with version 3.8.2. – Winniewinnifred
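The question's original java.env only points the JVM at a JAAS file, which is why an unauthenticated ruby client could still read and create nodes; the 3.6.3 answer above adds the server-side flags that refuse such sessions. The script below is an added example (not code from the question, any answer, or the ZooKeeper project): it parses a conf/java.env without sourcing it and reports whether `-Dzookeeper.sessionRequireClientSASLAuth=true` and `-Dzookeeper.allowSaslFailedClients=false` are both present in JVMFLAGS. Both sample env files are constructed inline for the demo; the flag names are the 3.6.0+ system properties named in that answer.

```shell
#!/bin/sh
# Added example, not code from the question or any answer: audit a ZooKeeper
# conf/java.env and report whether the 3.6.0+ server flags named in the
# ZooKeeper 3.6.3 answer are set so that sessions which never complete SASL
# authentication are refused. The two sample env files are constructed here
# for the demo; point zk_sasl_enforced at a real conf/java.env in practice.

# Print the value of -Dzookeeper.<NAME>=... found in JVMFLAGS of FILE, or nothing.
# The file is parsed, not sourced: java.env legitimately runs commands such as `pwd`.
zk_sasl_flag_value() {
    awk '
        /^export JVMFLAGS=/ { collecting = 1 }
        collecting {
            line = $0
            # A trailing backslash continues the assignment on the next line.
            if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " " }
            else { buf = buf line; collecting = 0 }
        }
        END { print buf }
    ' "$1" \
    | grep -o -- "-Dzookeeper\.$2=[^\" ]*" \
    | head -n 1 \
    | sed 's/^[^=]*=//'
}

# Exit 0 only when both flags are present with their enforcing values.
zk_sasl_enforced() {
    [ "$(zk_sasl_flag_value "$1" sessionRequireClientSASLAuth)" = "true" ] &&
    [ "$(zk_sasl_flag_value "$1" allowSaslFailedClients)" = "false" ]
}

ZK_DEMO_DIR=$(mktemp -d)

# Constructed sample 1: the java.env from the question, JAAS config only.
cat > "$ZK_DEMO_DIR/weak.env" <<'EOF'
export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"
EOF

# Constructed sample 2: the hardened form from the 3.6.3 answer.
cat > "$ZK_DEMO_DIR/hard.env" <<'EOF'
export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf \
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \
-Dzookeeper.allowSaslFailedClients=false \
-Dzookeeper.sessionRequireClientSASLAuth=true \
"
EOF

for f in "$ZK_DEMO_DIR/weak.env" "$ZK_DEMO_DIR/hard.env"; do
    if zk_sasl_enforced "$f"; then
        echo "$f: server will refuse sessions that do not SASL-authenticate"
    else
        echo "$f: unauthenticated sessions are still accepted (only JAAS/authProvider set)"
    fi
done
```

Run it before restarting zkServer after editing conf/java.env; the check only inspects the env file, so a server older than 3.6.0 will ignore the flags even when the script reports them present, as the ZOOKEEPER-1634 comment above notes.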

I had a similar problem years later haha. I hope Zookeeper 3.5 adds a separate and less tricky way to secure a Zookeeper server. Check out my question: Securing Zookeeper

Dunderhead answered 28/8, 2015 at 14:26 Comment(0)