Ella Kurginyan created ZOOKEEPER-3914:
-----------------------------------------

             Summary: Kerberized Zookeeper doesn't drop connection for unauthenticated clients
                 Key: ZOOKEEPER-3914
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3914
             Project: ZooKeeper
          Issue Type: Bug
    Affects Versions: 3.5.6
            Reporter: Ella Kurginyan


my zoo.cfg:

{code:java}
tickTime=2000
initLimit=5
syncLimit=2
dataDir=/var/lib/zookeeper
clientPort=2181
maxClientCnxns=0
autopurge.snapRetainCount=3
autopurge.purgeInterval=24
standaloneEnabled=false
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
zookeeper.allowSaslFailedClients=false
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
server.1=myhost.internal:2888:3888
{code}

zookeeper-env.sh

{code:java}
export JAVA="$JAVA_HOME/bin/java"
export ZOO_LOG4J_PROP="DEBUG, CONSOLE, ROLLINGFILE"
export ZOO_LOG_DIR="/var/log/zookeeper"
export ZOOPIDFILE="/var/run/zookeeper/zookeeper_server.pid"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf"

export CLIENT_JVMFLAGS="$CLIENT_JVMFLAGS -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
{code}

zookeeper_server_jaas.conf
{code:java}
Server {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 keyTab="/tmp/keytabs/zookeeper.keytab"
 principal="zookeeper/myhost.inter...@mydomain.com";
};{code}
zookeeper_client_jaas.conf
{code:java}
Client {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=false
 useTicketCache=true;
};{code}

For an anonymous user it's allowed to connect:
{code:java}
2020-08-17 13:58:18,603 - WARN [main-SendThread(localhost:2181):SaslClientCallbackHandler@60] - Could not login: the Client is being asked for a password, but the ZooKeeper Client code does not currently support obtaining a password from the user. Make sure that the Client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the Client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper Client using the command 'kinit <princ>' (where <princ> is the name of the Client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this Client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it.
2020-08-17 13:58:18,606 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1028] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2020-08-17 13:58:18,653 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@878] - Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session
2020-08-17 13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1001d710bf9003e, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0] ls /
{code}
For a wrong user the connection is dropped:
{code:java}
2020-08-18 16:09:41,628 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x1008b3112ae0004
[zk: localhost:2181(AUTH_FAILED) 0]
[zk: localhost:2181(AUTH_FAILED) 0]
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
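Added example, not part of the report above and not ZooKeeper project code: a standard-library Python probe that reproduces the anonymous `ls /` observation without zkCli or a JAAS configuration. It opens a session while sending no SASL packet at all, then issues getChildren on `/` and reports whether the server accepted the session and answered. The jute framing follows the ZooKeeper client wire protocol (4-byte big-endian length prefix; ConnectRequest; RequestHeader + GetChildrenRequest; ReplyHeader + GetChildrenResponse). The default host and port, the all-zero 16-byte session password, the xid value, the 5-second timeout and the short error-code table are this example's own choices.

```python
"""Probe whether a ZooKeeper server serves a session that never authenticates.
Speaks just enough of the client wire protocol (jute binary encoding behind a
4-byte big-endian length prefix) to open a session without any SASL packet and
then issue getChildren("/"), which is what zkCli's `ls /` does. Example code,
not part of ZooKeeper; standard library only."""
import argparse
import socket
import struct

OP_GET_CHILDREN = 8  # OpCode.getChildren
# KeeperException.Code values this probe names; anything else is shown raw.
ERROR_NAMES = {0: "OK", -101: "NoNode", -102: "NoAuth",
               -112: "SessionExpired", -115: "AuthFailed"}

def _frame(body):
    """Every packet: 4-byte big-endian length, then the jute-encoded body."""
    return struct.pack(">i", len(body)) + body

def encode_connect_request(timeout_ms=30000):
    """ConnectRequest{protocolVersion, lastZxidSeen, timeOut, sessionId, passwd} + readOnly.
    sessionId 0 plus a 16-byte dummy password (zeros, this example's choice) asks
    for a brand-new session."""
    passwd = b"\x00" * 16
    body = struct.pack(">iqiq", 0, 0, timeout_ms, 0)
    body += struct.pack(">i", len(passwd)) + passwd + b"\x00"  # passwd buffer, readOnly=false
    return _frame(body)

def decode_connect_response(payload):
    """ConnectResponse{protocolVersion, timeOut, sessionId, passwd}; sessionId 0 means refused."""
    proto, timeout_ms, session_id = struct.unpack_from(">iiq", payload, 0)
    (plen,) = struct.unpack_from(">i", payload, 16)
    return {"protocol": proto, "timeout_ms": timeout_ms, "session_id": session_id,
            "passwd": payload[20:20 + plen] if plen > 0 else b""}

def encode_get_children(xid, path="/"):
    """RequestHeader{xid, type=getChildren} + GetChildrenRequest{path (ustring), watch=false}."""
    p = path.encode("utf-8")
    body = struct.pack(">ii", xid, OP_GET_CHILDREN) + struct.pack(">i", len(p)) + p + b"\x00"
    return _frame(body)

def decode_get_children_reply(payload):
    """ReplyHeader{xid, zxid, err}; when err == 0 a vector<ustring> of child names follows."""
    xid, zxid, err = struct.unpack_from(">iqi", payload, 0)
    off, children = 16, []
    if err == 0:
        (count,) = struct.unpack_from(">i", payload, off)
        off += 4
        for _ in range(max(count, 0)):  # -1 encodes a null vector
            (slen,) = struct.unpack_from(">i", payload, off)
            children.append(payload[off + 4:off + 4 + slen].decode("utf-8"))
            off += 4 + slen
    return {"xid": xid, "zxid": zxid, "err": err,
            "error_name": ERROR_NAMES.get(err, str(err)), "children": children}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def _recv_frame(sock):
    return _recv_exact(sock, struct.unpack(">i", _recv_exact(sock, 4))[0])

def probe(host, port, timeout=5.0):
    """Open a session with no SASL exchange at all, then try to list the root znode."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_connect_request())
        conn = decode_connect_response(_recv_frame(sock))
        if conn["session_id"] == 0:
            return {"session": False, "reason": "ConnectResponse carried sessionId 0"}
        sock.sendall(encode_get_children(1, "/"))
        return {"session": True, "session_id": conn["session_id"],
                **decode_get_children_reply(_recv_frame(sock))}

def verdict(result):
    """One line; ALLOWED is the behaviour the report above shows for the anonymous client."""
    if result.get("session") and result.get("err") == 0:
        return "ALLOWED: anonymous session %#x listed /: %s" % (result["session_id"], result["children"])
    return "DENIED: %s" % (result.get("reason") or result.get("error_name"))

def main():
    ap = argparse.ArgumentParser(description="ZooKeeper anonymous-session probe")
    ap.add_argument("host", nargs="?", default="localhost")
    ap.add_argument("port", nargs="?", type=int, default=2181)
    args = ap.parse_args()
    try:
        print(verdict(probe(args.host, args.port)))
    except (OSError, struct.error) as exc:  # refused, reset, timed out or closed mid-handshake
        print("DENIED: %s" % exc)

if __name__ == "__main__":
    main()
```

Run it as `python3 zk_anon_probe.py myhost.internal 2181` against the ensemble. A session id plus a child list for `/` is exactly the behaviour the report shows; a refused connection, a ConnectResponse with session id 0, a socket closed during the handshake, or a non-zero error code such as NoAuth (-102) means the server did not serve the unauthenticated client. The probe only exercises the root path; znodes that carry sasl-scheme ACLs would have to be probed separately to see what an anonymous session can actually read there.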