New Contributor
Posts: 2
Registered: 09-02-2018

Zookeeper client authentication issue


1. CDH version: 5.13.0

2. kerberos: enable

3. with the following configurations enabled:

Enable Kerberos Authentication
enableSecurity

Enable Server to Server SASL Authentication
quorum.auth.enableSasl

4. zookeeper server zoo.cfg

tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/dataLog
clientPort=2181
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
server.1=xxxxxx
server.2=xxxxxx
server.3=xxxxxx
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes

A remote zookeeper client connects to the zookeeper server:

zookeeper-client -server xxxxxx
or
./zkCli.sh -server xxxxxx

Connecting to xxxxxx
2018-09-03 09:55:38,662 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.5-cdh5.13.0--1, built on 10/04/2017 18:05 GMT
2018-09-03 09:55:38,666 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=xxxxxx
2018-09-03 09:55:38,667 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_161
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/usr/share/java/jdk1.8.0_161/jre
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/classes:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-api-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/jline-2.11.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../zookeeper-3.4.5-cdh5.13.0.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../src/java/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../conf:
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=<NA>
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.name=Linux
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.arch=amd64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.version=3.10.0-327.el7.x86_64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.name=root
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.home=/root
2018-09-03 09:55:38,673 [myid:] - INFO  [main:Environment@100] - Client environment:user.dir=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper/bin
2018-09-03 09:55:38,674 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 09:55:38,706 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2018-09-03 09:55:38,797 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: xxxxxx:39556, server: xxxxxx:2181
2018-09-03 09:55:38,806 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: xxxxxx(CONNECTED) 0] ls /
[ztest, hiveserver2, zookeeper, znode1, yarn-leader-election, hadoop-ha, rmstore, hive_zookeeper_namespace_hive, hbase, zk_test]

The problem is that any remote zookeeper client can connect to the zookeeper server and read znodes without authentication.

Is there any way to force zookeeper client authentication?

I will be grateful for any suggestions.

Master
Posts: 402
Registered: 07-01-2015

Re: Zookeeper client authentication issue

As far as I understand the docs, zookeeper is "open", and if you want to create something "protected" you have to do it explicitly.

Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.

create /znode1 znode1data sasl:zkcli@{{YOUR-REALM}}:cdwra

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_zookeeper_security.html
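To make the answer's point concrete: ZooKeeper authorizes per znode, and a znode created without an explicit ACL gets world:anyone:cdrwa, so a client that never did SASL is simply an anonymous session that those default ACLs allow. The example below is added here and is not code from this thread, from Cloudera or from ZooKeeper; it models the ACL semantics offline so it runs without an ensemble. It parses zkCli-style scheme:id:perms strings, computes what an anonymous session may do on each znode of a constructed tree (paths taken from the ls / output in the first post; the ACLs and the realm EXAMPLE.COM are assumptions), and builds the sasl-only ACL the answer recommends. Two caveats for anyone reproducing this on the cluster from the first post: the posted zoo.cfg carries skipACL=yes, and a ZooKeeper server running with skipACL on enforces no ACLs at all, so a sasl ACL on /znode1 protects nothing until that setting is turned off; and the decisive check from an unauthenticated client is get /znode1, since getAcl returning the ACL does not by itself show that the data was readable.

```python
"""Audit ZooKeeper znode ACLs for what an unauthenticated session may do.

Added example for this thread; not code from the post, from Cloudera or from
ZooKeeper. SAMPLE_TREE is constructed (paths from the thread, ACLs assumed).
"""
from dataclasses import dataclass

# Permission bits as in org.apache.zookeeper.ZooDefs.Perms; zkCli prints them as "cdrwa".
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
PERM_ORDER = "cdrwa"
ALL_PERMS = 31


@dataclass(frozen=True)
class Acl:
    scheme: str  # "world", "sasl", "digest", "ip", "auth"
    id: str      # "anyone", a Kerberos principal, "user:hash", a CIDR ...
    perms: int   # bitmask over PERM_BITS


def parse_perms(text: str) -> int:
    """'cdwra' (any order, as zkCli accepts it) -> bitmask; unknown letters are rejected."""
    mask = 0
    for ch in text:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission {ch!r} in {text!r}")
        mask |= PERM_BITS[ch]
    return mask


def format_perms(mask: int) -> str:
    """Bitmask -> the canonical 'cdrwa' string zkCli prints."""
    return "".join(ch for ch in PERM_ORDER if mask & PERM_BITS[ch])


def parse_acl(text: str) -> Acl:
    """Parse the 'scheme:id:perms' form used by zkCli create/setAcl."""
    scheme, _, rest = text.partition(":")
    ident, _, perms = rest.rpartition(":")
    if not scheme or not ident or not perms:
        raise ValueError(f"malformed ACL {text!r}")
    return Acl(scheme, ident, parse_perms(perms))


# ZooKeeper's default ACL for new znodes (ZooDefs.Ids.OPEN_ACL_UNSAFE).
OPEN_ACL_UNSAFE = (Acl("world", "anyone", ALL_PERMS),)


def anonymous_perms(acls) -> int:
    """Permissions a session carrying no authentication info gets from an ACL list.

    Only world:anyone entries apply; sasl/digest/auth entries require a matching
    authenticated id. ip-scheme entries (matched on source address) are
    deliberately not modelled here.
    """
    mask = 0
    for acl in acls:
        if acl.scheme == "world" and acl.id == "anyone":
            mask |= acl.perms
    return mask


def hardened_acl(principal: str, world_read: bool = False):
    """ACL list: everything for one SASL principal, nothing (or read only) for anyone else."""
    acls = [Acl("sasl", principal, ALL_PERMS)]
    if world_read:
        acls.append(Acl("world", "anyone", PERM_BITS["r"]))
    return acls


def audit(tree: dict, skip_acl: bool = False) -> dict:
    """Map each znode an unauthenticated client can touch to the perms it gets.

    skip_acl mirrors ZooKeeper's skipACL setting: with it on, the server checks
    no ACL at all, so every znode behaves as world:anyone:cdrwa whatever is stored.
    """
    findings = {}
    for path, acls in sorted(tree.items()):
        mask = ALL_PERMS if skip_acl else anonymous_perms(acls)
        if mask:
            findings[path] = format_perms(mask)
    return findings


SAMPLE_TREE = {  # constructed for this example; the realm and the ACLs are assumptions
    "/": OPEN_ACL_UNSAFE,
    "/zookeeper": OPEN_ACL_UNSAFE,
    "/hadoop-ha": OPEN_ACL_UNSAFE,
    "/znode1": [parse_acl("sasl:zkcli@EXAMPLE.COM:cdwra")],
    "/hbase": hardened_acl("hbase", world_read=True),
}

if __name__ == "__main__":
    for path, perms in audit(SAMPLE_TREE).items():
        print(f"{path}: unauthenticated clients get {perms}")
    print("with skipACL=yes:", audit(SAMPLE_TREE, skip_acl=True))
```

To run this against a real ensemble, replace SAMPLE_TREE with the ACL list returned for each path by a client library (for example kazoo's get_acls), keeping the same scheme/id/perms fields; the findings dict then lists exactly the znodes an anonymous session can read or modify.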

New Contributor
Posts: 2
Registered: 09-02-2018

Re: Zookeeper client authentication issue


Thank you for your reply!

I followed the CDH post, then tested two scenarios:

1. Authentication success

2018-09-03 16:41:13,168 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
JLine support is enabled
[zk: xxxxx(CONNECTING) 0] 2018-09-03 16:41:13,440 [myid:] - INFO  [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in.
2018-09-03 16:41:13,441 [myid:] - INFO  [Thread-1:Login$1@128] - TGT refresh thread started.
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login@302] - TGT valid starting at:        Mon Sep 03 16:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login@303] - TGT expires:                  Tue Sep 04 02:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login$1@182] - TGT refresh sleeping until: Tue Sep 04 01:10:18 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2018-09-03 16:41:13,452 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2018-09-03 16:41:13,456 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxxxx:33160, server: xxxxx/xxxxx:2181
2018-09-03 16:41:13,462 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null

WATCHER::

WatchedEvent state:SaslAuthenticated type:None path:null

[zk: xxxxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

2. Authentication failed

2018-09-03 16:38:48,415 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 16:38:48,436 [myid:] - WARN  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
2018-09-03 16:38:48,438 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxx:2181

WATCHER::

WatchedEvent state:AuthFailed type:None path:null
JLine support is enabled
2018-09-03 16:38:48,500 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxx:33021, server: xxxxx/xxx:2181
2018-09-03 16:38:48,506 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: xxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

The zookeeper client can still get the znode data if the authentication failed.

Is there any way to check the authentication of the session, not of the znodes inside?
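On the question of checking the session rather than the znode: in the ZooKeeper 3.4 client the signal that a session really authenticated is the SaslAuthenticated watcher state (visible in scenario 1 above); SyncConnected arrives in both scenarios and says nothing about authentication, and the server in this release has no switch to refuse sessions that skipped SASL (later ZooKeeper releases added zookeeper.sessionRequireClientSASLAuth for that). The example below is added here and is not code from this thread or from ZooKeeper. It applies that rule to client log lines: it splits a log into connections and reports, per session id, whether SaslAuthenticated was seen or which skip/failure marker explains its absence. SAMPLE_LOG is abridged from the three connections shown in this thread with the hosts replaced by the placeholder zk1.example.com; the marker-to-reason wording is this example's own.

```python
"""Tell from a ZooKeeper client's own log whether its session actually authenticated.

Added example for this thread; not code from the post or from ZooKeeper.
SAMPLE_LOG is abridged from the thread (hosts replaced by a placeholder).
"""
import re

SESSION_RE = re.compile(r"sessionid = (0x[0-9a-fA-F]+)")
STATE_RE = re.compile(r"WatchedEvent state:(\w+)")
NEW_CONNECTION = "Initiating client connection"

# Client log phrases (ClientCnxn) meaning SASL was skipped or broke; reason text is ours.
NO_SASL_MARKERS = {
    "Will not attempt to authenticate using SASL": "client did not attempt SASL",
    "SASL configuration failed": "JAAS login failed",
}


def classify_session(lines):
    """Fold one connection's log lines into a verdict dict.

    authenticated is True only if a SaslAuthenticated watcher state was seen
    and no AuthFailed state was; everything else counts as unauthenticated.
    """
    verdict = {"session": None, "authenticated": False, "states": [], "reason": ""}
    marker_reason = ""
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            verdict["session"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            verdict["states"].append(m.group(1))
        for marker, why in NO_SASL_MARKERS.items():
            if marker in line:
                marker_reason = why
    states = verdict["states"]
    if "SaslAuthenticated" in states and "AuthFailed" not in states:
        verdict["authenticated"] = True
        verdict["reason"] = "SaslAuthenticated event seen"
    elif "AuthFailed" in states:
        verdict["reason"] = "AuthFailed event: " + (marker_reason or "SASL negotiation failed")
    else:
        verdict["reason"] = marker_reason or "no SaslAuthenticated event"
    return verdict


def split_connections(log_text: str):
    """Split a client log into per-connection chunks at each 'Initiating client connection'.

    Approximation: the 'Client environment' banner printed before that line is
    attached to the previous chunk, which does not affect the verdict.
    """
    chunks, current = [], []
    for line in log_text.splitlines():
        if NEW_CONNECTION in line and current:
            chunks.append(current)
            current = []
        current.append(line)
    if current:
        chunks.append(current)
    return chunks


def report(log_text: str):
    """One verdict per connection; the unauthenticated ones are what an operator chases."""
    return [classify_session(chunk) for chunk in split_connections(log_text)]


SAMPLE_LOG = """\
2018-09-03 09:55:38,674 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=zk1.example.com sessionTimeout=30000
2018-09-03 09:55:38,706 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@975] - Opening socket connection to server zk1.example.com:2181. Will not attempt to authenticate using SASL (unknown error)
2018-09-03 09:55:38,806 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server zk1.example.com:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000
WatchedEvent state:SyncConnected type:None path:null
2018-09-03 16:41:13,168 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=zk1.example.com sessionTimeout=30000
2018-09-03 16:41:13,440 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):Login@294] - Client successfully logged in.
2018-09-03 16:41:13,452 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@975] - Opening socket connection to server zk1.example.com/10.0.0.11:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2018-09-03 16:41:13,462 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server zk1.example.com/10.0.0.11:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000
WatchedEvent state:SyncConnected type:None path:null
WatchedEvent state:SaslAuthenticated type:None path:null
2018-09-03 16:38:48,415 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=zk1.example.com sessionTimeout=30000
2018-09-03 16:38:48,436 [myid:] - WARN  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
WatchedEvent state:AuthFailed type:None path:null
2018-09-03 16:38:48,506 [myid:] - INFO  [main-SendThread(zk1.example.com:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server zk1.example.com/10.0.0.11:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000
WatchedEvent state:SyncConnected type:None path:null
"""

if __name__ == "__main__":
    for v in report(SAMPLE_LOG):
        flag = "OK  " if v["authenticated"] else "FAIL"
        print(f"{flag} session={v['session']} {v['reason']}")
```

The same rule belongs in application code: a service that must talk to ZooKeeper authenticated should wait for the SaslAuthenticated watcher state after connecting and treat AuthFailed, or a connection that never reaches SaslAuthenticated, as a hard error rather than continuing with the anonymous session the 3.4 client silently falls back to.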
