
ZooKeeper client authentication issue

New Contributor

1. CDH version: 5.13.0

2. kerberos: enable

3. with the following configurations enabled:

Enable Kerberos Authentication (enableSecurity)

Enable Server to Server SASL Authentication (quorum.auth.enableSasl)

4. ZooKeeper server zoo.cfg:

tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/dataLog
clientPort=2181
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
server.1=xxxxxx
server.2=xxxxxx
server.3=xxxxxx
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes

A remote ZooKeeper client connects to the ZooKeeper server:

zookeeper-client -server xxxxxx
or
./zkCli.sh -server xxxxxx

Connecting to xxxxxx
2018-09-03 09:55:38,662 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.5-cdh5.13.0--1, built on 10/04/2017 18:05 GMT
2018-09-03 09:55:38,666 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=xxxxxx
2018-09-03 09:55:38,667 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_161
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/usr/share/java/jdk1.8.0_161/jre
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/classes:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-api-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/jline-2.11.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../zookeeper-3.4.5-cdh5.13.0.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../src/java/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../conf:
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=<NA>
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.name=Linux
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.arch=amd64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.version=3.10.0-327.el7.x86_64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.name=root
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.home=/root
2018-09-03 09:55:38,673 [myid:] - INFO  [main:Environment@100] - Client environment:user.dir=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper/bin
2018-09-03 09:55:38,674 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 09:55:38,706 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2018-09-03 09:55:38,797 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: xxxxxx:39556, server: xxxxxx:2181
2018-09-03 09:55:38,806 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: xxxxxx(CONNECTED) 0] ls /
[ztest, hiveserver2, zookeeper, znode1, yarn-leader-election, hadoop-ha, rmstore, hive_zookeeper_namespace_hive, hbase, zk_test]

The problem is that any remote ZooKeeper client can connect to the ZooKeeper server and read znodes without authentication.

Is there any way to force zookeeper client authentication?

I will be grateful for any suggestions.
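As an added example (not code from the thread or from CDH), here is a small Python audit of the zoo.cfg format shown above. The sample config is constructed from the question's own lines, and the findings rely on the documented meaning of the keys: a SASL authProvider lets clients authenticate but does not force them to, the quorum.auth.* keys govern peer authentication, kerberos.removeRealmFromPrincipal changes the id that sasl: ACL entries must name, and skipACL=yes makes the server skip ACL checks entirely.

```python
"""Audit a ZooKeeper zoo.cfg for its client-authentication posture."""

# Constructed sample: the authentication-relevant lines of the zoo.cfg in the question.
SAMPLE_ZOO_CFG = """\
clientPort=2181
quorum.auth.enableSasl=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes
"""

def parse_zoo_cfg(text):
    """Parse zoo.cfg key=value lines into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def is_true(cfg, key, default="false"):
    """zoo.cfg booleans appear as true/false or yes/no."""
    return cfg.get(key, default).strip().lower() in ("true", "yes")

def audit(cfg):
    """Return (severity, message) findings, most severe first."""
    findings = []
    has_sasl = any(k.startswith("authProvider.") and v.endswith("SASLAuthenticationProvider")
                   for k, v in cfg.items())
    if not has_sasl:
        findings.append(("HIGH", "no SASLAuthenticationProvider: clients cannot authenticate at all"))
    if is_true(cfg, "skipACL", "no"):
        findings.append(("CRITICAL", "skipACL=yes: ACL checks are skipped, so every session has "
                                     "full access regardless of authentication"))
    if not is_true(cfg, "quorum.auth.enableSasl"):
        findings.append(("MEDIUM", "quorum.auth.enableSasl is off: peers do not authenticate each other"))
    for key in ("quorum.auth.learnerRequireSasl", "quorum.auth.serverRequireSasl"):
        if not is_true(cfg, key):
            findings.append(("MEDIUM", f"{key} is off: unauthenticated peers are still accepted"))
    if is_true(cfg, "kerberos.removeRealmFromPrincipal"):
        findings.append(("INFO", "realm is stripped from SASL ids: sasl: ACL entries must use the "
                                 "short name (sasl:zkcli:...), not sasl:zkcli@REALM:..."))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, msg in audit(parse_zoo_cfg(SAMPLE_ZOO_CFG)):
        print(f"{sev:8} {msg}")
```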

Re: ZooKeeper client authentication issue

Master Collaborator

As far as I understand the docs, ZooKeeper is "open", and if you want to create something "protected" you have to do it explicitly.

Create a protected znode from within the ZooKeeper CLI. Make sure that you substitute YOUR-REALM as appropriate.

create /znode1 znode1data sasl:zkcli@{{YOUR-REALM}}:cdwra

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_zookeeper_security.html

Re: ZooKeeper client authentication issue

New Contributor

Thank you for your reply!

I followed the CDH post, then tested two scenarios:

1. Authentication success

2018-09-03 16:41:13,168 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
JLine support is enabled
[zk: xxxxx(CONNECTING) 0] 2018-09-03 16:41:13,440 [myid:] - INFO  [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in.
2018-09-03 16:41:13,441 [myid:] - INFO  [Thread-1:Login$1@128] - TGT refresh thread started.
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login@302] - TGT valid starting at:        Mon Sep 03 16:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login@303] - TGT expires:                  Tue Sep 04 02:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [Thread-1:Login$1@182] - TGT refresh sleeping until: Tue Sep 04 01:10:18 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO  [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2018-09-03 16:41:13,452 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2018-09-03 16:41:13,456 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxxxx:33160, server: xxxxx/xxxxx:2181
2018-09-03 16:41:13,462 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null

WATCHER::

WatchedEvent state:SaslAuthenticated type:None path:null

[zk: xxxxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

2. Authentication failed

2018-09-03 16:38:48,415 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 16:38:48,436 [myid:] - WARN  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
2018-09-03 16:38:48,438 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxx:2181

WATCHER::

WatchedEvent state:AuthFailed type:None path:null
JLine support is enabled
2018-09-03 16:38:48,500 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxx:33021, server: xxxxx/xxx:2181
2018-09-03 16:38:48,506 [myid:] - INFO  [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: xxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

The ZooKeeper client can still get the znode data if the authentication failed.

Is there any way to check the authentication of the session, rather than of the znode inside?
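To illustrate the per-znode model the replies above rely on, here is an added Python example (not from the thread) that re-implements, in simplified form, how ZooKeeper matches a session's auth ids against a znode's ACL entries: every session carries world:anyone, a SASL-authenticated session also carries sasl:<id> where the id is the principal after the kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal stripping configured in the question's zoo.cfg, and skipACL=yes bypasses the check altogether. The realm and principal names are constructed; the ACL form follows the first reply's create command.

```python
"""Simplified model of ZooKeeper's per-znode ACL check."""

# ZooKeeper permission bits, as spelled in ACL strings such as sasl:zkcli@REALM:cdrwa
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}

def parse_acl(acl_str):
    """'scheme:id:perms' -> (scheme, id, permission bitmask).
    The id may itself contain ':' (digest ids do), so split the perms off from the right."""
    scheme, rest = acl_str.split(":", 1)
    ident, letters = rest.rsplit(":", 1)
    bits = 0
    for ch in letters:
        bits |= PERMS[ch]
    return scheme, ident, bits

def session_ids(sasl_principal=None, remove_host=False, remove_realm=False):
    """Auth ids attached to a session. Every session has world:anyone; a
    SASL-authenticated one also gets sasl:<id>, where <id> is the Kerberos
    principal shortened the way kerberos.removeHostFromPrincipal and
    kerberos.removeRealmFromPrincipal shorten it on the server."""
    ids = [("world", "anyone")]
    if sasl_principal:
        name, _, realm = sasl_principal.partition("@")
        if remove_host:
            name = name.split("/", 1)[0]          # zkcli/host -> zkcli
        ident = name if (remove_realm or not realm) else f"{name}@{realm}"
        ids.append(("sasl", ident))
    return ids

def check_acl(acls, ids, perm, skip_acl=False):
    """True if the request is allowed: some ACL entry carrying the requested
    permission matches one of the session's ids."""
    if skip_acl:
        return True   # skipACL=yes: the server never consults the ACL at all
    need = PERMS[perm]
    for scheme, ident, bits in (parse_acl(a) for a in acls):
        if bits & need and (scheme, ident) in ids:
            return True
    return False

if __name__ == "__main__":
    protected = ["sasl:zkcli@EXAMPLE.COM:cdrwa"]   # constructed realm
    print("anonymous ls /       :", check_acl(["world:anyone:cdrwa"], session_ids(), "r"))
    print("anonymous get /znode1:", check_acl(protected, session_ids(), "r"))
    print("zkcli@REALM get      :", check_acl(protected, session_ids("zkcli@EXAMPLE.COM"), "r"))
    print("realm stripped, get  :", check_acl(protected, session_ids("zkcli@EXAMPLE.COM", remove_realm=True), "r"))
    print("skipACL=yes, get     :", check_acl(protected, session_ids(), "r", skip_acl=True))
```

The fourth case is the one to watch when following the first reply: with kerberos.removeRealmFromPrincipal=true the session id is the short name, so an entry written as sasl:zkcli@REALM:... never matches and the ACL must be created as sasl:zkcli:... instead.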