Support Questions

1. CDH version: 5.13.0

2. kerberos: enable

3. with the following configurations enable：

Enable Kerberos Authentication
enableSecurity

Enable Server to Server SASL Authentication
quorum.auth.enableSasl

4. zookeeper server zoo.cfg

tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/dataLog
clientPort=2181
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
server.1=xxxxxx
server.2=xxxxxx
server.3=xxxxxx
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes

A remote zookeeper client connects zookeeper server:

zookeeper-client -server xxxxxx
or
./zkCli.sh -server xxxxxx

Connecting to xxxxxx
2018-09-03 09:55:38,662 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.5-cdh5.13.0--1, built on 10/04/2017 18:05 GMT
2018-09-03 09:55:38,666 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=xxxxxx
2018-09-03 09:55:38,667 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_161
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/usr/share/java/jdk1.8.0_161/jre
2018-09-03 09:55:38,671 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/classes:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-api-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/jline-2.11.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../zookeeper-3.4.5-cdh5.13.0.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../src/java/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../conf:
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=<NA>
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.name=Linux
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.arch=amd64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:os.version=3.10.0-327.el7.x86_64
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.name=root
2018-09-03 09:55:38,672 [myid:] - INFO  [main:Environment@100] - Client environment:user.home=/root
2018-09-03 09:55:38,673 [myid:] - INFO  [main:Environment@100] - Client environment:user.dir=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper/bin
2018-09-03 09:55:38,674 [myid:] - INFO  [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 09:55:38,706 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2018-09-03 09:55:38,797 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: xxxxxx:39556, server: xxxxxx:2181
2018-09-03 09:55:38,806 [myid:] - INFO  [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: xxxxxx(CONNECTED) 0] ls /
[ztest, hiveserver2, zookeeper, znode1, yarn-leader-election, hadoop-ha, rmstore, hive_zookeeper_namespace_hive, hbase, zk_test]

The problem is any remote zookeeper client can connect zookeeper server to read znode without authentication.

Is there any way to force zookeeper client authentication?

I will be grateful for any suggestions.