09-03-2018 01:50 AM

Thank you for your reply! I followed the CDH post, then tested two scenarios:

1. Authentication success

2018-09-03 16:41:13,168 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
JLine support is enabled
[zk: xxxxx(CONNECTING) 0] 2018-09-03 16:41:13,440 [myid:] - INFO [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in.
2018-09-03 16:41:13,441 [myid:] - INFO [Thread-1:Login$1@128] - TGT refresh thread started.
2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@302] - TGT valid starting at: Mon Sep 03 16:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@303] - TGT expires: Tue Sep 04 02:40:47 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login$1@182] - TGT refresh sleeping until: Tue Sep 04 01:10:18 CST 2018
2018-09-03 16:41:13,445 [myid:] - INFO [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2018-09-03 16:41:13,452 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2018-09-03 16:41:13,456 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxxxx:33160, server: xxxxx/xxxxx:2181
2018-09-03 16:41:13,462 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
WATCHER::
WatchedEvent state:SaslAuthenticated type:None path:null
[zk: xxxxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

2. Authentication failed

2018-09-03 16:38:48,415 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 16:38:48,436 [myid:] - WARN [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
2018-09-03 16:38:48,438 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxx:2181
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
JLine support is enabled
2018-09-03 16:38:48,500 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxx:33021, server: xxxxx/xxx:2181
2018-09-03 16:38:48,506 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: xxx(CONNECTED) 0] getAcl /znode1
'sasl,'zkcli@xxx
: cdrwa

The ZooKeeper client can still get the znode data if authentication fails. Is there any way to check the authentication of the session, not the znode inside?
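The three zkCli transcripts in this thread differ only in their watcher events: a session that completed SASL gets a `SaslAuthenticated` event, a session whose JAAS login failed gets `AuthFailed` and then `SyncConnected` anyway, and a client with no SASL configuration at all gets just `SyncConnected`. That is the only client-side evidence of session authentication there is. The script below is an added example, not code from the post or from ZooKeeper; it classifies a client log excerpt by those markers. The three excerpts are constructed from the logs in this thread with the same masked hostnames, and the field names in the result dict are the example's own.

```python
import re

# Constructed sample input: three zkCli client-log excerpts modeled on the
# sessions shown in the thread (hostnames and realms masked as in the original).
SASL_SUCCESS = """\
2018-09-03 16:41:13,440 [myid:] - INFO [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in.
2018-09-03 16:41:13,445 [myid:] - INFO [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2018-09-03 16:41:13,452 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2018-09-03 16:41:13,462 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
WATCHER::
WatchedEvent state:SaslAuthenticated type:None path:null
"""

JAAS_MISSING = """\
2018-09-03 16:38:48,436 [myid:] - WARN [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2018-09-03 16:38:48,506 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
"""

NO_SASL_ATTEMPT = """\
2018-09-03 09:55:38,706 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error)
2018-09-03 09:55:38,806 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
"""

SESSION_RE = re.compile(r"Session establishment complete .*?sessionid = (0x[0-9a-fA-F]+)")
STATE_RE = re.compile(r"WatchedEvent state:(\w+)")


def classify_session(log_text):
    """Summarise how (or whether) a client session authenticated, from its log.

    The only positive evidence of SASL authentication the client ever sees is
    the SaslAuthenticated watcher event; SyncConnected alone means the server
    accepted the session, authenticated or not.
    """
    info = {
        "session_id": None,
        "session_established": False,
        "sasl_attempted": False,
        "sasl_config_error": False,
        "auth_failed": False,
        "sasl_authenticated": False,
        "verdict": "NO_SESSION",
    }
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            info["session_id"] = m.group(1)
            info["session_established"] = True
        if "Will attempt to SASL-authenticate" in line:
            info["sasl_attempted"] = True
        if ("SASL configuration failed" in line
                or "Will not attempt to authenticate using SASL" in line):
            info["sasl_config_error"] = True
        s = STATE_RE.search(line)
        if s and s.group(1) == "SaslAuthenticated":
            info["sasl_authenticated"] = True
        elif s and s.group(1) == "AuthFailed":
            info["auth_failed"] = True

    if info["sasl_authenticated"]:
        info["verdict"] = "AUTHENTICATED"
    elif info["session_established"]:
        # The server handed out a session without SASL; only znode ACLs now
        # stand between this client and the data tree.
        info["verdict"] = "UNAUTHENTICATED_SESSION"
    return info


if __name__ == "__main__":
    for name, text in (("sasl-success", SASL_SUCCESS),
                       ("jaas-missing", JAAS_MISSING),
                       ("no-sasl", NO_SASL_ATTEMPT)):
        r = classify_session(text)
        print(f"{name}: session={r['session_id']} verdict={r['verdict']}")
```

The same events are delivered to a Java client's `Watcher` as `KeeperState.SaslAuthenticated` and `KeeperState.AuthFailed`, so an application that must only operate as an authenticated principal should wait for `SaslAuthenticated` before issuing requests rather than treating `SyncConnected` as proof of identity. Nothing in the session itself stops the server from serving reads; that is decided by the znode ACLs, and only if the server enforces them.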
09-02-2018 07:12 PM

1. CDH version: 5.13.0
2. Kerberos: enabled
3. With the following configurations enabled:
   Enable Kerberos Authentication (enableSecurity)
   Enable Server to Server SASL Authentication (quorum.auth.enableSasl)
4. ZooKeeper server zoo.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/dataLog
clientPort=2181
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
server.1=xxxxxx
server.2=xxxxxx
server.3=xxxxxx
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes
A remote ZooKeeper client connects to the ZooKeeper server:
zookeeper-client -server xxxxxx
or
./zkCli.sh -server xxxxxx
Connecting to xxxxxx
2018-09-03 09:55:38,662 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=3.4.5-cdh5.13.0--1, built on 10/04/2017 18:05 GMT
2018-09-03 09:55:38,666 [myid:] - INFO [main:Environment@100] - Client environment:host.name=xxxxxx
2018-09-03 09:55:38,667 [myid:] - INFO [main:Environment@100] - Client environment:java.version=1.8.0_161
2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.home=/usr/share/java/jdk1.8.0_161/jre
2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.class.path=/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/classes:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-api-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/jline-2.11.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../zookeeper-3.4.5-cdh5.13.0.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../src/java/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../conf:
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.compiler=<NA>
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-327.el7.x86_64
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root
2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root
2018-09-03 09:55:38,673 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper/bin
2018-09-03 09:55:38,674 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3
Welcome to ZooKeeper!
2018-09-03 09:55:38,706 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2018-09-03 09:55:38,797 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: xxxxxx:39556, server: xxxxxx:2181
2018-09-03 09:55:38,806 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: xxxxxx(CONNECTED) 0] ls /
[ztest, hiveserver2, zookeeper, znode1, yarn-leader-election, hadoop-ha, rmstore, hive_zookeeper_namespace_hive, hbase, zk_test]
The problem is that any remote ZooKeeper client can connect to the ZooKeeper server and read znodes without authentication.
Is there any way to force ZooKeeper client authentication?
I will be grateful for any suggestions.
Labels: Apache Zookeeper, Kerberos
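The zoo.cfg in the question has the setting that explains the behaviour: `skipACL=yes`. ZooKeeper 3.4 exports zoo.cfg keys it does not recognise as `zookeeper.*` Java system properties, so this is the same as `-Dzookeeper.skipACL=yes`, and with it the server skips every ACL check; the `sasl` ACL shown by `getAcl /znode1` is never consulted. The `quorum.auth.*` settings only authenticate server-to-server traffic and say nothing about client sessions. The audit below is an added example (not Cloudera's or ZooKeeper's code) that parses a zoo.cfg and flags these two points; `WEAK_CFG` is constructed from the posted zoo.cfg with the same masked hostnames, `HARDENED_CFG` turns ACL enforcement back on, and the severity labels are the example's own.

```python
# Added example: audit a zoo.cfg for settings that let a session the server
# accepted read the data tree without authenticating. WEAK_CFG is constructed
# from the zoo.cfg in the question (server hostnames masked as there).
WEAK_CFG = """\
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/dataLog
clientPort=2181
maxClientCnxns=60
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
server.1=xxxxxx
server.2=xxxxxx
server.3=xxxxxx
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
skipACL=yes
"""

# Same config with ACL enforcement switched back on.
HARDENED_CFG = WEAK_CFG.replace("skipACL=yes", "skipACL=no")

SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"


def parse_zoo_cfg(text):
    """Parse zoo.cfg key=value lines; '#' starts a comment, later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_zoo_cfg(text):
    """Return (severity, message) findings about client authentication."""
    cfg = parse_zoo_cfg(text)
    findings = []

    # skipACL=yes makes the server skip every ACL check: a 'sasl' ACL on a
    # znode is then never consulted, so whoever gets a session gets the data.
    if cfg.get("skipACL", "no").lower() == "yes":
        findings.append(("HIGH", "skipACL=yes: ACL checks are disabled; znode "
                         "ACLs such as sasl:<principal>:cdrwa are not enforced"))

    # Without the SASL auth provider the server cannot match 'sasl' ACLs at
    # all, even for clients that present a valid Kerberos ticket.
    providers = [v for k, v in cfg.items() if k.startswith("authProvider.")]
    if SASL_PROVIDER not in providers:
        findings.append(("HIGH", "no authProvider.N=" + SASL_PROVIDER +
                         ": 'sasl' ACLs can never match a client"))

    # quorum.auth.* only covers server-to-server (learner/leader) traffic;
    # it is easy to mistake it for a client-side requirement.
    if cfg.get("quorum.auth.enableSasl", "false").lower() == "true":
        findings.append(("INFO", "quorum.auth.* authenticates only quorum "
                         "peers; client sessions are still accepted without SASL"))
    return findings


def high_findings(text):
    """Just the HIGH-severity messages, for quick pass/fail checks."""
    return [msg for sev, msg in audit_zoo_cfg(text) if sev == "HIGH"]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name)
        for sev, msg in audit_zoo_cfg(text):
            print(f"  [{sev}] {msg}")
```

Even with `skipACL=no`, ZooKeeper 3.4.5 accepts sessions that never authenticate; what an unauthenticated session can then do is limited only by the ACLs on each znode, so anything left at `world:anyone:cdrwa` stays readable. A server-side switch that rejects sessions without SASL, `zookeeper.sessionRequireClientSASLAuth=true` (a Java system property), was added in ZooKeeper 3.6.0 and does not exist in the 3.4 line used here.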