Cloudera Community
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
kylinearth
user rank
New Contributor

Re: Zookeeper client authentication issuse

by New Contributor in Support Questions
‎09-03-2018 01:50 AM
‎09-03-2018 01:50 AM
Thank you for your reply! I followed CDH post, then test two scenes: 1. Authentication success 2018-09-03 16:41:13,168 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3 Welcome to ZooKeeper! JLine support is enabled [zk: xxxxx(CONNECTING) 0] 2018-09-03 16:41:13,440 [myid:] - INFO [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in. 2018-09-03 16:41:13,441 [myid:] - INFO [Thread-1:Login$1@128] - TGT refresh thread started. 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@302] - TGT valid starting at: Mon Sep 03 16:40:47 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@303] - TGT expires: Tue Sep 04 02:40:47 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login$1@182] - TGT refresh sleeping until: Tue Sep 04 01:10:18 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism. 2018-09-03 16:41:13,452 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client' 2018-09-03 16:41:13,456 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxxxx:33160, server: xxxxx/xxxxx:2181 2018-09-03 16:41:13,462 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null WATCHER:: WatchedEvent state:SaslAuthenticated type:None path:null [zk: xxxxx(CONNECTED) 0] getAcl /znode1 'sasl,'zkcli@xxx : cdrwa 2. Authentication failed 2018-09-03 16:38:48,415 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3 Welcome to ZooKeeper! 2018-09-03 16:38:48,436 [myid:] - WARN [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. 2018-09-03 16:38:48,438 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxx:2181 WATCHER:: WatchedEvent state:AuthFailed type:None path:null JLine support is enabled 2018-09-03 16:38:48,500 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxx:33021, server: xxxxx/xxx:2181 2018-09-03 16:38:48,506 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null [zk: xxx(CONNECTED) 0] getAcl /znode1 'sasl,'zkcli@xxx : cdrwa zookeeper client can still get the znode data if the authentication is failed. Is there any way to check the authentication of session, not the inside znode? ... View more

Zookeeper client authentication issuse

by New Contributor in Support Questions
‎09-02-2018 07:12 PM
‎09-02-2018 07:12 PM
1. CDH version: 5.13.0 2. kerberos: enable 3. with the following configurations enable: Enable Kerberos Authentication enableSecurity Enable Server to Server SASL Authentication quorum.auth.enableSasl 4. zookeeper server zoo.cfg   tickTime=2000 initLimit=10 syncLimit=5 dataDir=/var/lib/zookeeper/data dataLogDir=/var/lib/zookeeper/dataLog clientPort=2181 maxClientCnxns=60 minSessionTimeout=4000 maxSessionTimeout=60000 autopurge.purgeInterval=24 autopurge.snapRetainCount=5 quorum.auth.enableSasl=true quorum.cnxn.threads.size=20 server.1=xxxxxx server.2=xxxxxx server.3=xxxxxx leaderServes=yes authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider kerberos.removeHostFromPrincipal=true kerberos.removeRealmFromPrincipal=true quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST quorum.auth.learnerRequireSasl=true quorum.auth.serverRequireSasl=true skipACL=yes     A remote zookeeper client connects zookeeper server: zookeeper-client -server xxxxxx or ./zkCli.sh -server xxxxxx Connecting to xxxxxx 2018-09-03 09:55:38,662 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=3.4.5-cdh5.13.0--1, built on 10/04/2017 18:05 GMT 2018-09-03 09:55:38,666 [myid:] - INFO [main:Environment@100] - Client environment:host.name=xxxxxx 2018-09-03 09:55:38,667 [myid:] - INFO [main:Environment@100] - Client environment:java.version=1.8.0_161 2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.vendor=Oracle Corporation 2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.home=/usr/share/java/jdk1.8.0_161/jre 2018-09-03 09:55:38,671 [myid:] - INFO [main:Environment@100] - Client environment:java.class.path=/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/classes:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../build/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/slf4j-api-1.7.5.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../lib/jline-2.11.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../zookeeper-3.4.5-cdh5.13.0.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../src/java/lib/*.jar:/opt/cloudera/parcels/CDH/lib/zookeeper/bin/../conf: 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.io.tmpdir=/tmp 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:java.compiler=<NA> 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-327.el7.x86_64 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root 2018-09-03 09:55:38,672 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root 2018-09-03 09:55:38,673 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper/bin 2018-09-03 09:55:38,674 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3 Welcome to ZooKeeper! 2018-09-03 09:55:38,706 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxxx:2181. Will not attempt to authenticate using SASL (unknown error) JLine support is enabled 2018-09-03 09:55:38,797 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: xxxxxx:39556, server: xxxxxx:2181 2018-09-03 09:55:38,806 [myid:] - INFO [main-SendThread(xxxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxxx:2181, sessionid = 0x1659d1248fe0020, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null [zk: xxxxxx(CONNECTED) 0] ls / [ztest, hiveserver2, zookeeper, znode1, yarn-leader-election, hadoop-ha, rmstore, hive_zookeeper_namespace_hive, hbase, zk_test] The problem is any remote zookeeper client can connect zookeeper server to read znode without authentication. Is there any way to force zookeeper client authentication?   I will be grateful for any suggestions.   ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎11-12-2018 12:15 AM
Community Statistics
Member Since ‎09-02-2018 06:21 PM
Last Visited ‎11-12-2018 12:15 AM
Posts 2