Thank you for your reply! I followed CDH post, then test two scenes: 1. Authentication success 2018-09-03 16:41:13,168 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxxxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3 Welcome to ZooKeeper! JLine support is enabled [zk: xxxxx(CONNECTING) 0] 2018-09-03 16:41:13,440 [myid:] - INFO [main-SendThread(xxxxx:2181):Login@294] - Client successfully logged in. 2018-09-03 16:41:13,441 [myid:] - INFO [Thread-1:Login$1@128] - TGT refresh thread started. 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@302] - TGT valid starting at: Mon Sep 03 16:40:47 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login@303] - TGT expires: Tue Sep 04 02:40:47 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [Thread-1:Login$1@182] - TGT refresh sleeping until: Tue Sep 04 01:10:18 CST 2018 2018-09-03 16:41:13,445 [myid:] - INFO [main-SendThread(xxxxx:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism. 2018-09-03 16:41:13,452 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxxxx:2181. Will attempt to SASL-authenticate using Login Context section 'Client' 2018-09-03 16:41:13,456 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxxxx:33160, server: xxxxx/xxxxx:2181 2018-09-03 16:41:13,462 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxxx:2181, sessionid = 0x2659d1248f90274, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null WATCHER:: WatchedEvent state:SaslAuthenticated type:None path:null [zk: xxxxx(CONNECTED) 0] getAcl /znode1 'sasl,'zkcli@xxx : cdrwa 2. Authentication failed 2018-09-03 16:38:48,415 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=xxx sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3eb07fd3 Welcome to ZooKeeper! 2018-09-03 16:38:48,436 [myid:] - WARN [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@957] - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/zookeeper/conf/jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: /etc/zookeeper/conf/jaas.conf (No such file or directory) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. 2018-09-03 16:38:48,438 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@975] - Opening socket connection to server xxxxx/xxx:2181 WATCHER:: WatchedEvent state:AuthFailed type:None path:null JLine support is enabled 2018-09-03 16:38:48,500 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@852] - Socket connection established, initiating session, client: /xxx:33021, server: xxxxx/xxx:2181 2018-09-03 16:38:48,506 [myid:] - INFO [main-SendThread(xxxxx:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server xxxxx/xxxx:2181, sessionid = 0x2659d1248f90271, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null [zk: xxx(CONNECTED) 0] getAcl /znode1 'sasl,'zkcli@xxx : cdrwa zookeeper client can still get the znode data if the authentication is failed. Is there any way to check the authentication of session, not the inside znode? ... View more