I have a recent zookeeper build (version=3.4.3-1240972, built on 02/06/2012 10:48 GMT), and am having trouble forcing SASL to be used on all client connections.

Using the local conf/ directory of the release, I have the following configuration (running on Ubuntu 12.04):

conf/zoo.cfg

tickTime=2001
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

conf/jaas.conf

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="1adminsecret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="super"
    password="1adminsecret";
};

conf/java.env

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"

When I connect from the zkCli.sh script, it will auth properly, and changing the jaas.conf file will cause it to not be able to query. This is expected behavior.

However, when I use the ruby "zookeeper" gem, and run (with irb):

require 'zookeeper'
z = Zookeeper.new("localhost:2181")
z.get_children(:path => "/")
z.create(path:'/asdf', data:'test')

it returns results properly. If I'm requiring SASL for login, how come the ruby client is bypassing security? I know it isn't just a read vs. write issue, as I can also create keys.

Marshall Anschutz

3 Answers

3

In conf/zoo.cfg, add the line,

requireClientAuthScheme=sasl

From the Server Configuration section here,

requireClientAuthScheme=sasl is optional: if it is set to any value, it will only allow non-authenticated clients to ping, create session, close session, or sasl-authenticate.

sbridges
  • I added that line, and it's still allowing everything through. And I did shut down the zkServer before changing the config. – Marshall Anschutz Jul 11 '12 at 22:05
  • what happens if you add this to your zoo.cfg: maintain_connection_despite_sasl_failure=false – sbridges Jul 12 '12 at 04:33
  • I've added it there, as well as to the command line (-Dzookeeper. ....), and no luck. Grepping the source code for "maintain_connection", and "requireClientAuthScheme" returns nothing, so where are these params even defined? I've tried both 3.4.3, and 3.3.5, with no luck! – Marshall Anschutz Jul 12 '12 at 16:51
  • try setting the system property zookeeper.allowSaslFailedClients=false on the server. This is the patch that was committed to add sasl https://issues.apache.org/jira/secure/attachment/12490160/ZOOKEEPER-938.patch – sbridges Jul 13 '12 at 04:51
  • 1
    @sbridges Broken link. – Kasisnu Jan 16 '15 at 14:35
  • 1
    @sbridges this is actually not true. Reading through the code you can see that `requireClientAuthScheme=sasl` is not even read if you put it in the configuration. There is even a jira ticket for this: https://issues.apache.org/jira/browse/ZOOKEEPER-2668. FYI I'm also trying to find a way to forbid ticketless (kerberos) connections, so any advice would help – iMajna Jun 29 '19 at 20:43
  • It seems the situation has changed. FYI https://issues.apache.org/jira/browse/ZOOKEEPER-1634 - added in 3.6.0, July 24th, 2019. Commit https://github.com/apache/zookeeper/pull/118/files#diff-81e40b9605f507a4c123d55005fc6dc6R1387 – Antony Stubbs Sep 17 '19 at 15:30
0

I had a similar problem years later haha. I hope Zookeeper 3.5 adds a separate and less tricky way to secure a Zookeeper server. Check out my question: Securing Zookeeper

smuggledPancakes
0

I had a similar problem and solved it by adding JVM arguments to the env file. (ZooKeeper 3.6.3)

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf \
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \
-Dzookeeper.allowSaslFailedClients=false \
-Dzookeeper.sessionRequireClientSASLAuth=true \
"
  • 1
    See "[Explaining entirely code-based answers](https://meta.stackoverflow.com/q/392712/128421)". While this might be technically correct it doesn't explain why it solves the problem or should be the selected answer. We should educate in addition to help solve the problem. – the Tin Man Jan 25 '22 at 22:27
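The thread above ends with two competing recipes: the `requireClientAuthScheme=sasl` line from the first answer (which a later comment, citing ZOOKEEPER-2668, says the server never reads) and the `-Dzookeeper.sessionRequireClientSASLAuth=true` / `-Dzookeeper.allowSaslFailedClients=false` system properties from the last answer. The script below is an added example, not code from any of the posters or from the ZooKeeper project: it parses a `zoo.cfg` and a `JVMFLAGS` string the way they appear in this thread and reports whether unauthenticated sessions would still be accepted. It assumes, as the thread reports, that the two `zookeeper.*` system properties are the effective switches, that `authProvider.N` may come from `zoo.cfg` or from a `-Dzookeeper.authProvider.N` property, and that a bare `requireClientAuthScheme` key enforces nothing. The sample configs it runs against are constructed from the question's `zoo.cfg` and the last answer's `JVMFLAGS`.

```ruby
# Added example (not from the question or any answer): audit a ZooKeeper
# server's zoo.cfg and java.env JVMFLAGS for client SASL enforcement.
#
# Assumptions (labelled): the switches that actually reject unauthenticated
# sessions are the system properties zookeeper.sessionRequireClientSASLAuth
# (ZOOKEEPER-1634, 3.6.0+) and zookeeper.allowSaslFailedClients, passed via
# -D in JVMFLAGS; the zoo.cfg key requireClientAuthScheme is treated as
# ineffective (ZOOKEEPER-2668, as reported in the thread).

# Parse key=value lines from zoo.cfg text; blanks and '#' comments skipped.
def parse_zoo_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    cfg[key.strip] = value.strip
  end
end

# Extract -Dname=value system properties from a JVMFLAGS string, which may be
# wrapped in quotes and continued across lines with a trailing backslash.
def parse_jvm_props(jvmflags)
  flat = jvmflags.gsub(/\\\s*\n/, ' ')
  flat.scan(/-D([^\s=]+)=(\S*)/).each_with_object({}) do |(k, v), props|
    props[k] = v.delete('"')
  end
end

SASL_PROVIDER = 'SASLAuthenticationProvider'

# Returns { enforced: true/false, findings: [...] } for the given config.
def audit_sasl_enforcement(zoo_cfg_text, jvmflags)
  cfg   = parse_zoo_cfg(zoo_cfg_text)
  props = parse_jvm_props(jvmflags)
  findings = []

  provider_registered =
    cfg.any?   { |k, v| k.start_with?('authProvider.') && v.end_with?(SASL_PROVIDER) } ||
    props.any? { |k, v| k.start_with?('zookeeper.authProvider.') && v.end_with?(SASL_PROVIDER) }
  findings << 'no authProvider.N registers SASLAuthenticationProvider' unless provider_registered
  findings << 'java.security.auth.login.config not set; the JAAS Server section will not load' unless props.key?('java.security.auth.login.config')
  findings << 'requireClientAuthScheme is present but not read by the server (ZOOKEEPER-2668); it enforces nothing' if cfg.key?('requireClientAuthScheme')
  findings << 'zookeeper.sessionRequireClientSASLAuth is not true: sessions that never authenticate are still served' unless props['zookeeper.sessionRequireClientSASLAuth'] == 'true'
  findings << 'zookeeper.allowSaslFailedClients is not false: a client whose SASL handshake fails keeps its session' unless props['zookeeper.allowSaslFailedClients'] == 'false'

  { enforced: findings.empty?, findings: findings }
end

# Constructed sample inputs, taken from the question's zoo.cfg and java.env.
BASE_ZOO_CFG = <<~CFG
  tickTime=2001
  initLimit=10
  syncLimit=5
  dataDir=/tmp/zookeeper
  clientPort=2181
  authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
CFG
WEAK_ZOO_CFG  = BASE_ZOO_CFG + "requireClientAuthScheme=sasl\n"   # first answer's suggestion
WEAK_JVMFLAGS = '"-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"'

# Constructed from the last answer's JVMFLAGS (ZooKeeper 3.6.3).
HARDENED_JVMFLAGS = <<~FLAGS
  "-Djava.security.auth.login.config=`pwd`/conf/jaas.conf \\
  -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \\
  -Dzookeeper.allowSaslFailedClients=false \\
  -Dzookeeper.sessionRequireClientSASLAuth=true \\
  "
FLAGS

if __FILE__ == $PROGRAM_NAME
  { 'question config' => [WEAK_ZOO_CFG, WEAK_JVMFLAGS],
    'last answer'     => [BASE_ZOO_CFG, HARDENED_JVMFLAGS] }.each do |label, (cfg, flags)|
    result = audit_sasl_enforcement(cfg, flags)
    puts "#{label}: #{result[:enforced] ? 'client SASL enforced' : 'NOT enforced'}"
    result[:findings].each { |f| puts "  - #{f}" }
  end
end
```

The audit only reasons about configuration text; it does not tell you which server version is running, and on the 3.4.x and 3.3.x releases the question mentions the `zookeeper.sessionRequireClientSASLAuth` property does not exist, so a passing audit is meaningful only on 3.6.0 or later. The one check that is worth running against a live server is the same one the question already describes: open a session without a JAAS `Client` section and confirm that reads and `create` calls are refused rather than served.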