SASL for Client connections


SASL for Client connections

Harish kumar
Hi,

I have enabled SASL on my Zookeeper, with below configuration.

requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

But I still see that I am able to connect to ZooKeeper even without a
valid Kerberos ticket.
Is there a way to restrict all client connections to only those with a valid
Kerberos ticket?

ZooKeeper version: 3.4.8


Thanks,
Harish

Re: SASL for Client connections

Abraham Fine
Hi Harish-

Currently there is no way to restrict ALL incoming client connections when using SASL.

In ZooKeeper, SASL works on a node by node basis.

Thanks,
Abe

On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:


RE: SASL for Client connections

Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore)
Hi Abe,

We are trying to understand the difference between setting
requireClientAuthScheme=sasl
and
requireClientAuthScheme=all
When a client does not have a valid Kerberos ticket, the behaviour is the same for either of the above settings, whereas we would have expected the client to not be able to connect when requireClientAuthScheme=sasl.
To restrict such connections, should we also set zookeeper.allowSaslFailedClients=false?

Regards
Shirsha

-----Original Message-----
From: Abraham Fine
Sent: Friday, March 9, 2018 12:31 AM
Subject: Re: SASL for Client connections

Re: SASL for Client connections

Abraham Fine
This is related to a long standing bug in our documentation (see: ZOOKEEPER-2668). requireClientAuthScheme does not actually do anything. It is never read by the code.


On Thu, Mar 8, 2018, at 21:40, Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore) wrote:

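
Added example (written by the editor; not code from this thread or from the ZooKeeper project) illustrating Abe's two answers: in 3.4.x SASL is enforced per znode through ACLs, and requireClientAuthScheme is never read, so the only thing that actually stops a client without a Kerberos ticket is an ACL on the data it touches. The connect string, principals, keytab paths and JAAS file locations below are assumptions. The property Shirsha asks about, zookeeper.allowSaslFailedClients, defaults to false and, as I read the 3.4 server code, only decides whether a client whose SASL handshake fails keeps its connection; a client that never starts SASL (no Client section in its JAAS config) is not affected and still gets a session, which is the behaviour the program demonstrates. Later releases added a connection-level switch (zookeeper.sessionRequireClientSASLAuth, from 3.6.0), which does not exist in 3.4.8.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/*
 * Added example, not code from the thread or from the ZooKeeper project.
 *
 * Assumed server setup (hypothetical paths and principals):
 *   zoo.cfg:   authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
 *   JVM flag:  -Djava.security.auth.login.config=/etc/zookeeper/server_jaas.conf
 *   server_jaas.conf:
 *     Server {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true keyTab="/etc/zookeeper/zk.keytab"
 *       principal="zookeeper/zk1.example.com@EXAMPLE.COM";
 *     };
 *
 * Run this program twice against that server:
 *   1) with -Djava.security.auth.login.config=/etc/app/client_jaas.conf whose
 *      Client { ... Krb5LoginModule ... principal="app@EXAMPLE.COM"; } section
 *      makes the 3.4 client negotiate SASL/GSSAPI on connect;
 *   2) with no JAAS config at all, so the client never attempts SASL.
 * Both runs obtain a session; only run 1 can read the protected znode.
 */
public class SaslPerNodeDemo {

    static final String CONNECT_STRING = "zk1.example.com:2181"; // assumed
    static final String PROTECTED_PATH = "/secure";
    static final String APP_PRINCIPAL = "app@EXAMPLE.COM";        // assumed

    /** ACL granting all permissions only to one SASL-authenticated principal. */
    static List<ACL> saslOnlyAcl(String principal) {
        return Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
    }

    /** Open a session; in 3.4 this succeeds with or without a Kerberos ticket. */
    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT_STRING, 30_000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        if (!connected.await(30, TimeUnit.SECONDS)) {
            zk.close();
            throw new IllegalStateException("no session within 30s");
        }
        return zk;
    }

    /**
     * Create the protected znode if absent. CREATE is checked on the parent "/",
     * which keeps its default world:anyone ACL, so even the anonymous run can
     * do this; the sasl ACL then guards the node itself.
     */
    static void ensureProtectedNode(ZooKeeper zk) throws Exception {
        if (zk.exists(PROTECTED_PATH, false) == null) {
            zk.create(PROTECTED_PATH, "secret".getBytes(StandardCharsets.UTF_8),
                    saslOnlyAcl(APP_PRINCIPAL), CreateMode.PERSISTENT);
        }
    }

    /** Try to read the protected znode; returns "OK:<data>" or "NOAUTH". */
    static String readProtected(ZooKeeper zk) throws Exception {
        try {
            byte[] data = zk.getData(PROTECTED_PATH, false, null);
            return "OK:" + new String(data, StandardCharsets.UTF_8);
        } catch (KeeperException.NoAuthException e) {
            // The session exists; the connection just carries no sasl id
            // matching the sasl:app@EXAMPLE.COM entry on the node.
            return "NOAUTH";
        }
    }

    public static void main(String[] args) throws Exception {
        ZooKeeper zk = connect();
        try {
            System.out.println("session 0x" + Long.toHexString(zk.getSessionId())
                    + " established, state " + zk.getState());
            ensureProtectedNode(zk);
            System.out.println("read " + PROTECTED_PATH + " -> " + readProtected(zk));
        } finally {
            zk.close();
        }
    }
}
```

Both runs print an established session; the run without a JAAS Client section gets NOAUTH on /secure, the Kerberos run gets the data. Two caveats follow from the per-node model: the create succeeds anonymously because "/" keeps its default world:anyone:cdrwa ACL, and for the same reason an anonymous client can delete /secure (DELETE is checked on the parent), so a real lockdown has to tighten the ACLs of every ancestor, not just the leaf.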