zookeeper.allowSaslFailedClients property


Dominique Gagnon
Hi,

I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup arguments of my three ZooKeeper servers (version 3.4.10 from the Confluent 4.0 bundle) as I want them to drop connections if Kerberos authentication fails. Yet, it seems that it just doesn't work. If I just don't put any "Client" section in our Kafka brokers' JAAS file, the broker logs show that the authentication fails but the connection to the ZooKeeper servers doesn't end.

Also, if I try the kafka-acls command without a JAAS file, it also works even though it shouldn't:

[root@server ~]# kafka-acls --authorizer-properties zookeeper.connect=zookeeper-server:2181 --add --allow-principal User:CLIENT --consumer --topic test1 --group test
[2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/root/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Adding ACLs for resource `Topic:test1`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
        User:CLIENT has Allow permission for operations: Describe from hosts: *

Adding ACLs for resource `Group:test`:
        User:CLIENT has Allow permission for operations: Read from hosts: *
...

I've read that this property only applies to Java clients, but Kafka brokers and the kafka-acls command are Java clients!

Thanks,

Dominique Gagnon

Re: zookeeper.allowSaslFailedClients property

Andor Molnar
Hi Dominique,

Would you please check your ZooKeeper logs, because whenever ZK closes a
client connection due to SASL authentication failure, it adds the following
message to the logs:

LOG.warn("Closing client connection due to SASL authentication failure.");

On the other hand, if the connection is accepted even if SASL auth failed,
you should see the following message:

LOG.warn("Maintaining client connection despite SASL authentication failure.");

If neither of these messages can be seen in the ZK logs, then you're probably
facing another problem.

Regards,
Andor



On Thu, Feb 1, 2018 at 8:08 PM, Dominique Gagnon <
[hidden email]> wrote:

> Hi,
>
> I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup
> arguments of my three ZooKeeper servers (version 3.4.10 from the Confluent
> 4.0 bundle) as I want them to drop connections if Kerberos authentication
> fails. Yet, it seems that it just doesn't work. If I just don't put any
> "Client" section in our Kafka brokers' JAAS file, the broker logs show that
> the authentication fails but the connection to the ZooKeeper servers doesn't end.
>
> Also, if I try the kafka-acls command without a JAAS file, it also works
> even though it shouldn't:
>
> [root@server ~]# kafka-acls --authorizer-properties
> zookeeper.connect=zookeeper-server:2181 --add --allow-principal
> User:CLIENT --consumer --topic test1 --group test
> [2018-02-01 10:25:41,730] WARN SASL configuration failed:
> javax.security.auth.login.LoginException: No JAAS configuration section
> named 'Client' was found in specified JAAS configuration file:
> '/root/jaas.conf'. Will continue connection to Zookeeper server without
> SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.
> ClientCnxn)
> Adding ACLs for resource `Topic:test1`:
>         User:CLIENT has Allow permission for operations: Read from hosts: *
>         User:CLIENT has Allow permission for operations: Describe from
> hosts: *
>
> Adding ACLs for resource `Group:test`:
>         User:CLIENT has Allow permission for operations: Read from hosts: *
> ...
>
> I've read that this property only applies to Java clients, but Kafka
> brokers and the kafka-acls command are Java clients!
>
> Thanks,
>
> Dominique Gagnon
>
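As an added example (not code from the thread or from ZooKeeper), here is a small Python check that scans ZooKeeper server log lines for the two messages Andor quotes and reports whether SASL-failed clients are being closed or kept; the log4j layout and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# The two server-side messages ZooKeeper logs after a client's SASL failure
# (quoted in the reply above). Which one appears shows whether
# zookeeper.allowSaslFailedClients=false is actually taking effect.
CLOSED = "Closing client connection due to SASL authentication failure."
MAINTAINED = "Maintaining client connection despite SASL authentication failure."

# Constructed sample lines in an assumed ZooKeeper 3.4 log4j layout (not real thread output).
SAMPLE_ZK_LOG = """\
2018-02-01 10:25:41,001 [myid:1] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /10.0.0.5:51234
2018-02-01 10:25:41,090 [myid:1] - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@1064] - Maintaining client connection despite SASL authentication failure.
2018-02-01 10:26:02,310 [myid:1] - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@1061] - Closing client connection due to SASL authentication failure.
2018-02-01 10:26:05,000 [myid:1] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@673] - Established session 0x1000001 with negotiated timeout 6000 for client /10.0.0.7:51300
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")  # leading log4j timestamp

def classify_line(line):
    """Return ('closed'|'maintained', timestamp) for a SASL-failure line, else None."""
    # Match on the message text itself so a different log layout still classifies.
    if CLOSED in line:
        kind = "closed"
    elif MAINTAINED in line:
        kind = "maintained"
    else:
        return None
    m = TS_RE.match(line)
    return kind, (m.group(1) if m else None)

def audit_sasl_failures(log_text):
    """Count both messages and judge enforcement from the most recent event."""
    # The last event, not the totals, decides: a log spanning a restart with a
    # changed setting then reports the behaviour currently in effect.
    counts = Counter()
    events = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit[0]] += 1
            events.append(hit)
    if not events:
        verdict = "no_sasl_failures_logged"  # neither message: a different problem
    elif events[-1][0] == "closed":
        verdict = "enforced"
    else:
        verdict = "permissive"  # failed clients are being kept
    return {"closed": counts["closed"], "maintained": counts["maintained"],
            "verdict": verdict, "events": events}
```

Feed it the contents of each server's log (for example `audit_sasl_failures(open("zookeeper.log").read())`); a "permissive" verdict means the setting is not dropping failed clients, and "no_sasl_failures_logged" means the failing connections never reached SASL on the server side.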