ZOOKEEPER-3914

Kerberized Zookeeper doesn't drop connection for unauthenticated clients


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.5.6
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      My zoo.cfg:

      tickTime=2000
      initLimit=5
      syncLimit=2
      dataDir=/var/lib/zookeeper
      clientPort=2181
      maxClientCnxns=0
      autopurge.snapRetainCount=3
      autopurge.purgeInterval=24
      standaloneEnabled=false
      authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      zookeeper.allowSaslFailedClients=false
      jaasLoginRenew=3600000
      kerberos.removeHostFromPrincipal=true
      kerberos.removeRealmFromPrincipal=true
      server.1=myhost.internal:2888:3888

      zookeeper-env.sh 

      export JAVA="$JAVA_HOME/bin/java"
      export ZOO_LOG4J_PROP="DEBUG, CONSOLE, ROLLINGFILE"
      export ZOO_LOG_DIR="/var/log/zookeeper"
      export ZOOPIDFILE="/var/run/zookeeper/zookeeper_server.pid"
      export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf"
      
      export CLIENT_JVMFLAGS="$CLIENT_JVMFLAGS -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"

      zookeeper_server_jaas.conf:

      Server {
       com.sun.security.auth.module.Krb5LoginModule required
       doNotPrompt=true
       useKeyTab=true
       storeKey=true
       useTicketCache=false
       keyTab="/tmp/keytabs/zookeeper.keytab"
       principal="zookeeper/myhost.internal@MYDOMAIN.COM";
      };

      zookeeper_client_jaas.conf:

      Client {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=false
       useTicketCache=true;
      };

      For an anonymous user, it's allowed to connect:

      2020-08-17 13:58:18,603 - WARN [main-SendThread(localhost:2181):SaslClientCallbackHandler@60] - Could not login: the Client is being asked for a password, but the ZooKeeper Client code does not currently support obtaining a password from the user. Make sure that the Client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the Client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper Client using the command 'kinit <princ>' (where <princ> is the name of the Client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this Client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
      2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it.
      2020-08-17 13:58:18,606 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1028] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181
      WATCHER::
      WatchedEvent state:AuthFailed type:None path:null
      2020-08-17 13:58:18,653 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@878] - Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session
      2020-08-17 13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1001d710bf9003e, negotiated timeout = 30000
      WATCHER::
      WatchedEvent state:SyncConnected type:None path:null
      [zk: localhost:2181(CONNECTED) 0] ls /

      For a wrong user, the connection is dropped:

      2020-08-18 16:09:41,628 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
      2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
      WATCHER::
      WatchedEvent state:AuthFailed type:None path:null
      2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x1008b3112ae0004
      [zk: localhost:2181(AUTH_FAILED) 0]
      [zk: localhost:2181(AUTH_FAILED) 0]
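A client-side detection check, added here as an example and not part of this report or of ZooKeeper itself: it splits a zkCli client log of the run-together form pasted above into records and tells apart the two outcomes the report shows, a client that announced it would skip SASL and still got a session, and a client whose SASL exchange was rejected and went to AUTH_FAILED. The two sample logs are constructed from the excerpts above with the messages trimmed; the record regex assumes the log4j layout those excerpts use, and a log without a "Session establishment complete" record is reported as having no session. Two caveats worth having next to the config above: the ZooKeeper admin guide documents zookeeper.allowSaslFailedClients as a Java system property (set through SERVER_JVMFLAGS), not a zoo.cfg key, and by its documented purpose it only governs clients whose SASL exchange fails, not a client that never sends a SASL token at all, which is what the anonymous case here is. Rejecting sessions from clients that never complete SASL is what the 3.6 admin guide's zookeeper.sessionRequireClientSASLAuth property is for.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the two zkCli excerpts in this report
# (messages trimmed; timestamps, thread names and session ids kept as posted).
ANONYMOUS_CLIENT_LOG = (
    "2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - "
    "SASL configuration failed: javax.security.auth.login.LoginException: No password provided "
    "Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it. "
    "2020-08-17 13:58:18,606 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1028] - "
    "Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181 "
    "WATCHER:: WatchedEvent state:AuthFailed type:None path:null "
    "2020-08-17 13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - "
    "Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, "
    "sessionid = 0x1001d710bf9003e, negotiated timeout = 30000"
)

WRONG_USER_CLIENT_LOG = (
    "2020-08-18 16:09:41,628 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@341] - "
    "An error: (javax.security.sasl.SaslException: GSS initiate failed) occurred when evaluating "
    "Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. "
    "2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - "
    "SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: GSS initiate failed "
    "2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - "
    "EventThread shut down for session: 0x1008b3112ae0004"
)

# Assumed log4j layout, taken from the excerpts: "<date> <time,ms> [myid:...]? - LEVEL [thread] - message".
TIMESTAMP_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?:\[myid:[^\]]*\] )?- "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$",
    re.S,
)
# Markers taken verbatim from the client messages in the report.
SKIPPED_SASL = "without SASL authentication"
SASL_FAILED = "SASL authentication with Zookeeper Quorum member failed"
SESSION_OK = re.compile(r"Session establishment complete on server \S+, sessionid = (0x[0-9a-f]+)")


@dataclass
class Record:
    ts: str
    level: str
    thread: str
    msg: str


@dataclass
class Verdict:
    kind: str                  # one of the four kinds documented on classify()
    session_id: Optional[str]


def split_records(text: str) -> List[Record]:
    """Split a run-together client log into records, one per timestamp.

    Non-record output (zkCli's WATCHER:: lines) stays attached to the
    preceding record's message; fragments that do not parse are dropped.
    """
    records = []
    for chunk in TIMESTAMP_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = RECORD.match(chunk)
        if m:
            records.append(Record(m["ts"], m["level"], m["thread"], m["msg"].strip()))
    return records


def classify(text: str) -> Verdict:
    """Decide how a client session ended with respect to SASL.

    UNAUTHENTICATED_SESSION: the client said it would skip SASL and a session
        was still established afterwards (the report's anonymous case).
    SASL_FAILED: a SASL exchange was attempted and rejected; the client goes
        to AUTH_FAILED (the report's wrong-user case).
    SESSION: a session was established and neither marker appeared.
    NO_SESSION: no "Session establishment complete" record at all.
    """
    skipped_at = None
    session = None
    sasl_failed = False
    for i, r in enumerate(split_records(text)):
        if skipped_at is None and SKIPPED_SASL in r.msg:
            skipped_at = i
        if SASL_FAILED in r.msg:
            sasl_failed = True
        m = SESSION_OK.search(r.msg)
        if m:
            session = (i, m.group(1))
    # Order matters: the skip warning must precede the session, otherwise it
    # belongs to a later reconnect attempt rather than to this session.
    if session is not None and skipped_at is not None and skipped_at < session[0]:
        return Verdict("UNAUTHENTICATED_SESSION", session[1])
    if sasl_failed:
        return Verdict("SASL_FAILED", session[1] if session else None)
    if session is not None:
        return Verdict("SESSION", session[1])
    return Verdict("NO_SESSION", None)


if __name__ == "__main__":
    for name, log in (("anonymous", ANONYMOUS_CLIENT_LOG), ("wrong user", WRONG_USER_CLIENT_LOG)):
        print(name, classify(log))
```

Run it against a zkCli session log captured with the same log4j layout; an UNAUTHENTICATED_SESSION verdict reproduces the first case in this report, and the session id it returns is what to look for in the server's own log when confirming which connection was admitted without authentication.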

      People

      • Assignee: Unassigned
      • Reporter: ella92 Ella Kurginyan
      • Votes: 0
      • Watchers: 3
