How to force SASL on all Zookeeper connections

Marshall Anschutz · Jul 10, 2012 · Viewed 7.7k times

I have a recent zookeeper build (version=3.4.3-1240972, built on 02/06/2012 10:48 GMT), and am having trouble forcing SASL to be used on all client connections.

Using the local conf/ directory of the release, I have the following configuration (running on Ubuntu 12.04):

conf/zoo.cfg

tickTime=2001
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

conf/jaas.conf

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="1adminsecret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="super"
    password="1adminsecret";
};

conf/java.env

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"

When I connect from the zkCli.sh script, it will auth properly, and changing the jaas.conf file will cause it to not be able to query. This is expected behavior.

However, when I use the ruby "zookeeper" gem, and run (with irb):

require 'zookeeper'
z = Zookeeper.new("localhost:2181")
z.get_children(:path => "/")
z.create(path:'/asdf', data:'test')

it returns results properly. If I'm requiring SASL for login, how come the Ruby client is bypassing security? I know it isn't just a read vs. write issue, as I can create keys as well.

Answer

sbridges · Jul 11, 2012

In conf/zoo.cfg, add the line,

requireClientAuthScheme=sasl

From the Server Configuration section here,

requireClientAuthScheme=sasl is optional: if it is set to any value, it will only allow non-authenticated clients to ping, create session, close session, or sasl-authenticate.
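An added check, not part of the question or the answer above: the question's zoo.cfg only registers the SASL provider (authProvider.1), which makes the scheme available to clients that opt in, as zkCli.sh does with its JAAS Client section; it does not turn away clients that never attempt SASL. The enforcement switch is the requireClientAuthScheme key the answer adds. The Ruby script below parses a zoo.cfg and reports which of the two states a file is in, so the distinction can be checked before deployment rather than discovered by a client that was never asked to authenticate. It is my own illustration, runs offline on constructed config text, and assumes a plain key=value layout (the other separators java.util.Properties accepts are not handled); the function names are mine.

```ruby
# Added example (not from the question or answer): audit a ZooKeeper zoo.cfg
# to tell whether SASL is merely *available* (authProvider.N registered) or
# actually *enforced* (requireClientAuthScheme set), the distinction the
# accepted answer turns on. Runs offline on constructed config text.

# Parse ZooKeeper's properties-style config: "key=value" lines, '#' comments.
# Assumption: only '=' is used as the separator (the common case in zoo.cfg).
def parse_zoo_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    cfg[key.strip] = value.strip
  end
end

SASL_PROVIDER = 'org.apache.zookeeper.server.auth.SASLAuthenticationProvider'

# Returns a small report describing the SASL posture of a parsed config.
def sasl_posture(cfg)
  providers = cfg.select { |k, _| k.start_with?('authProvider.') }.values
  sasl_available = providers.include?(SASL_PROVIDER)
  # Per the docs quoted in the answer, setting requireClientAuthScheme to any
  # value restricts unauthenticated clients to ping / create session /
  # close session / sasl-authenticate; the answer sets it to "sasl".
  required = cfg.key?('requireClientAuthScheme')
  {
    sasl_available: sasl_available,
    sasl_required: required,
    # Unauthenticated reads and writes are only blocked when both hold: a
    # registered provider alone just lets clients opt in, as zkCli.sh did.
    unauthenticated_ops_allowed: !(sasl_available && required),
  }
end

# Fail loudly, as a deployment check would, when SASL is not enforced.
def assert_sasl_enforced!(text)
  report = sasl_posture(parse_zoo_cfg(text))
  problems = []
  problems << "no authProvider.N=#{SASL_PROVIDER}" unless report[:sasl_available]
  problems << 'requireClientAuthScheme is not set' unless report[:sasl_required]
  raise "SASL not enforced: #{problems.join('; ')}" unless problems.empty?
  report
end

# Constructed sample input: the question's zoo.cfg as posted (provider
# registered, nothing enforced) and the same file with the answer's fix.
AS_POSTED = <<~CFG
  tickTime=2001
  initLimit=10
  syncLimit=5
  dataDir=/tmp/zookeeper
  clientPort=2181
  authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
CFG

WITH_FIX = AS_POSTED + "requireClientAuthScheme=sasl\n"

if __FILE__ == $PROGRAM_NAME
  puts "as posted: #{sasl_posture(parse_zoo_cfg(AS_POSTED)).inspect}"
  puts "with fix:  #{sasl_posture(parse_zoo_cfg(WITH_FIX)).inspect}"
  assert_sasl_enforced!(WITH_FIX)
end
```

Run it against a real conf/zoo.cfg by replacing the constructed strings with File.read of the file; a config that registers the provider but never sets requireClientAuthScheme is exactly the state the question describes, where an unauthenticated Ruby client can read and create nodes.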