This guide describes how to enable SASL authentication between a ZooKeeper client and server. ZooKeeper supports Kerberos (via the GSSAPI SASL mechanism) or DIGEST-MD5 as the authentication scheme. Note that this authenticates the client to the server; it does not by itself encrypt the client-server traffic.

JIRA and Source Code

This feature was added in ZooKeeper 3.4.0 and is available in all later versions. ZOOKEEPER-938 is the JIRA issue; the patch is linked from that JIRA.

...

Code Block: ClientCnxn.java
static class ServerSaslResponseCallback implements DataCallback {
  // Invoked when the server's reply to the client's last SASL packet arrives.
  public void processResult(int rc, String path, Object ctx, byte data[], Stat stat) {
    // data[] contains the ZooKeeper server's SASL token.
    // ctx is the ClientCnxn object. We use this object's prepareSaslResponseToServer() method
    // to reply to the ZooKeeper server's SASL token.
    // Note that rc (the server's result code) is not inspected here.
    ClientCnxn cnxn = (ClientCnxn) ctx;
    byte[] usedata = data;
    if (data != null) {
      LOG.debug("ServerSaslResponseCallback(): saslToken server response: (length=" + usedata.length + ")");
    } else {
      // A missing token is treated as an empty one so the SaslClient can still advance its state.
      usedata = new byte[0];
      LOG.debug("ServerSaslResponseCallback(): using empty data[] as server response (length=" + usedata.length + ")");
    }
    cnxn.prepareSaslResponseToServer(usedata);
  }
}

...

Code Block: ClientCnxn.java
private byte[] saslToken = new byte[0];

public void prepareSaslResponseToServer(byte[] serverToken) {
  saslToken = serverToken;

  LOG.debug("saslToken (server) length: " + saslToken.length);

  if (!saslClient.isComplete()) {
    try {
      // Feed the server's token to the SaslClient; the token it returns (if any)
      // is the client's next message in the exchange.
      saslToken = createSaslToken(saslToken, saslClient);
      if (saslToken != null) {
        LOG.debug("saslToken (client) length: " + saslToken.length);
        queueSaslPacket(saslToken);
      }

      if (saslClient.isComplete()) {
        LOG.info("SASL authentication with ZooKeeper server is successful.");
      }
    } catch (SaslException e) {
      // Note that the exception detail is dropped here; only a generic message is logged.
      LOG.error("SASL authentication failed.");
    }
  }
}
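The two ClientCnxn fragments above show only the client half of the token exchange, and only one step of it. The following is an added example, not ZooKeeper's own code, that runs both halves of a DIGEST-MD5 handshake in one process with the JDK's javax.security.sasl API, so the whole challenge/response sequence that prepareSaslResponseToServer() advances one step at a time can be seen end to end. The user name, password, service name "zookeeper" and server name "zk-sasl-md5" are constructed values for the demo; in ZooKeeper they come from the JAAS login context. It also shows the failure mode: a wrong password makes the server side throw SaslException, which is the condition the catch block in prepareSaslResponseToServer() reports.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

public class DigestMd5Handshake {
    // Constructed demo values (assumptions, not ZooKeeper configuration).
    static final String SERVICE = "zookeeper";
    static final String HOST = "zk-sasl-md5";

    // Client side: answers the callbacks DIGEST-MD5 issues while building its response.
    static CallbackHandler clientHandler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());        // accept the realm the server offered
                } else if (cb instanceof RealmChoiceCallback) {
                    RealmChoiceCallback rc = (RealmChoiceCallback) cb;
                    rc.setSelectedIndex(rc.getDefaultChoice());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Server side: looks up the client's password by the name it claimed, then authorizes it.
    static CallbackHandler serverHandler(Map<String, char[]> users) {
        return callbacks -> {
            String authnId = null;
            for (Callback cb : callbacks) {             // pass 1: learn which user is authenticating
                if (cb instanceof NameCallback) authnId = ((NameCallback) cb).getDefaultName();
            }
            for (Callback cb : callbacks) {             // pass 2: answer the remaining callbacks
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(authnId);
                } else if (cb instanceof PasswordCallback) {
                    char[] pw = users.get(authnId);     // unknown user: leave unset, server rejects
                    if (pw != null) ((PasswordCallback) cb).setPassword(pw);
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    boolean ok = ac.getAuthenticationID().equals(ac.getAuthorizationID());
                    ac.setAuthorized(ok);               // only allow acting as oneself
                    if (ok) ac.setAuthorizedID(ac.getAuthorizationID());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Drives the exchange until both sides report completion. Each client step is what
    // prepareSaslResponseToServer() does once per server token.
    static boolean handshake(SaslClient client, SaslServer server) throws SaslException {
        byte[] token = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
        while (!server.isComplete()) {
            byte[] challenge = server.evaluateResponse(token);   // throws SaslException on a bad digest
            if (challenge == null || client.isComplete()) break;
            token = client.evaluateChallenge(challenge);         // client's reply to the server token
        }
        return client.isComplete() && server.isComplete();
    }

    static String authenticate(String user, char[] password, Map<String, char[]> users) throws SaslException {
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, SERVICE, HOST, null,
                clientHandler(user, password));
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", SERVICE, HOST, null, serverHandler(users));
        try {
            return handshake(client, server) ? "authenticated as " + server.getAuthorizationID() : "incomplete";
        } catch (SaslException e) {
            return "failed: " + e.getMessage();
        } finally {
            client.dispose();
            server.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, char[]> users = new HashMap<>();          // constructed server-side credential table
        users.put("bob", "bobsecret".toCharArray());
        System.out.println("correct password: " + authenticate("bob", "bobsecret".toCharArray(), users));
        System.out.println("wrong password:   " + authenticate("bob", "guess".toCharArray(), users));
        System.out.println("unknown user:     " + authenticate("eve", "x".toCharArray(), users));
    }
}
```

DIGEST-MD5 is server-first, so the loop starts by handing the server an empty token, exactly as ServerSaslResponseCallback substitutes an empty byte[] when no server data is present. The wrong-password and unknown-user cases end in a SaslException from evaluateResponse on the server side rather than in a completed exchange; nothing about the client loop distinguishes the two, which is why the server's log, not the client's generic "SASL authentication failed." message, is where the reason is found.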

...

Note that the passwords in the above are in plain text, so the JAAS configuration file should not be readable by anyone other than the ZooKeeper server process user; anyone who can read it can authenticate as those users.

Client Configuration

This is similar to the ZooKeeper server configuration, except there is no zoo.cfg for the client.

...

Note that the keytab file given in the keyTab section should not be readable by anyone other than the ZooKeeper client process user.
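Both the server's JAAS file and the client's keytab carry the same requirement: owned by the process user and unreadable by anyone else. The following is an added example, not part of ZooKeeper, of a start-up check a deployment could run against such files on a POSIX host. The file names and the expected owner are constructed for the demo; the check creates a temporary file, sets it world-readable, then tightens it to owner-only to show both outcomes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class CredentialFileCheck {

    // Returns null when the file is private to expectedOwner, otherwise a description of the problem.
    // Symlinks are rejected outright so a link pointing at a world-readable copy cannot pass.
    static String check(Path file, String expectedOwner) throws IOException {
        if (Files.isSymbolicLink(file)) {
            return file + ": is a symbolic link";
        }
        if (!Files.isRegularFile(file)) {
            return file + ": not a regular file";
        }
        String owner = Files.getOwner(file).getName();
        if (!owner.equals(expectedOwner)) {
            return file + ": owned by " + owner + ", expected " + expectedOwner;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            // Anything beyond owner read/write (0600) exposes the secret or lets others replace it.
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                return file + ": permissions " + PosixFilePermissions.toString(perms)
                        + " grant access beyond the owner";
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        Path jaasFile = Files.createTempFile("zk-jaas", ".conf");   // constructed stand-in for the real file
        String me = Files.getOwner(jaasFile).getName();
        try {
            Files.setPosixFilePermissions(jaasFile, PosixFilePermissions.fromString("rw-r--r--"));
            System.out.println("0644: " + check(jaasFile, me));        // reports access beyond the owner
            Files.setPosixFilePermissions(jaasFile, PosixFilePermissions.fromString("rw-------"));
            System.out.println("0600: " + check(jaasFile, me));        // null, file is acceptable
            System.out.println("wrong owner: " + check(jaasFile, "nobody"));
        } finally {
            Files.delete(jaasFile);
        }
    }
}
```

Run the same check against the keytab named in the client's keyTab entry with the client process user as expectedOwner. Refusing to start when check() returns a message is preferable to logging and continuing, since the secret is already exposed by the time the check runs.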

JAAS configuration file: DIGEST-MD5 authentication

...