...

Server Configuration

conf/zoo.cfg

requireClientAuthScheme=sasl is optional: if it is set to any value, it only allows non-authenticated clients to ping, create a session, close a session, or SASL-authenticate. You need to define the SASL authentication provider class in your server config. You can also set a few optional configuration parameters for SASL:

Code Block: zoo.cfg
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

# optional SASL related server-side properties:

# you can instruct ZooKeeper to remove the host from the client principal name during authentication
# (e.g. zk/myhost@EXAMPLE.COM client principal will be authenticated in
# ZooKeeper as zk@EXAMPLE.COM)
# kerberos.removeHostFromPrincipal=true

# you can instruct ZooKeeper to remove the realm from the client principal name during authentication
# (e.g. zk/myhost@EXAMPLE.COM client principal will be authenticated in
# ZooKeeper as zk/myhost)
# kerberos.removeRealmFromPrincipal=true

# instruct the ZooKeeper server to renew its Kerberos ticket once every hour
# jaasLoginRenew=3600000

# if requireClientAuthScheme is set to any value, it will only allow non-authenticated
# clients to ping, create session, close session, or sasl-authenticate
# requireClientAuthScheme=sasl

conf/java.env

Code Block: java.env
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/path/to/server/jaas/file.conf"

...

Code Block: java.env
# REQUIRED SASL RELATED CONFIGS:
# ==== java.security.auth.login.config:
# Defining your client side JAAS config file path:
CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Djava.security.auth.login.config=/path/to/client/jaas/file.conf"



# OPTIONAL SASL RELATED CONFIGS:

# ==== zookeeper.sasl.client:
# You can disable SASL authentication on the client side (it is true by default):
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.sasl.client=false"


# ==== zookeeper.server.principal:
# Setting the server principal of the ZooKeeper service. If this configuration is provided, then
# the ZooKeeper client will NOT USE any of the following parameters to determine the server principal:
# zookeeper.sasl.client.username, zookeeper.sasl.client.canonicalize.hostname, zookeeper.server.realm
# Note: this config parameter only works with ZooKeeper 3.5.7+ and 3.6.0+
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.server.principal=zookeeper@EXAMPLE.COM"


# ==== zookeeper.sasl.client.username:
# Setting the 'user' part of the server principal of the ZooKeeper service, assuming the
# zookeeper.server.principal parameter is not provided. When you have zookeeper/myhost@EXAMPLE.COM
# defined in your server side SASL config, then use:
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.sasl.client.username=zookeeper"


# ==== zookeeper.sasl.client.canonicalize.hostname:
# Assuming the zookeeper.server.principal parameter is not provided, the ZooKeeper client will try to
# determine the 'instance' (host) part of the ZooKeeper server principal. First it takes the hostname provided
# in the ZooKeeper server connection string. Then it tries to 'canonicalize' the address by looking up
# the fully qualified domain name belonging to the address. You can disable this 'canonicalization'
# using the following config:
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.sasl.client.canonicalize.hostname=false"


# ==== zookeeper.server.realm:
# Setting the 'realm' part of the server principal of the ZooKeeper service, assuming the
# zookeeper.server.principal parameter is not provided. By default, in this case the ZooKeeper client
# will use its own realm. You can override this, e.g. when you have zookeeper/myhost@EXAMPLE.COM
# defined in your server side SASL config, then use:
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.server.realm=EXAMPLE.COM"


# ==== zookeeper.sasl.clientconfig:
# You can have multiple contexts defined in a JAAS.conf file. The ZooKeeper client uses the section
# named 'Client' by default. You can override it if you wish, by using:
# CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Dzookeeper.sasl.clientconfig=Client"

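As an added illustration (not code from the ZooKeeper project), the following Python models the principal rules described in the two config blocks above: how the client assembles the server principal from zookeeper.server.principal, zookeeper.sasl.client.username, zookeeper.sasl.client.canonicalize.hostname and zookeeper.server.realm, and how kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal change the client name the server authenticates. The DNS table, hostnames and principals are constructed; the mismatch case shows why disabling canonicalization while the server's principal carries an FQDN makes Kerberos authentication fail.

```python
from typing import Callable, Dict

# Constructed DNS table standing in for the forward lookup the client performs when
# zookeeper.sasl.client.canonicalize.hostname is left at its default (true).
FAKE_DNS: Dict[str, str] = {"zk1": "zk1.example.com", "10.0.0.5": "zk1.example.com"}

def resolve_fqdn(host: str) -> str:
    """Stand-in canonicalizer: names missing from the table resolve to themselves."""
    return FAKE_DNS.get(host, host)

def derive_server_principal(props: Dict[str, str], connect_host: str, client_realm: str,
                            canonicalize: Callable[[str], str] = resolve_fqdn) -> str:
    """Server principal the client will ask Kerberos for (modelled from the documented rules):
    zookeeper.server.principal wins outright; otherwise user/host@realm is built from
    zookeeper.sasl.client.username (default 'zookeeper'), the optionally canonicalized
    connect-string host, and zookeeper.server.realm, falling back to the client's own realm."""
    explicit = props.get("zookeeper.server.principal")
    if explicit:
        return explicit
    user = props.get("zookeeper.sasl.client.username", "zookeeper")
    do_canon = props.get("zookeeper.sasl.client.canonicalize.hostname", "true").lower() != "false"
    host = canonicalize(connect_host) if do_canon else connect_host
    realm = props.get("zookeeper.server.realm", client_realm)
    return f"{user}/{host}@{realm}"

def server_view_of_client(client_principal: str, remove_host: bool = False,
                          remove_realm: bool = False) -> str:
    """Name the server authenticates a client as, after the server-side
    kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal options are applied."""
    name, _, realm = client_principal.partition("@")
    if remove_host:
        name = name.partition("/")[0]          # drop the '/host' instance part
    return name if remove_realm or not realm else f"{name}@{realm}"

def principals_match(client_expected: str, server_configured: str) -> bool:
    """The handshake only succeeds when the client asks for exactly the principal the server holds."""
    return client_expected == server_configured

if __name__ == "__main__":
    server = "zookeeper/zk1.example.com@EXAMPLE.COM"   # constructed: what the server's JAAS file holds
    for props in ({}, {"zookeeper.sasl.client.canonicalize.hostname": "false"},
                  {"zookeeper.server.principal": server}):
        expected = derive_server_principal(props, "zk1", "EXAMPLE.COM")
        print(f"{props or 'defaults'} -> {expected}, match={principals_match(expected, server)}")
    print(server_view_of_client("zk/myhost@EXAMPLE.COM", remove_host=True))   # zk@EXAMPLE.COM
```
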
...