Reputation: 141
I'm using Zookeeper version 3.4.12, and when trying to enable SASL I found the error below. Can someone help with this?
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=true
keyTab="/tmp/kafka/zookeeper.service.keytab
principal="zookeeper/[email protected]";
};
Error:
2018-11-02 09:35:01,998] ERROR SASL authentication failed using login context 'Client' with exception: {} (org.apache.zookeeper.client.ZooKeeperSaslClient) javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null
Upvotes: 2
Views: 14377
Reputation: 3604
I was experiencing the same problem...
SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null
This error was also in the Zookeeper Server log:
ERROR [NIOWorkerThread-6:ZooKeeperServer@1191] - cnxn.saslServer is null: cnxn object did not initialize its saslServer properly.
My configuration uses mutual Kerberos authentication between Zookeeper instances.
Missing "Server" Section
My problem was that I didn't have the Server section present in my server JAAS configuration for Zookeeper.
I needed something like:
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/zookeeper.keytab"
storeKey=true
useTicketCache=false
debug=false
principal="zookeeper/[email protected]";
};
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/zookeeper.keytab"
storeKey=true
useTicketCache=false
debug=false
principal="zookeeper/[email protected]";
};
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/zookeeper.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/[email protected]";
};
When clients connect to Zookeeper they will authenticate against the Server section of this configuration. This is required for SASL to work.
Also make sure you have conf/java.env set with something like:
SERVER_JVMFLAGS="${SERVER_JVMFLAGS} -Djava.security.auth.login.config=/opt/zookeeper/conf/server-jaas.conf"
CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Djava.security.auth.login.config=/opt/zookeeper/conf/client-jaas.conf"
Upvotes: 0
Reputation: 978
I think the problem is that you are missing a double quotation mark at:
keyTab="/tmp/kafka/zookeeper.service.keytab
Upvotes: 0
Reputation: 649
The first step in Zookeeper security is to secure quorum peer communication. Complete explanation here.
Your Zookeeper JAAS file should have QuorumServer and QuorumLearner sections.
Next, you can secure communication between the Zookeeper cluster and clients such as Kafka. Full explanation here.
You add a Server section to the Zookeeper JAAS file, and your Kafka JAAS file should have a Client section.
Upvotes: 0
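As an added example (not code from any of the posts above), a small Python checker that applies the diagnoses in this thread to a ZooKeeper server JAAS file: it parses the sections, flags a quoted value with no closing quote such as the keyTab line in the question, and reports which of the QuorumServer, QuorumLearner and Server sections are missing. The function names, the placeholder principal zookeeper/zk1.example.com@EXAMPLE.COM and the one-option-per-line layout are assumptions of this example.

```python
import re

# ZooKeeper server JAAS needs QuorumServer/QuorumLearner (peer auth) and Server
# (client auth); the answers above diagnose a missing Server and a missing quote.
REQUIRED_SECTIONS = ("QuorumServer", "QuorumLearner", "Server")
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)

def parse_jaas(text):
    """Parse JAAS text (one option per line, as in the configs above) into
    {section: {"module", "flag", "options"}}; syntax errors are collected."""
    sections, errors = {}, []
    for m in SECTION_RE.finditer(text):
        name, lines = m.group(1), m.group(2).strip().splitlines()
        module, _, flag = lines[0].partition(" ") if lines else ("", "", "")
        options = {}
        for line in lines[1:]:
            key, _, raw = line.strip().rstrip(";").partition("=")
            key, raw = key.strip(), raw.strip()
            # The question's keyTab line: an opening quote with no closing one.
            if raw.startswith('"') and not (len(raw) > 1 and raw.endswith('"')):
                errors.append(f"{name}: unterminated string in {key}={raw}")
            options[key] = raw.strip('"')
        sections[name] = {"module": module, "flag": flag.strip(), "options": options}
    return sections, errors

def validate_zookeeper_jaas(text, required=REQUIRED_SECTIONS):
    """Return a list of problems; an empty list means the file passes."""
    sections, errors = parse_jaas(text)
    errors += [f"missing section {n!r}" for n in required if n not in sections]
    for name, sec in sections.items():
        if sec["module"] != KRB5_MODULE or sec["flag"] != "required":
            errors.append(f"{name}: expected '{KRB5_MODULE} required'")
        errors += [f"{name}: missing {k}" for k in ("keyTab", "principal")
                   if k not in sec["options"]]
    return errors

def krb5_section(name, keytab, principal):
    # One Krb5LoginModule section in the layout of the server config above.
    return (f"{name} {{\n{KRB5_MODULE} required\nuseKeyTab=true\n"
            f'keyTab="{keytab}"\nstoreKey=true\nuseTicketCache=false\n'
            f'principal="{principal}";\n}};\n')

# Constructed samples: a server JAAS with all three sections, and the question's
# lone Client block with the closing quote dropped from its keyTab value.
PRINCIPAL = "zookeeper/zk1.example.com@EXAMPLE.COM"  # placeholder principal
GOOD_JAAS = "".join(krb5_section(n, "/etc/security/keytabs/zookeeper.keytab",
                                 PRINCIPAL) for n in REQUIRED_SECTIONS)
BROKEN_JAAS = krb5_section("Client", "/tmp/kafka/zookeeper.service.keytab",
                           PRINCIPAL).replace('keytab"\n', 'keytab\n')
```

Running validate_zookeeper_jaas on BROKEN_JAAS reports the unterminated keyTab string and all three missing server-side sections, while GOOD_JAAS passes cleanly.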