ZooKeeper SASL support

更新时间:
复制 MD 格式

By default, ZooKeeper clusters do not enforce identity authentication. This exposes your cluster data to any client on the network, creating a significant security risk. To enhance the security of your cluster data, you can use Microservices Engine (MSE) to configure and enforce Simple Authentication and Security Layer (SASL) authentication. MSE for ZooKeeper supports the DIGEST-MD5 mechanism, which authenticates clients with a username and password. You can configure user credentials on the server and enable an enforcement switch to require all clients to authenticate.

Prerequisites

Create a ZooKeeper engine, version 3.8.0.7 or later. If your engine is an earlier version, see Upgrade a ZooKeeper engine version.

Procedure

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Microservices Registry > Instances. Click the name of the instance.

  3. In the left-side navigation pane, choose Authentication Management.

  4. On the Authentication Management page, click Create User. In the Create User panel, enter a Username, Password, and Confirm Password, and then click Confirm and Restart Instance.

    After the cluster restarts, the new user identity configuration takes effect.
  5. In the Actions column for the user, click Copy Configuration. Add the password to the copied configuration and save it as a file on your client.

  6. For Java applications that use the native ZooKeeper SDK or CuratorFramework:

    1. When you start the Java application, specify the location of the configuration file by adding the following system property:

      -Djava.security.auth.login.config=/path  // Replace /path with the actual file path.
    2. Restart the application. The client automatically reads the configuration and authenticates.

      Note
      • For Java clients, use ZooKeeper SDK version 3.4 or later.

      • For clients in other languages, refer to the corresponding SDK documentation.

  7. After configuring all clients, in the left-side navigation pane, choose Parameter Settings. On the Parameter Settings page, set AuthEnabled to true. This enables the server to enforce SASL identity authentication for all clients.

    Note

    Setting AuthEnabled to true prevents unauthenticated clients from sending requests to the server.