
Microservices Engine: SASL for ZooKeeper instances

Last Updated: May 29, 2024

By default, ZooKeeper instances do not enforce identity authentication. As a result, instance data is exposed on the network and any client can access it, which poses a potential security risk. Microservices Engine (MSE) allows you to configure the Simple Authentication and Security Layer (SASL) authentication mechanism and enable forced identity authentication for ZooKeeper instances to improve data security. MSE ZooKeeper instances support SASL authentication based on an MD5 digest, in which clients are authenticated by using usernames and passwords. You configure identity information on the server and enable identity authentication. Clients can then access the server only by using that identity information.

Prerequisites

A ZooKeeper engine of V3.8.0.7 or later is created. For more information about how to create a ZooKeeper engine, see Create a ZooKeeper engine. For more information about how to upgrade the engine version, see Upgrade a ZooKeeper version.

Procedure

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Microservices Registry > Instances. Click the name of the instance.

  3. In the left-side navigation pane, click Authentication Management.

  4. On the Authentication Management page, click Create User. On the Create User page, configure the Username, Password, and Confirm Password parameters, and click Confirm and Restart Instance.

    The configured identity information takes effect immediately after you restart the MSE ZooKeeper instance.

  5. Find the desired user and click Copy Configuration in the Actions column. Manually add the password to the copied configuration and save the configuration in a file on the client.

  6. Perform the following operations for applications that use ZooKeeper native SDK for Java or CuratorFramework:

    1. If the configuration file is saved in /path, specify the following system property when the Java application starts. Replace /path with the path in which the configuration file is saved.

      -Djava.security.auth.login.config=/path
    2. After the application is restarted, the client automatically reads the configuration for authentication.

      Note
      • If you use a Java client, make sure that the version of the ZooKeeper instance is V3.4 or later.

      • If you use a client that uses other programming languages, perform the configurations by following the instructions in the related SDK documentation.

  7. Click Parameter Settings in the left-side navigation pane. On the Parameter Settings page, set the AuthEnabled parameter to true to enable SASL authentication.

    Note

    If you set the AuthEnabled parameter to true, clients that fail SASL authentication cannot access the server.
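
Because clients that fail SASL authentication are locked out once AuthEnabled is true, it helps to check the client file from step 5 before step 7. The script below is an added example, not part of MSE or of this page's original content. It assumes the copied configuration follows the standard ZooKeeper client JAAS layout (a Client section that uses DigestLoginModule); the function name check_jaas_file is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a ZooKeeper client JAAS file.
# Assumption: standard ZooKeeper client layout, i.e. a "Client" section using
# org.apache.zookeeper.server.auth.DigestLoginModule with username/password.

# Returns 0 if the file looks usable, 1 on a finding, 2 if it cannot be read.
check_jaas_file() {
    f=$1
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    rc=0

    # The file holds the password in plaintext, so any group/other
    # permission bit is reported as a finding.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "group/other can access $f (fix: chmod 600)" >&2; rc=1; }

    # Extract the Client { ... }; section and inspect only that part.
    section=$(sed -n '/^[[:space:]]*Client[[:space:]]*{/,/}[[:space:]]*;/p' "$f")
    [ -n "$section" ] || { echo "no Client section in $f" >&2; return 1; }

    echo "$section" | grep -q 'org\.apache\.zookeeper\.server\.auth\.DigestLoginModule' \
        || { echo "Client section does not use DigestLoginModule" >&2; rc=1; }
    echo "$section" | grep -Eq 'username[[:space:]]*=[[:space:]]*"[^"]+"' \
        || { echo "username is missing or empty" >&2; rc=1; }
    # Step 5: the password has to be added to the copied configuration by hand.
    echo "$section" | grep -Eq 'password[[:space:]]*=[[:space:]]*"[^"]+"' \
        || { echo "password is missing or empty" >&2; rc=1; }
    return $rc
}

# When run as a script, check the file given as the first argument.
if [ "$#" -gt 0 ]; then
    check_jaas_file "$1"
fi
```

Run it against the same path that is passed to -Djava.security.auth.login.config. A non-zero exit status means the file should be corrected before AuthEnabled is set to true.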