.. _zk-security:

|zk| Security
=============

You can enable security in |zk| by using the examples below. For a complete |cp| security example, see the :ref:`security_tutorial`.

.. note:: When authenticating brokers with |zk|, set ``zookeeper.set.acl=true`` for all brokers. If you accept the default (``zookeeper.set.acl=false``), then no ACLs are created and |zk| authentication is not enforced.

Enable |zk| Authentication with SASL
------------------------------------

Enable |zk| authentication with SASL by using one of these methods.

- Add the following to ``zookeeper.properties`` to enable SASL while still allowing connections without authentication:

  ::

    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

- Add the following to the |zk| JVM command line:

  ::

    -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

Require All Connections to use SASL Authentication
--------------------------------------------------

Require that all connections use SASL authentication by using one of these methods.

- Add the following to ``zookeeper.properties``:

  ::

    requireClientAuthScheme=sasl

- Add the following to the |zk| JVM command line:

  ::

    -Dzookeeper.requireClientAuthScheme=sasl

SASL with Digest-MD5
--------------------

Here is an example of a |zk| node JAAS file:

::

  Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="adminsecret"
    user_bob="bobsecret";
  };

Here is an example of a |zk| client JAAS file, used by brokers and by admin scripts such as ``kafka-topics``:

::

  Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="bob"
    password="bobsecret";
  };

If your |ak| broker already has a JAAS file, this ``Client`` section must be added to it.

SASL with Kerberos
------------------

Here is an example of a |zk| node JAAS file:

::

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/path/to/server/keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/yourzkhostname@EXAMPLE.COM";
  };

Here is an example of a |zk| client JAAS file, used by brokers and by admin scripts such as ``kafka-topics``:

::

  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
  };

.. note:: Before starting |zk|, check the JAAS syntax and the keytab permissions. The most common errors that prevent the server from starting are JAAS syntax errors or incorrect permissions on the keytab file.
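The pre-flight check described in the note above, as an added example that is not part of |zk|, |cp| or this page: a small Python script that parses a JAAS file of the shape shown in both sections, rejects the usual syntax slips (a missing ``;`` after the last option, a missing ``};`` closing the entry), and for every ``Krb5LoginModule`` that uses a keytab reports a missing ``keyTab`` option, a missing file, or a keytab readable by group or world. The regexes cover only the JAAS shape used on this page, not the full JAAS grammar, and the sample ``SERVER_JAAS`` is the server entry above with its placeholder host and path.

```python
import re
import stat
from pathlib import Path

# Constructed regexes for the JAAS shape used above: Name { Module Flag option=value ...; };
ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
MODULE_RE = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')

def parse_jaas(text):
    """Return {entry: [{'module', 'flag', 'options'}]}; raise ValueError on the usual syntax slips."""
    if text.count('{') != text.count('}'):
        raise ValueError('unbalanced braces')
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = [{'module': mod, 'flag': flag, 'options': dict(OPTION_RE.findall(opts))}
                   for mod, flag, opts in MODULE_RE.findall(body)]
        if not modules:  # typically the ';' after the last option is missing
            raise ValueError(f'entry {name}: no login module terminated by ";"')
        entries[name] = modules
    if not entries:  # typically the '};' closing the entry is missing
        raise ValueError('no complete JAAS entries found')
    return entries

def mode_is_private(mode):
    """True when only the owner can access the file; a keytab is a long-lived credential."""
    return not (mode & 0o077)

def keytab_problems(entries):
    """Findings for every Krb5LoginModule that reads a keytab: missing option, missing file, lax mode."""
    problems = []
    for name, modules in entries.items():
        for m in modules:
            opts = m['options']
            if not m['module'].endswith('Krb5LoginModule') or opts.get('useKeyTab') != 'true':
                continue
            keytab = opts.get('keyTab')
            if keytab is None:
                problems.append(f'{name}: useKeyTab=true but no keyTab option')
            elif not Path(keytab).is_file():
                problems.append(f'{name}: keytab {keytab} not found')
            else:
                mode = stat.S_IMODE(Path(keytab).stat().st_mode)
                if not mode_is_private(mode):
                    problems.append(f'{name}: keytab {keytab} mode {mode:04o} is group/world accessible')
    return problems

# Constructed sample: the server entry shown above, with its placeholder host and keytab path.
SERVER_JAAS = ('Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true '
               'keyTab="/path/to/server/keytab" storeKey=true useTicketCache=false '
               'principal="zookeeper/yourzkhostname@EXAMPLE.COM"; };')
```

Run ``keytab_problems(parse_jaas(Path('/path/to/jaas.conf').read_text()))`` against the real file on each |zk| node before starting the server; an empty list means the JAAS file parsed and every keytab it names exists with owner-only permissions.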