Configure SASL authentication for ZooKeeper instances - Microservices Engine

By default, Microservices Engine (MSE) ZooKeeper instances do not enforce identity authentication, which means any client on the network can read and write instance data. To restrict access, enable Simple Authentication and Security Layer (SASL) authentication. MSE ZooKeeper supports SASL with the DIGEST-MD5 mechanism, where clients authenticate with a username and password.

How it works

SASL authentication on MSE ZooKeeper has two parts:

Server side (MSE console): Create authentication users and enable the AuthEnabled parameter. After the instance restarts, unauthenticated clients are rejected.
Client side (your application): Save a JAAS configuration file with the username and password, then pass the file path to the JVM at startup. The ZooKeeper client SDK handles the SASL handshake automatically.

Prerequisites

Before you begin, make sure that you have:

A ZooKeeper engine running version 3.8.0.7 or later. To create one, see Create a ZooKeeper engine. To upgrade an existing engine, see Upgrade a ZooKeeper version
For Java clients, ZooKeeper SDK version 3.4 or later

Step 1: Create an authentication user

Log on to the MSE console.
In the left-side navigation pane, choose Microservices Registry > Instances. Click the name of the instance.
In the left-side navigation pane, click Authentication Management.
Click Create User. Configure the following parameters:
Parameter Description
Username The username for client authentication.
Password The password for client authentication.
Confirm Password Re-enter the password to confirm.
Click Confirm and Restart Instance. The instance restarts and the new user takes effect immediately.

Parameter	Description
Username	The username for client authentication.
Password	The password for client authentication.
Confirm Password	Re-enter the password to confirm.

Step 2: Configure SASL on the client

On the Authentication Management page, find the user and click Copy Configuration in the Actions column.
Paste the copied content into a new file on the client machine and add the password manually.
For applications that use the ZooKeeper native SDK for Java or CuratorFramework, pass the JAAS file path as a JVM system property at startup: Replace /path with the actual location of your JAAS configuration file.
```
-Djava.security.auth.login.config=/path
```
Restart the application. The ZooKeeper client reads the JAAS file and authenticates on connection.

Note

If your client uses a language other than Java, refer to the corresponding SDK documentation for SASL configuration instructions.

Step 3: Enable SASL enforcement

After you verify that your clients can authenticate successfully:

In the left-side navigation pane of the MSE console, click Parameter Settings.
Set AuthEnabled to true.

Important

After you set AuthEnabled to true, any client that fails SASL authentication is denied access to the instance. Before you enable this parameter, verify that all client applications authenticate successfully to avoid service disruptions.