Behavioral Changes in ZooKeeper

Behavioral changes denote a marked change in behavior from the previously released version to this version of ZooKeeper.

Cloudera Runtime 7.3.2

ZooKeeper authentication enforcement
Previous behavior:

ZooKeeper client connections were accepted even when they did not authenticate. Anonymous clients could open sessions with the ZooKeeper ensemble, as long as they could reach the client port (for example, 2181). This meant that components and tools that did not use ZooKeeper authentication could still connect and operate, as long as ACLs and network controls (such as firewalls) allowed it.

New behavior:

When ZooKeeper authentication enforcement is enabled, the ZooKeeper server only accepts connections from clients that successfully authenticate (for example, using Kerberos/SASL). Components and clients that do not authenticate, or that fail authentication, can no longer establish a session with ZooKeeper and therefore cannot connect or operate through the unsecured client port. This change hardens ZooKeeper security, but requires that all ZooKeeper‑using components in the deployment be updated or configured to use authentication before enforcement is turned on.
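A pre-flight check for the enforcement setting described above, as an added example that is not Cloudera's or ZooKeeper's own code: it parses zoo.cfg text and reports whether sessionRequireClientSASLAuth is on. The authProvider.N check, the function names and both sample configurations are assumptions constructed for illustration.

```python
# Added example: pre-flight audit of a zoo.cfg before SASL enforcement is relied on.
# The provider class below comes from upstream ZooKeeper's SASL setup; that the
# deployment registers it through an authProvider.N line is an assumption.
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

def parse_zoo_cfg(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return the enforcement state of a zoo.cfg and any findings."""
    props = parse_zoo_cfg(text)
    # An absent key is treated as false, the default value listed on this page.
    enforced = props.get("sessionRequireClientSASLAuth", "false").lower() == "true"
    sasl_provider = any(
        key.startswith("authProvider.") and value == SASL_PROVIDER
        for key, value in props.items()
    )
    findings = []
    if not enforced:
        findings.append("unauthenticated clients can still open sessions")
    elif not sasl_provider:
        findings.append("enforcement on, no SASL provider line: verify server SASL setup")
    return {"enforced": enforced, "sasl_provider": sasl_provider, "findings": findings}

# Constructed sample configurations (not taken from a real cluster).
BEFORE = """
clientPort=2181
"""

AFTER = """
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
sessionRequireClientSASLAuth = true
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```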

Summary: The default values for the following configuration items are updated.

Previous behavior:

Parameter name: ip_version
Description: Specifies the IP version the service must use for network communication.
  • IPv4 - Uses IPv4 exclusively.
  • IPv6 - Uses IPv6 exclusively.
  • Dual-stack (IPv4 & IPv6) - Supports both IPv4 and IPv6, enabling communication over both protocols.
Default value: -

Parameter name: sessionRequireClientSASLAuth
Description: ZooKeeper configuration to enforce Simple Authentication and Security Layer (SASL) authentication.
Default value: -

New behavior:

Parameter name: ip_version
Description: Specifies the IP version the service must use for network communication.
  • IPv4 - Uses IPv4 exclusively.
  • IPv6 - Uses IPv6 exclusively.
  • Dual-stack (IPv4 & IPv6) - Supports both IPv4 and IPv6, enabling communication over both protocols.
Default value: IPV4

Parameter name: sessionRequireClientSASLAuth
Description: ZooKeeper configuration to enforce Simple Authentication and Security Layer (SASL) authentication.
Default value: false