How to force SASL on all Zookeeper connections

I have a recent zookeeper build (version=3.4.3-1240972, built on 02/06/2012 10:48 GMT), and am having trouble forcing SASL to be used on all client connections.

Using the local conf/ directory of the release, I have the following configuration (running on Ubuntu 12.04):

conf/zoo.cfg

tickTime=2001
initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

conf/jaas.conf

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="1adminsecret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="super"
    password="1adminsecret";
};

conf/java.env

export JVMFLAGS="-Djava.security.auth.login.config=`pwd`/conf/jaas.conf"

When I connect from the zkCli.sh script, it will auth properly, and changing the jaas.conf file will cause it to not be able to query. This is expected behavior.

However, when I use the ruby "zookeeper" gem, and run (with irb):

require 'zookeeper'
z = Zookeeper.new("localhost:2181")
z.get_children(:path => "/")
z.create(path:'/asdf', data:'test')

it returns results properly. If I'm requiring SASL for login, how come the ruby client is bypassing security. I know it isn't just a read vs. write issue, as I can also create keys as well.

Solution 1:

In conf/zoo.cfg, add the line,

requireClientAuthScheme=sasl

From the Server Configuration section here,

requireClientAuthScheme=sasl is optional: if it is set to any value, it will only allow non-authenticated clients to ping, create session, close session, or sasl-authenticate.