From: Jordan Zimmerman
To: user@curator.apache.org
Subject: Re: multiple curator frameworks mixed authentication modes
Date: Wed, 16 Dec 2015 16:22:04 -0500

Actually, it may not be possible to do in Curator at all. What if two threads are creating new Curator handles? There’s no way to make this work in a concurrent way. This should be addressed in ZK itself I think.

-JZ

On Dec 16, 2015, at 4:15 PM, Cameron McKenzie <mckenzie.cam@gmail.com> wrote:

Would that cause problems on an attempt to reconnect (doesn't Curator recreate the ZK client under some circumstances?)?

On Thu, Dec 17, 2015 at 7:37 AM, Jordan Zimmerman <jordan@jordanzimmerman.com> wrote:
I just checked in the ZK code. It does:

System.getProperty(Environment.JAAS_CONF_KEY)

So, just manually set/clear this property before creating the Curator instance.

-JZ

On Dec 16, 2015, at 3:00 PM, Dave Ariens <dariens@blackberry.com> wrote:

Sorry, don't follow. Let me try and re-phrase:

If I launch a JVM with -Djava.security.auth.login.config=jaas.conf

and that jaas.conf contains:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="dariens.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  debug=true
  principal="dariens@MY.EXAMPLE";
};

When my application starts I instantiate a CuratorFramework object connection to a ZK cluster that authenticates new connections via SASLAuthenticationProvider and of course this works as expected.

I now need to instantiate another new CuratorFramework object to another ZK cluster that does not perform SASL authentication and any attempt to get/set data results in the errors below.

Is there a configuration that I can apply when instantiating CuratorFrameworks that will not automatically use SaslAuthentication when a JAAS login context is present?

[2015-12-16 19:47:15,427] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2015-12-16 19:47:15,427] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
[2015-12-16 19:47:15,427] ERROR Authentication failed (org.apache.curator.ConnectionState)






From: Jordan Zimmerman [jordan@jordanzimmerman.com]
Sent: Wednesday, December 16, 2015 2:39 PM
To: user@curator.apache.org
Subject: Re: multiple curator frameworks mixed authentication modes

Check your code. There are no static/global values in Curator.

-JZ

On Dec 16, 2015, at 2:29 PM, Dave Ariens <dariens@blackberry.com> wrote:

My Java application needs to talk to two ZK clusters.

Cluster one is configured with `authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider SASLAuthenticationProvider` and cluster two is not.

At first glance it would appear that this isn't possible as all curator frameworks instantiated in my JVM are attempting to perform SASL authentication when the JVM is launched with the JAAS configuration containing 'Client' configuration.

Any chance I'm missing something or is this a known restriction?



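The set/clear approach suggested in this thread, sketched as an added example (not code from the thread, Curator or ZooKeeper): a JVM-wide lock serializes client creation so two threads cannot interleave their changes to the global property. `withJaasConfig` and `fakeClient` are hypothetical names; `fakeClient` stands in for building the CuratorFramework, and the lock does not cover any later read of the property, such as the reconnect case raised above.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.function.Supplier;

public class JaasScopedCreate {
    // Same key the thread passes with -D; the thread reports ZooKeeper reading it as Environment.JAAS_CONF_KEY.
    static final String JAAS_KEY = "java.security.auth.login.config";
    // The property is process-global, so every creation must go through this one lock.
    private static final Object LOCK = new Object();

    /** Runs factory with the property set to jaasPath (null means cleared), then restores the old value. */
    static <T> T withJaasConfig(String jaasPath, Supplier<T> factory) {
        synchronized (LOCK) {
            String previous = System.getProperty(JAAS_KEY);
            try {
                if (jaasPath == null) System.clearProperty(JAAS_KEY);
                else System.setProperty(JAAS_KEY, jaasPath);
                return factory.get();
            } finally {
                if (previous == null) System.clearProperty(JAAS_KEY);
                else System.setProperty(JAAS_KEY, previous);
            }
        }
    }

    // Hypothetical stand-in for client construction: records the property value seen at creation time.
    // In an application, the supplier would build and start the CuratorFramework here instead.
    static String fakeClient(String name) {
        return name + " saw " + System.getProperty(JAAS_KEY);
    }

    public static void main(String[] args) throws Exception {
        System.setProperty(JAAS_KEY, "jaas.conf"); // as if launched with -Djava.security.auth.login.config=jaas.conf
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Callable<String> one = () -> withJaasConfig("jaas.conf", () -> fakeClient("cluster-one"));
        Callable<String> two = () -> withJaasConfig(null, () -> fakeClient("cluster-two"));
        Future<String> sasl = pool.submit(one);   // both tasks are queued before either result is read
        Future<String> plain = pool.submit(two);
        System.out.println(sasl.get());
        System.out.println(plain.get());
        System.out.println("after: " + System.getProperty(JAAS_KEY));
        pool.shutdown();
    }
}
```

The lock only helps if every component that changes or depends on the property goes through the helper; code elsewhere in the JVM that reads the property while it is cleared still sees the wrong value.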