From: Jordan Zimmerman
To: user@curator.apache.org
Subject: Re: multiple curator frameworks mixed authentication modes
Date: Wed, 16 Dec 2015 15:35:36 -0500

That stuff happens inside of ZooKeeper.java itself right? If so there’s nothing Curator can do about it. Maybe ask on the ZK list?

> On Dec 16, 2015, at 3:00 PM, Dave Ariens wrote:
>
> Sorry, don't follow. Let me try and re-phrase:
>
> If I launch a JVM with -Djava.security.auth.login.config=jaas.conf
>
> and that jaas.conf contains:
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="dariens.keytab"
>   storeKey=true
>   useTicketCache=false
>   serviceName="zookeeper"
>   debug=true
>   principal="dariens@MY.EXAMPLE";
> };
>
> When my application starts I instantiate a CuratorFramework object connection to a ZK cluster that authenticates new connections via SASLAuthenticationProvider and of course this works as expected.
>
> I now need to instantiate another new CuratorFramework object to another ZK cluster that does not perform SASL authentication and any attempt to get/set data results in the errors below.
>
> Is there a configuration that I can apply when instantiating CuratorFrameworks that will not automatically use SaslAuthentication when a JAAS login context is present?
>
> [2015-12-16 19:47:15,427] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2015-12-16 19:47:15,427] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
> [2015-12-16 19:47:15,427] ERROR Authentication failed (org.apache.curator.ConnectionState)
>
> From: Jordan Zimmerman [jordan@jordanzimmerman.com]
> Sent: Wednesday, December 16, 2015 2:39 PM
> To: user@curator.apache.org
> Subject: Re: multiple curator frameworks mixed authentication modes
>
> Check your code. There are no static/global values in Curator.
>
> -JZ
>
>> On Dec 16, 2015, at 2:29 PM, Dave Ariens wrote:
>>
>> My Java application needs to talk to two ZK clusters.
>>
>> Cluster one is configured with `authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider SASLAuthenticationProvider` and cluster two is not.
>>
>> At first glance it would appear that this isn't possible as all curator frameworks instantiated in my JVM are attempting to perform SASL authentication when the JVM is launched with the JAAS configuration containing 'Client' configuration.
>>
>> Any chance I'm missing something or is this a known restriction?
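Added example, not part of the original thread and not code from the Curator or ZooKeeper projects: one way to scope SASL to a single cluster when the JVM carries a JAAS `Client` section. It assumes a ZooKeeper client library that provides `org.apache.zookeeper.client.ZKClientConfig` and the matching `ZooKeeper` constructor; the class name and both connect strings are hypothetical.

```java
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

public class MixedAuthClients {

    // Hypothetical connect strings standing in for the two clusters in the thread.
    static final String SASL_CLUSTER = "zk-secure.example:2181";
    static final String PLAIN_CLUSTER = "zk-plain.example:2181";

    /** Kerberos-protected cluster: default behaviour, picks up the JAAS "Client" section. */
    static CuratorFramework saslClient() {
        return CuratorFrameworkFactory.builder()
                .connectString(SASL_CLUSTER)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .build();
    }

    /** Cluster without SASL: the override lives in this handle's config, not in a system property. */
    static CuratorFramework plainClient() {
        ZKClientConfig noSasl = new ZKClientConfig();
        // Same key as the zookeeper.sasl.client system property, applied per client.
        noSasl.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, "false");
        return CuratorFrameworkFactory.builder()
                .connectString(PLAIN_CLUSTER)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                // Curator calls this factory on every (re)connect, so the setting survives session loss.
                .zookeeperFactory((connect, timeout, watcher, readOnly) ->
                        new ZooKeeper(connect, timeout, watcher, readOnly, noSasl))
                .build();
    }

    public static void main(String[] args) throws Exception {
        try (CuratorFramework secure = saslClient(); CuratorFramework plain = plainClient()) {
            secure.start();
            plain.start();
            secure.blockUntilConnected();
            plain.blockUntilConnected();
            System.out.println("secure children: " + secure.getChildren().forPath("/"));
            System.out.println("plain children:  " + plain.getChildren().forPath("/"));
        }
    }
}
```

Setting `-Dzookeeper.sasl.client=false` on the JVM instead would turn SASL off for both clients, including the one that needs Kerberos.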