kafka-jira mailing list archives

From "zhu fangbo (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KAFKA-5616) unable perform a rolling upgrade from a non-secure to a secure Kafka cluster
Date Fri, 21 Jul 2017 01:17:00 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhu fangbo updated KAFKA-5616:
------------------------------
    Description: 
I want to upgrade my unsecure Kafka cluster to a secure one which supports the SASL_PLAINTEXT protocol,
but I failed to perform a rolling upgrade. The only way I found to upgrade is to shut down all
brokers first and then restart all brokers with inter-broker security configured.

h3. Before upgrade
Here is the secure configuration of broker 1:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin{quote}
I want to set up a cluster that supports both unsecure and secure client-broker connections, so I added
a new endpoint to listeners with port = 9099.

h3. Start rolling upgrade
First, I restarted broker-1, which is not the controller. Below is the part of server.log that shows
the start completed:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg!

It seemed fine, but no log line was printed to show that the replica manager was started, and broker 1
did not go back into the ISR
!http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|align=left, height=200,width=800!

Besides, the preferred replica leader election also failed
!http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|align=left, height=200,width=800!

h3. After rolling upgrade for all brokers
After upgrading all brokers, it seems each broker cannot connect to the other brokers
!http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg|align=left, height=200,width=800!

I restarted broker 2 last, which is the controller; then broker 3 became the controller, and
it also failed to perform preferred replica leader election
!http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|align=left, height=200,width=800!

h3. Shutdown all and restart 
The cluster works well when I shut down all brokers and restart them all with inter-broker security
configurations like this:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN{quote}

The replica fetch thread was started
!http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|align=left, height=200,width=800!

and the ISR was normal
!http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|align=left, height=200,width=800!






> unable perform a rolling upgrade from a non-secure to a secure Kafka cluster
> ----------------------------------------------------------------------------
>
>                 Key: KAFKA-5616
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5616
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10.1.1
>            Reporter: zhu fangbo



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
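
Added example (not part of the JIRA report or of Kafka itself): a lint for the inter-broker path of one broker's settings, run over the two configuration snippets quoted in the report. It assumes the second snippet was applied on top of the first and relies on Kafka's defaults (PLAINTEXT inter-broker protocol, GSSAPI mechanism, deny when no ACL matches); the function names are hypothetical, and the report itself does not state a root cause.

```python
# Added example, not code from the JIRA report: lint one broker's settings for a
# phase of the PLAINTEXT -> SASL_PLAINTEXT rolling upgrade (snippets from the report).
BEFORE_UPGRADE = """\
listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
"""
# Assumption: the second snippet was added on top of the first.
AFTER_FULL_RESTART = BEFORE_UPGRADE + """\
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
"""

def parse_props(text):
    """Parse properties text into a dict, skipping blank and '#' lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def split_list(value, sep=","):
    return [v.strip() for v in value.split(sep) if v.strip()]

def lint_phase(text):
    """Return findings for the inter-broker path of one broker config."""
    p, findings = parse_props(text), []
    protocols = {e.split("://")[0].upper() for e in split_list(p.get("listeners", ""))}
    # Kafka defaults: PLAINTEXT inter-broker protocol, GSSAPI mechanisms.
    inter = p.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    if inter not in protocols:
        findings.append(f"no {inter} listener for inter-broker traffic")
    if inter.startswith("SASL_"):
        mech = p.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")
        if mech not in split_list(p.get("sasl.enabled.mechanisms", "GSSAPI")):
            findings.append(f"inter-broker mechanism {mech} is not enabled")
    # Peers on a PLAINTEXT listener are User:ANONYMOUS; an authorizer must allow them.
    if (inter == "PLAINTEXT" and p.get("authorizer.class.name")
            and p.get("allow.everyone.if.no.acl.found", "false").lower() != "true"
            and "User:ANONYMOUS" not in split_list(p.get("super.users", ""), ";")):
        findings.append("authorizer enabled but inter-broker peers are User:ANONYMOUS")
    return findings

if __name__ == "__main__":
    print(lint_phase(BEFORE_UPGRADE), lint_phase(AFTER_FULL_RESTART))
```

ACLs that the authorizer stores outside the properties file are not visible to this check.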
