Date: Fri, 21 Jul 2017 01:19:00 +0000 (UTC)
From: "zhu fangbo (JIRA)"
To: jira@kafka.apache.org
Subject: [jira] [Updated] (KAFKA-5616) unable perform a rolling upgrade from a non-secure to a secure Kafka cluster

[ https://issues.apache.org/jira/browse/KAFKA-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhu fangbo updated KAFKA-5616:
------------------------------
    Description:

I want to upgrade my unsecure Kafka cluster to a secure one which supports the SASL_PLAINTEXT protocol, but I failed to perform a rolling upgrade. The only way I found to upgrade is to shut down all brokers first and then restart all brokers with inter-broker security configured.

h3. Before upgrade
Here is the secure configuration of broker 1:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin{quote}
I want to set up a cluster that supports both unsecure and secure client-broker connections, so I add a new endpoint to listeners with port = 9099.

h3. Start rolling upgrade
First, I restart broker-1, which is not the controller. Below is the part of server.log that shows the start completing:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg|height=200,width=800,hspace=1,vspace=4!
It seemed fine, but there is no log output to show that the ReplicaManager was started, and broker1 did not go back to the ISR:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|align=left, height=200,width=800!
Besides, the preferred replica leader election also failed:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|align=left, height=200,width=800!

h3. After rolling upgrade for all brokers
After upgrading all brokers, it seems each broker cannot connect to the other brokers:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg|align=left, height=200,width=800!
I restarted broker 2, which is the controller, last; then broker 3 became the controller, and it also failed to perform preferred replica leader election:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|align=left, height=200,width=800!

h3. Shutdown all and restart
The cluster works well when I shut down all brokers and restart all of them with inter-broker security configurations like this:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN{quote}
The replica fetch thread was started:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|align=left, height=200,width=800!
and the ISR was normal:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|align=left, height=200,width=800!

> unable perform a rolling upgrade from a non-secure to a secure Kafka cluster
> ----------------------------------------------------------------------------
>
>                 Key: KAFKA-5616
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5616
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10.1.1
>            Reporter: zhu fangbo

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
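
During the rolling restart described in the message above, brokers briefly run with different security settings. The check below is an added example, not code from the report or from Kafka: for one such mixed state it lists the broker pairs whose inter-broker requests would be refused, either because the target has no listener for the source's `security.inter.broker.protocol` or because the target's authorizer sees a principal that is not in `super.users`. The function names, broker 2's address, an empty ACL store and `User:admin` as the brokers' authenticated principal are assumptions; the report itself does not establish which condition, if any, caused the behaviour it describes.

```python
def parse_props(text):
    """Parse key=value lines of a server.properties file; '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_protocols(props):
    """Security protocols the broker accepts, taken from its listeners."""
    listeners = props.get("listeners", "PLAINTEXT://:9092")  # Kafka default
    return {entry.split("://")[0].strip() for entry in listeners.split(",")}

def check_step(brokers, authenticated_principal="User:admin"):
    """Return (source, destination, reason) for broker pairs that cannot exchange
    inter-broker requests. authenticated_principal is an assumption: the user the
    brokers log in as on a non-PLAINTEXT listener. Stored ACLs are assumed empty."""
    parsed = {name: parse_props(text) for name, text in brokers.items()}
    problems = []
    for src, sp in parsed.items():
        proto = sp.get("security.inter.broker.protocol", "PLAINTEXT")
        # Unauthenticated PLAINTEXT connections are seen as User:ANONYMOUS.
        principal = "User:ANONYMOUS" if proto == "PLAINTEXT" else authenticated_principal
        for dst, dp in parsed.items():
            if dst == src:
                continue
            if proto not in listener_protocols(dp):
                problems.append((src, dst, "no %s listener" % proto))
                continue
            supers = [u.strip() for u in dp.get("super.users", "").split(";")]
            open_acl = dp.get("allow.everyone.if.no.acl.found", "false") == "true"
            if dp.get("authorizer.class.name") and principal not in supers and not open_acl:
                problems.append((src, dst, "%s not authorized" % principal))
    return problems

# Constructed inputs: RESTARTED repeats the "Before upgrade" settings from the
# report; UNTOUCHED stands for a broker not yet restarted (address is made up).
RESTARTED = """listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin"""
UNTOUCHED = "listeners=PLAINTEXT://10.45.4.10:9092"

if __name__ == "__main__":
    print(check_step({"broker1": RESTARTED, "broker2": UNTOUCHED}))
```

Running the check on every intermediate state of a planned rollout, not only the final one, shows whether each restart leaves all brokers able to reach each other.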