lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-5676) SolrCloud updates rejected if talking to secure ZooKeeper
Date Wed, 29 Jan 2014 23:28:09 GMT

     [ https://issues.apache.org/jira/browse/SOLR-5676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Gregory Chanan updated SOLR-5676:
---------------------------------

    Attachment: SOLR-5676.patch

Here's a patch that does the above, warning if the client receives AuthFailed.

> SolrCloud updates rejected if talking to secure ZooKeeper
> ---------------------------------------------------------
>
>                 Key: SOLR-5676
>                 URL: https://issues.apache.org/jira/browse/SOLR-5676
>             Project: Solr
>          Issue Type: Bug
>          Components: SolrCloud
>    Affects Versions: 5.0, 4.7, 4.6.1
>            Reporter: Gregory Chanan
>             Fix For: 5.0
>
>         Attachments: SOLR-5676.patch
>
>
> When using secure zookeeper and a valid jaas configuration, SolrCloud will reject updates
with a 503 error.
> The problem is that in this case ZooKeeper sends states to the watchers like "SaslAuthenticated",
but the ConnectionManager treats any state it doesn't know about as a disconnect.  Then, whenever
a request comes in, SolrCloud will think it can't talk to ZooKeeper and reject the request.
> These are the valid states that watchers can see with the current ZooKeeper version (3.4.5):
> Disconnected
> SyncConnected
> AuthFailed
> ConnectedReadOnly
> SaslAuthenticated
> Expired
> ConnectionManager currently does not handle:
> SaslAuthenticated
> ConnectedReadOnly
> AuthFailed
> From my tests, it seems like the correct thing to do is just ignore these states:
> 1) SaslAuthenticated - nothing has gone wrong here, so no need to disconnected
> 2) ConnectedReadOnly - the client would only see this state if they specifically specified
a read only client, so this is expected
> 3) AuthFailed - this one is a little tricky.  If you try to authentication but fail (say
you have an invalid JAAS conf), you may get AuthFailed, but depending on the ZK settings,
you may still be able to communicate with ZooKeeper (i.e. see this in the log: Will continue
connection to Zookeeper server \
> without SASL authentication, if Zookeeper server allows it.)
> So, it seems correct to ignore these states, possibly warning on AuthFailed, because
that isn't expected in proper operation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message