zookeeper-user mailing list archives

From Robert Kanter <rkan...@cloudera.com>
Subject Re: SASL connection no longer uses hostname in ZooKeeper 3.4.6
Date Tue, 21 Oct 2014 23:26:44 GMT
Thanks Rakesh for pointing out those JIRAs and why this changed.
I'll update Oozie's unit test to use the ip address.

- Robert

On Mon, Oct 20, 2014 at 10:49 PM, Rakesh R <rakeshr@huawei.com> wrote:

> Hi,
>
> >>>>>> With ZooKeeper 3.4.5, "zookeeper/localhost" principal works while
> "zookeeper/127.0.0.1" principal fails.
> >>>>>> With ZooKeeper 3.4.6, "zookeeper/127.0.0.1" principal works while
> "zookeeper/localhost" principal fails.
>
> >>>>>> Any ideas what the problem is?
>
> I could see in 3.4.6, there is a fix ZOOKEEPER-1666 done to avoid reverse
> DNS lookup.
>
> There is an interesting JIRA to make the clustername configurable
> ZOOKEEPER-1467.
> If we can try pushing this jira in, will be able to configure the desired
> one.
>
>
> >>>>> On a related note, is there a reason why ZooKeeper requires setting
> System properties to configure it for SASL/Kerberos?  That greatly
> complicates using it, especially in tests.  Are there any plans on adding a
> way to pass a Configuration or Properties object or file?
>
> Presently the client doesn't take any configuration/properties and all are
> system properties. Similar discussion happened in ZOOKEEPER-1467 issue as
> well. There is no conclusion yet, probably we could wait for the responses
> from others.
>
> Best Regards,
> Rakesh
>
> -----Original Message-----
> From: Robert Kanter [mailto:rkanter@cloudera.com]
> Sent: 21 October 2014 05:37
> To: user@zookeeper.apache.org
> Subject: SASL connection no longer uses hostname in ZooKeeper 3.4.6
>
> Hi,
>
> In Oozie, we're using Curator to connect to ZooKeeper and both had been
> working fine.  We recently upgraded Curator, which brought us from
> ZooKeeper 3.4.5 to 3.4.6; this broke our unit tests that used ZooKeeper
> with Kerberos/SASL.
>
> We use the MiniKDC from Hadoop to have a KDC for the unit test, and set up
> a "zookeeper/localhost" principal.  With ZK 3.4.6, this caused an
> "AuthFailed" error when trying to do anything with the ZooKeeper client.  I
> did some digging and found this set of log messages:
>
> 23334 [pool-1-thread-1] INFO org.apache.zookeeper.ZooKeeper - Initiating
> > client connection, connectString=127.0.0.1:50921 sessionTimeout=60000
> > watcher=org.apache.curator.ConnectionState@655bf451
> > 23335 [pool-1-thread-1-SendThread(127.0.0.1:50921)] INFO
> > org.apache.zookeeper.client.ZooKeeperSaslClient - Client will use
> > GSSAPI as SASL mechanism.
> > 23337 [pool-1-thread-1-SendThread(127.0.0.1:50921)] INFO
> > org.apache.zookeeper.ClientCnxn - Opening socket connection to server
> > 127.0.0.1/127.0.0.1:50921. Will attempt to SASL-authenticate using
> > Login Context section 'Client'
> > 23337 [pool-1-thread-1-SendThread(127.0.0.1:50921)] INFO
> > org.apache.zookeeper.ClientCnxn - Socket connection established to
> > 127.0.0.1/127.0.0.1:50921, initiating session
> > 23337 [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:50921] INFO
> > org.apache.zookeeper.server.NIOServerCnxnFactory - Accepted socket
> > connection from /127.0.0.1:50928
> > 23339 [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:50921] INFO
> > org.apache.zookeeper.server.ZooKeeperServer - Client attempting to
> > establish new session at /127.0.0.1:50928
> > 23339 [SyncThread:0] INFO org.apache.zookeeper.server.ZooKeeperServer
> > - Established session 0x1492ff641fe0001 with negotiated timeout 60000
> > for client /127.0.0.1:50928
> > 23339 [pool-1-thread-1-SendThread(127.0.0.1:50921)] INFO
> > org.apache.zookeeper.ClientCnxn - Session establishment complete on
> > server 127.0.0.1/127.0.0.1:50921, sessionid = 0x1492ff641fe0001,
> > negotiated timeout = 60000
> > 23339 [pool-1-thread-1-EventThread] INFO
> > org.apache.curator.framework.state.ConnectionStateManager - State change:
> > CONNECTED
> > 23345 [NioProcessor-1] WARN
> > org.apache.directory.server.protocol.shared.kerberos.StoreUtils - No
> > server entry found for kerberos principal name
> > zookeeper/127.0.0.1@EXAMPLE.COM
> > 23345 [NioProcessor-1] WARN org.apache.directory.server.KERBEROS_LOG -
> > No server entry found for kerberos principal name
> > zookeeper/127.0.0.1@EXAMPLE.COM
> > 23346 [NioProcessor-1] WARN
> > org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler
> > - Server not found in Kerberos database (7)
> > 23346 [NioProcessor-1] WARN org.apache.directory.server.KERBEROS_LOG -
> > Server not found in Kerberos database (7)
>
>
> As you can see, it connects to "127.0.0.1/127.0.0.1".  When I force maven
> to use ZK 3.4.5 and run the test, I get similar messages here:
>
> 25475 [pool-1-thread-1] INFO org.apache.zookeeper.ZooKeeper - Initiating
> > client connection, connectString=127.0.0.1:50018 sessionTimeout=60000
> > watcher=org.apache.curator.ConnectionState@a9c6fd8
> > 25538 [pool-1-thread-1-SendThread(localhost:50018)] INFO
> > org.apache.zookeeper.client.ZooKeeperSaslClient - Client will use
> > GSSAPI as SASL mechanism.
> > 25556 [pool-1-thread-1-SendThread(localhost:50018)] INFO
> > org.apache.zookeeper.ClientCnxn - Opening socket connection to server
> > localhost/127.0.0.1:50018. Will attempt to SASL-authenticate using
> > Login Context section 'Client'
> > 25557 [pool-1-thread-1-SendThread(localhost:50018)] INFO
> > org.apache.zookeeper.ClientCnxn - Socket connection established to
> > localhost/127.0.0.1:50018, initiating session
> > 25557 [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:50018] INFO
> > org.apache.zookeeper.server.NIOServerCnxnFactory - Accepted socket
> > connection from /127.0.0.1:50023
> > 25575 [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:50018] INFO
> > org.apache.zookeeper.server.ZooKeeperServer - Client attempting to
> > establish new session at /127.0.0.1:50023
> > 25579 [SyncThread:0] INFO
> > org.apache.zookeeper.server.persistence.FileTxnLog - Creating new log
> > file: log.1
> > 25647 [SyncThread:0] INFO org.apache.zookeeper.server.ZooKeeperServer
> > - Established session 0x1492fb3a68b0000 with negotiated timeout 60000
> > for client /127.0.0.1:50023
>
>
> You'll notice that it's connecting to "localhost/127.0.0.1".  I've
> verified that this is indeed the issue by trying it with a
> "zookeeper/127.0.0.1" principal and seeing that it works with ZK 3.4.6.
> I also tried using a "zookeeper/127.0.0.1" principal with ZK 3.4.5, but
> this fails for the same reason but in reverse (i.e. ZooKeeper is trying to
> use "zookeeper/localhost", even though we specified "zookeeper/127.0.0.1").
>
> TLDR;
> With ZooKeeper 3.4.5, "zookeeper/localhost" principal works while
> "zookeeper/127.0.0.1" principal fails.
> With ZooKeeper 3.4.6, "zookeeper/127.0.0.1" principal works while
> "zookeeper/localhost" principal fails.
>
> Any ideas what the problem is?
>
> On a related note, is there a reason why ZooKeeper requires setting System
> properties to configure it for SASL/Kerberos?  That greatly complicates
> using it, especially in tests.  Are there any plans on adding a way to pass
> a Configuration or Properties object or file?
>
>
> thanks
> - Robert
>
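
The principal mismatch diagnosed in this thread can be read mechanically from the two logs. The following is an added example, not part of either message and not ZooKeeper or Oozie code: `triage`, `is_ip_literal` and their parameters are hypothetical names, the log lines are unwrapped excerpts of the ones quoted above, and the `zookeeper` service name and `EXAMPLE.COM` realm defaults are assumptions taken from the principals shown there.

```python
import ipaddress
import re

# Lines from the logs quoted above, unwrapped onto single lines; the selection is abridged.
ZK_346 = """\
23337 [pool-1-thread-1-SendThread(127.0.0.1:50921)] INFO org.apache.zookeeper.ClientCnxn - Opening socket connection to server 127.0.0.1/127.0.0.1:50921. Will attempt to SASL-authenticate using Login Context section 'Client'
23345 [NioProcessor-1] WARN org.apache.directory.server.KERBEROS_LOG - No server entry found for kerberos principal name zookeeper/127.0.0.1@EXAMPLE.COM
23346 [NioProcessor-1] WARN org.apache.directory.server.KERBEROS_LOG - Server not found in Kerberos database (7)
"""
ZK_345 = """\
25556 [pool-1-thread-1-SendThread(localhost:50018)] INFO org.apache.zookeeper.ClientCnxn - Opening socket connection to server localhost/127.0.0.1:50018. Will attempt to SASL-authenticate using Login Context section 'Client'
"""

OPEN_RE = re.compile(r"Opening socket connection to server ([^/\s]*)/([^:\s]+):(\d+)")
MISS_RE = re.compile(r"No server entry found for kerberos principal name\s+(\S+)")

def is_ip_literal(host):
    """True when the host part of the address is an IP literal, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text, provisioned, service="zookeeper", realm="EXAMPLE.COM"):
    """Compare the service principals implied by a client log with the KDC's set."""
    report = {"requested": [], "unprovisioned": [], "kdc_rejected": [], "ip_literal": []}
    for line in log_text.splitlines():
        opened = OPEN_RE.search(line)
        if opened:
            # The address is logged as host/ip:port; fall back to the IP when host is empty.
            host = opened.group(1) or opened.group(2)
            spn = f"{service}/{host}@{realm}"
            if spn not in report["requested"]:
                report["requested"].append(spn)
                if spn not in provisioned:
                    report["unprovisioned"].append(spn)
                if is_ip_literal(host):
                    report["ip_literal"].append(spn)
        missed = MISS_RE.search(line)
        if missed and missed.group(1) not in report["kdc_rejected"]:
            report["kdc_rejected"].append(missed.group(1))
    return report

if __name__ == "__main__":
    kdc = {"zookeeper/localhost@EXAMPLE.COM"}  # the principal the unit test had set up
    for version, log in (("3.4.6", ZK_346), ("3.4.5", ZK_345)):
        print(version, triage(log, kdc))
```

An entry that appears in both `unprovisioned` and `kdc_rejected` is the "Server not found in Kerberos database (7)" case from the 3.4.6 log; `ip_literal` marks principals built from an address rather than a hostname.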
