zookeeper-user mailing list archives

From rammohan ganapavarapu <rammohanga...@gmail.com>
Subject Re: Observer properties for SASL authentication in 3.4.13 version
Date Wed, 26 Sep 2018 03:48:43 GMT
Any help?

On Tue, Sep 25, 2018 at 2:20 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> And the observer never joins the cluster; it keeps saying "Cannot open
> channel to" in the logs.
>
> On Tue, Sep 25, 2018 at 8:25 AM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
>> Rakesh,
>>
>> Thank you. I have 3 followers and 3 observers in two different DCs;
>> the followers came up fine with SASL, but for some reason the observers are
>> not coming up, with the following error, but I don't see any network issues;
>> I was able to telnet to ports 2181 and 3888.
>>
>>
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue
>> size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue
>> size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue
>> size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@555] - Opening
>> channel to server 1
>> 2018-09-24 17:55:34,151 [myid:6] - WARN
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@584] - Cannot
>> open channel to 1 at election address zk-server1/10.16.1.102:3888
>> java.net.SocketTimeoutException: connect timed out
>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>> at
>> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>> at
>> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>> at
>> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> at java.net.Socket.connect(Socket.java:589)
>> at
>> org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:558)
>> at
>> org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:610)
>> at
>> org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:838)
>> at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:957)
>>
>>
>> server.1=zk-server1:2888:3888
>> server.2=zk-server2:2888:3888
>> server.3=zk-server3:2888:3888
>> server.4=zk-server4:2888:3888:observer
>> server.5=zk-server5:2888:3888:observer
>> server.6=zk-server6:2888:3888:observer
>> peerType=observer
>>
>> What could be the reason?
>>
>> Ram
>>
>> On Tue, Sep 25, 2018 at 12:12 AM Rakesh Radhakrishnan <rakeshr@apache.org>
>> wrote:
>>
>>> Thanks, Ram, for the interest in this feature.
>>>
>>> Yes, a user can enable SASL for Observer nodes as well. In general,
>>> QuorumLearner will send an authentication packet to the peer QuorumServer.
>>> An Observer is a learner which follows the same quorum authentication
>>> protocol, and the auth logic will work fine.
>>>
>>> FYI, I hope you are referring to the links below for configuration:
>>>
>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>>>
>>> https://blog.cloudera.com/blog/2017/01/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>>>
>>> Please let us know if you are facing any issues.
>>>
>>> Thanks,
>>> Rakesh
>>>
>>> On Mon, Sep 24, 2018 at 8:31 AM rammohan ganapavarapu <
>>> rammohanganap@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Do we need to configure anything on observer nodes for SASL
>>>> authentication?
>>>>
>>>> tcpKeepAlive=true (this is not for SASL, but just asking)
>>>>
>>>> quorum.auth.enableSasl=true
>>>> quorum.auth.learnerRequireSasl=true
>>>> quorum.auth.serverRequireSasl=true
>>>>
>>>> What will happen if I set these properties on observer nodes as well?
>>>>
>>>> Thanks,
>>>> Ram
>>>>
>>>
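
Added example, not part of the original thread or of ZooKeeper: a small Python triage helper for the "Cannot open channel" warning quoted above. It strips the mail quoting, rejoins the wrapped log record, and reports whether the exception was thrown beneath `java.net.Socket.connect`, that is, before a TCP connection to the election port existed and so before any quorum SASL packet could be sent on it. The function names and the `stage` labels are assumptions of this example.

```python
import re

# Log excerpt from the thread above (shortened), with its mail quoting and wrapping kept.
SAMPLE = """\
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@555] - Opening
>> channel to server 1
>> 2018-09-24 17:55:34,151 [myid:6] - WARN
>> [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@584] - Cannot
>> open channel to 1 at election address zk-server1/10.16.1.102:3888
>> java.net.SocketTimeoutException: connect timed out
>> at java.net.Socket.connect(Socket.java:589)
>> at
>> org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:558)
"""
START = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \[myid:(\d+)\] - (\w+)")
CANNOT_OPEN = re.compile(r"Cannot open channel to (\d+) at election address (\S+?)/([\d.]+):(\d+)")
EXCEPTION = re.compile(r"\b((?:\w+\.)+\w*Exception): (.*?)(?= at |$)")

def records(text):
    """Strip mail quoting, undo wrapping, yield [myid, level, body] per log record."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        m = START.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2), line[m.end():]]
        elif current and line:
            current[2] += " " + line
    if current:
        yield current

def triage(text):
    """One dict per 'Cannot open channel' record, with the stage that failed."""
    out = []
    for myid, level, body in records(text):
        m, exc = CANNOT_OPEN.search(body), EXCEPTION.search(body)
        if not m:
            continue
        # Thrown beneath Socket.connect: TCP never connected, so no quorum SASL packet was sent.
        in_connect = "java.net.Socket.connect" in re.findall(r" at ([\w.$<>]+)\(", body)
        out.append({"myid": int(myid), "peer": int(m.group(1)), "host": m.group(2),
                    "ip": m.group(3), "port": int(m.group(4)), "exception": exc.group(1) if exc else None,
                    "detail": exc.group(2).strip() if exc else None, "stage": "tcp-connect" if in_connect else "after-connect"})
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `tcp-connect` result points the investigation at routing, firewalls and the listener on the election port between the two hosts named in the record, rather than at the `quorum.auth.*` settings.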
