From: Rakesh Radhakrishnan
Date: Wed, 26 Sep 2018 10:55:21 +0530
Subject: Re: Observer properties for SASL authentication in 3.4.13 version
To: rammohan ganapavarapu
Cc: user@zookeeper.apache.org

I'm in the IST time zone, and that causes the delay :-)

Have you verified the zk cluster by starting all these servers without "sasl" configured, just to rule out the possibility of any errors with the quorum authentication logic?

Could you give more details:

1) Are you seeing that all Observers (4,5,6) are not able to connect to any of the quorum 1,2,3 servers? It would be good if you could share zk logs.
2) Hope you have checked that the "myid" file is correct in each server - that each server has a distinct server id.
3) Do you have a firewall/security in place, and are there no issues over there? Make sure 2888/3888 are all open.
4) Hope /etc/hosts entries on all the nodes are fine.
5) Have you configured sasl configs in Observer nodes?

Rakesh

On Wed, Sep 26, 2018 at 9:19 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:

> Any help?
>
> On Tue, Sep 25, 2018 at 2:20 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
>> And the observer is never joining the cluster; it keeps saying "Cannot open channel to" in the logs.
>>
>> On Tue, Sep 25, 2018 at 8:25 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>>
>>> Rakesh,
>>>
>>> Thank you. I have 3 followers and 3 observers in two different DCs. The followers came up fine with SASL, but for some reason the observers are not coming up, with the following error. I don't see any network issues; I was able to telnet to the 2181 and 3888 ports.
>>>
>>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@555] - Opening channel to server 1
>>> 2018-09-24 17:55:34,151 [myid:6] - WARN [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@584] - Cannot open channel to 1 at election address zk-server1/10.16.1.102:3888
>>> java.net.SocketTimeoutException: connect timed out
>>>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>>>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>>     at java.net.Socket.connect(Socket.java:589)
>>>     at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:558)
>>>     at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:610)
>>>     at org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:838)
>>>     at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:957)
>>>
>>> server.1=zk-server1:2888:3888
>>> server.2=zk-server2:2888:3888
>>> server.3=zk-server3:2888:3888
>>> server.4=zk-server4:2888:3888:observer
>>> server.5=zk-server5:2888:3888:observer
>>> server.6=zk-server6:2888:3888:observer
>>> peerType=observer
>>>
>>> What could be the reason?
>>>
>>> Ram
>>>
>>> On Tue, Sep 25, 2018 at 12:12 AM Rakesh Radhakrishnan <rakeshr@apache.org> wrote:
>>>
>>>> Thanks Ram for the interest in this feature.
>>>>
>>>> Yes, a user can enable SASL for Observer nodes as well. In general, QuorumLearner will send an authentication packet to the peer QuorumServer. Observer is a learner which follows the same quorum authentication protocol, and the auth logic will work fine.
>>>>
>>>> FYI, hope you are referring to the links below for configuration:
>>>>
>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>>>>
>>>> https://blog.cloudera.com/blog/2017/01/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>>>>
>>>> Please let us know if you are facing any issues.
>>>>
>>>> Thanks,
>>>> Rakesh
>>>>
>>>> On Mon, Sep 24, 2018 at 8:31 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Do we need to configure anything on observer nodes for SASL authentication?
>>>>>
>>>>> tcpKeepAlive=true (this is not for SASL, but just asking)
>>>>>
>>>>> quorum.auth.enableSasl=true
>>>>> quorum.auth.learnerRequireSasl=true
>>>>> quorum.auth.serverRequireSasl=true
>>>>>
>>>>> What will happen if I set these properties on observer nodes as well?
>>>>>
>>>>> Thanks,
>>>>> Ram
>>>>>
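
Added example, not part of the original thread and not ZooKeeper project code: a small offline audit covering items 2 and 5 of the checklist above (the node's myid has a matching server entry, peerType agrees with the :observer suffix, and the three quorum.auth.* flags are consistent with each other and with voters that require SASL). The sample config is constructed from the lines quoted in the thread; the function names and the `voters_require_sasl` parameter are hypothetical.

```python
import re

# Constructed sample: server 6's entries from the thread, plus the
# quorum.auth.* lines from the first message (assumed present on the observer).
SAMPLE_CFG = """\
server.1=zk-server1:2888:3888
server.2=zk-server2:2888:3888
server.3=zk-server3:2888:3888
server.4=zk-server4:2888:3888:observer
server.5=zk-server5:2888:3888:observer
server.6=zk-server6:2888:3888:observer
peerType=observer
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
"""

def parse_cfg(text):
    """Split zoo.cfg text into plain properties and {id: (host, is_observer)}."""
    props, servers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.fullmatch(r"server\.(\d+)", key)
        if m:
            fields = value.split(":")
            servers[int(m.group(1))] = (fields[0], fields[-1] == "observer")
        else:
            props[key] = value
    return props, servers

def audit(text, myid, voters_require_sasl=True):
    """Return findings for one node; voters_require_sasl describes the voting servers."""
    props, servers = parse_cfg(text)
    on = lambda name: props.get("quorum.auth." + name, "false").lower() == "true"
    findings = []
    if myid not in servers:
        findings.append(f"myid {myid} has no server.{myid} entry")
    elif servers[myid][1] != (props.get("peerType", "participant") == "observer"):
        findings.append("peerType does not match the server entry's :observer suffix")
    if on("serverRequireSasl") and not on("learnerRequireSasl"):
        findings.append("serverRequireSasl=true needs learnerRequireSasl=true")
    if on("learnerRequireSasl") and not on("enableSasl"):
        findings.append("learnerRequireSasl=true needs enableSasl=true")
    if voters_require_sasl and not on("enableSasl"):
        findings.append("voters require SASL but this node has enableSasl off")
    return findings
```

Run `audit()` with each node's own zoo.cfg text and the integer from its myid file; an empty list means these configuration checks pass, and it says nothing about network reachability of ports 2888/3888.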