From: Ben Wood
Date: Mon, 20 Nov 2017 11:13:37 -0800
Subject: Re: Zookeeper client reverse lookup issue
To: user@zookeeper.apache.org

Hey Abraham,

We've been using 3.4.11. That's great news the reverse lookup has already
been taken out in 3.5! We found another ticket
https://issues.apache.org/jira/browse/ZOOKEEPER-2858 that suggested there
were some workarounds but hadn't found that one (and hadn't had a chance to
test 3.5).

This raises an interesting question for us, admitted ZK neophytes, is ZK 3.5
"safe" to use in production?

On Fri, Nov 17, 2017 at 3:11 PM, Abraham Fine wrote:

> This change occurred due to
> https://issues.apache.org/jira/browse/ZOOKEEPER-2171
>
> On Fri, Nov 17, 2017, at 15:10, Abraham Fine wrote:
> > Hi Ben-
> >
> > What version of ZooKeeper are you using? In my testing it looks like 3.4
> > does a reverse lookup when creating the server principal
> > (https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1011)
> > but 3.5/master do not
> > (https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1104).
> >
> > Let me know if that helps.
> >
> > Thanks,
> > Abe
> >
> > On Fri, Nov 17, 2017, at 12:01, Ben Wood wrote:
> > > Hey Folks,
> > >
> > > My team and I are working on a containerized Zookeeper service on top of
> > > DC/OS. We're running into an issue with Kerberos in the following
> > > scenario.
> > >
> > > Simplified, we have a zk server with the DNS address zk-server.dcos (e.g.
> > > the dns address of the ZK task) and actual hostname zk-server.aws
> > > (Shortened here, but really a standard resolvable AWS private dns
> > > address)
> > > and a kafka broker, kafka.dcos.
> > >
> > > We can easily setup our Zookeeper and Kafka services to work together,
> > > until we try to enable Kerberos. ZK itself works just fine with Kerberos,
> > > but the Kafka broker is not able to connect to the ZK server:
> > >
> > > 0. kafka.dcos is started with a zk server list of zk-server.dcos.
> > > 1. kafka.dcos starts up, initializing its ZK client.
> > > 2. kafka.dcos then attempts to retrieve a ticket from the KDC in order to
> > > talk to zk-server.aws, however the only zk principal known to the kdc is
> > > zk-server.dcos.
> > >
> > > From reading the source (
> > > https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/client/StaticHostProvider.java#L112)
> > > it appears that the zk client is winding up with the actual hostname of
> > > the
> > > ZK server.
> > >
> > > Being new to the codebase, is this because of a client reverse lookup? Or
> > > because the zk server is telling the client about its hostname? It
> > > appears
> > > to be the former.
> > >
> > > Thanks!
> > > Ben
>

--
Ben Wood
Software Engineer - Data Agility
Mesosphere
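
The principal mismatch discussed in this thread can be checked before enabling Kerberos. The following is an added example, not part of the original messages and not ZooKeeper code: it models a client that builds the server principal from a reverse lookup and compares the result with the principals registered in the KDC. The service name `zookeeper`, the address `10.0.0.5`, and all function names are assumptions made for illustration.

```python
import socket

def forward(host):
    """Forward DNS lookup with the system resolver: name -> IPv4 address."""
    return socket.gethostbyname(host)

def reverse(addr):
    """Reverse DNS lookup with the system resolver: address -> primary name."""
    return socket.gethostbyaddr(addr)[0]

def server_principals(connect_host, service="zookeeper",
                      forward=forward, reverse=reverse):
    """Return (principal as configured, principal after a reverse lookup)."""
    addr = forward(connect_host)
    try:
        canonical = reverse(addr)
    except (OSError, KeyError):
        # No PTR record: fall back to the address text, as Java's
        # InetAddress.getCanonicalHostName() does.
        canonical = addr
    canonical = canonical.rstrip(".").lower()
    return f"{service}/{connect_host}", f"{service}/{canonical}"

def audit(connect_hosts, kdc_principals, **resolvers):
    """Report, per host, whether the reverse-derived principal exists in the KDC."""
    findings = []
    for host in connect_hosts:
        configured, derived = server_principals(host, **resolvers)
        findings.append({
            "host": host,
            "configured": configured,
            "derived": derived,
            "mismatch": configured != derived,
            "ticket_obtainable": derived in kdc_principals,
        })
    return findings

# Constructed sample data mirroring the scenario in the thread.
SAMPLE_A = {"zk-server.dcos": "10.0.0.5"}     # forward records (assumed address)
SAMPLE_PTR = {"10.0.0.5": "zk-server.aws"}    # reverse record -> actual hostname
SAMPLE_KDC = {"zookeeper/zk-server.dcos"}     # only principal known to the KDC

def sample_audit():
    return audit(["zk-server.dcos"], SAMPLE_KDC,
                 forward=SAMPLE_A.__getitem__, reverse=SAMPLE_PTR.__getitem__)

if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

Calling `audit()` without the `forward` and `reverse` arguments uses the system resolver, so it can be run from the client host against the real connect string.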