From: rammohan ganapavarapu
Date: Fri, 28 Sep 2018 09:55:03 -0700
Subject: Re: Observer properties for SASL authentication in 3.4.13 version
To: rakeshr@apache.org
Cc: user@zookeeper.apache.org

Any thoughts on what could be the reason for observers not being able to
connect to followers/leader?

Ram

On Thu, Sep 27, 2018 at 1:00 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:

> In case you have not received my previous log files.
>
> On Tue, Sep 25, 2018 at 8:25 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
>> Rakesh,
>>
>> Thank you, I have 3 followers and 3 observers in two different DCs;
>> followers came up fine with SASL, but for some reason observers are not
>> coming up, with the following error, but I don't see any network issues;
>> I was able to telnet to ports 2181 and 3888.
>>
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
>> 2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@555] - Opening channel to server 1
>> 2018-09-24 17:55:34,151 [myid:6] - WARN [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@584] - Cannot open channel to 1 at election address zk-server1/10.16.1.102:3888
>> java.net.SocketTimeoutException: connect timed out
>>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>     at java.net.Socket.connect(Socket.java:589)
>>     at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:558)
>>     at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:610)
>>     at org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:838)
>>     at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:957)
>>
>> server.1=zk-server1:2888:3888
>> server.2=zk-server2:2888:3888
>> server.3=zk-server3:2888:3888
>> server.4=zk-server4:2888:3888:observer
>> server.5=zk-server5:2888:3888:observer
>> server.6=zk-server6:2888:3888:observer
>> peerType=observer
>>
>> What could be the reason?
>>
>> Ram
>>
>> On Tue, Sep 25, 2018 at 12:12 AM Rakesh Radhakrishnan wrote:
>>
>>> Thanks Ram for the interest in this feature.
>>>
>>> Yes, a user can enable SASL for Observer nodes as well. In general,
>>> QuorumLearner will send an authentication packet to the peer QuorumServer.
>>> Observer is a learner which follows the same quorum authentication
>>> protocol, and the auth logic will work fine.
>>>
>>> FYI, hope you are referring to the links below for configurations:
>>>
>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>>>
>>> https://blog.cloudera.com/blog/2017/01/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>>>
>>> Please let us know if you are facing any issues.
>>>
>>> Thanks,
>>> Rakesh
>>>
>>> On Mon, Sep 24, 2018 at 8:31 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Do we need to configure anything on observer nodes for SASL
>>>> authentication?
>>>>
>>>> tcpKeepAlive=true (this is not for SASL, but just asking)
>>>>
>>>> quorum.auth.enableSasl=true
>>>> quorum.auth.learnerRequireSasl=true
>>>> quorum.auth.serverRequireSasl=true
>>>>
>>>> What will happen if I set these properties on observer nodes as well?
>>>>
>>>> Thanks,
>>>> Ram
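
An added example, not part of any message in this thread and not ZooKeeper's own code: a lint for one node's zoo.cfg covering the three quorum.auth flags from the original question and the observer declaration. The function names, the flag-dependency rules as encoded here, and SAMPLE_CFG (constructed from the settings quoted above) are assumptions of the example.

```python
# Added example, not ZooKeeper code: lint one node's zoo.cfg for quorum SASL
# and observer consistency. SAMPLE_CFG is constructed from the thread's settings.
SAMPLE_CFG = """\
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
server.1=zk-server1:2888:3888
server.2=zk-server2:2888:3888
server.3=zk-server3:2888:3888
server.4=zk-server4:2888:3888:observer
server.5=zk-server5:2888:3888:observer
server.6=zk-server6:2888:3888:observer
peerType=observer
"""


def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint_quorum_sasl(text, myid):
    """Return findings for the node whose myid file contains `myid`."""
    props = parse_cfg(text)

    def flag(name):
        return props.get("quorum.auth." + name, "false").lower() == "true"

    enable, learner, server = (flag(n) for n in
                               ("enableSasl", "learnerRequireSasl", "serverRequireSasl"))
    findings = []
    # Assumed rule: the "require" flags only make sense with SASL enabled.
    if (learner or server) and not enable:
        findings.append("require flags set while quorum.auth.enableSasl is off")
    # Assumed rule: a node that demands auth from peers must also send it.
    if server and not learner:
        findings.append("serverRequireSasl needs learnerRequireSasl on this node")
    if enable and not (learner and server):
        findings.append("SASL enabled but not required in both directions")
    own = props.get("server.%d" % myid)
    if own is None:
        findings.append("no server.%d line for this node" % myid)
    elif own.endswith(":observer") != (props.get("peerType") == "observer"):
        findings.append("peerType and the :observer suffix on server.%d disagree" % myid)
    return findings
```

Run it against each node's config with that node's myid; an empty list means the flags and the observer role are consistent for that node.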