From: rammohan ganapavarapu
Date: Tue, 25 Sep 2018 08:25:36 -0700
Subject: Re: Observer properties for SASL authentication in 3.4.13 version
To: rakeshr@apache.org
Cc: user@zookeeper.apache.org

Rakesh,
Thank you, I have 3 followers and 3 observers in two different DCs. Followers came up fine with SASL, but for some reason observers are not coming up, with the following error. I don't see any network issues; I was able to telnet to the 2181 and 3888 ports.

2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@620] - Queue size: 1
2018-09-24 17:55:34,145 [myid:6] - DEBUG [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@555] - Opening channel to server 1
2018-09-24 17:55:34,151 [myid:6] - WARN [QuorumPeer[myid=6]/0:0:0:0:0:0:0:0:2181:QuorumCnxManager@584] - Cannot open channel to 1 at election address zk-server1/10.16.1.102:3888
java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:558)
        at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:610)
        at org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:838)
        at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:957)

server.1=zk-server1:2888:3888
server.2=zk-server2:2888:3888
server.3=zk-server3:2888:3888
server.4=zk-server4:2888:3888:observer
server.5=zk-server5:2888:3888:observer
server.6=zk-server6:2888:3888:observer
peerType=observer

What could be the reason?
Ram

On Tue, Sep 25, 2018 at 12:12 AM Rakesh Radhakrishnan wrote:

> Thanks Ram for the interest in this feature.
>
> Yes, users can enable SASL for Observer nodes as well. In general, a
> QuorumLearner will send an authentication packet to the peer QuorumServer.
> An Observer is a learner which follows the same quorum authentication protocol,
> and the auth logic will work fine.
>
> FYI, I hope you are referring to the links below for configuration:
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>
> https://blog.cloudera.com/blog/2017/01/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>
> Please let us know if you are facing any issues.
>
> Thanks,
> Rakesh
>
> On Mon, Sep 24, 2018 at 8:31 AM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
>> Hi,
>>
>> Do we need to configure anything on observer nodes for SASL
>> authentication?
>>
>> tcpKeepAlive=true (this is not for SASL, but just asking)
>>
>> quorum.auth.enableSasl=true
>> quorum.auth.learnerRequireSasl=true
>> quorum.auth.serverRequireSasl=true
>>
>> What will happen if I set these properties on observer nodes as well?
>>
>> Thanks,
>> Ram
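As an added example (not code from this thread, from either poster, or from the ZooKeeper project), here is a small Python checker for the situation discussed above. It parses the zoo.cfg fragment Ram posted together with the three quorum.auth.* keys from his original question, confirms that peerType agrees with the node's own server.N role, checks that the SASL flags are set consistently, and lists the election-port endpoints (host:3888 of each voting participant) that an observer opens channels to during leader election, which is the step that fails with the SocketTimeoutException in the log. The consistency rules in check_config, the reading that election channels go to the voting participants, and the tickTime line in the sample are assumptions of this example rather than statements from the thread.

```python
"""Sanity-check a ZooKeeper 3.4 zoo.cfg for observer role and quorum-SASL flags.

Added example for the mailing-list thread; not ZooKeeper project code. The
rules in check_config() are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# server.<id>=<host>:<peer port>:<election port>[:observer|:participant]
SERVER_RE = re.compile(r"^server\.(\d+)=([^:\s]+):(\d+):(\d+)(?::(observer|participant))?$")

# Constructed sample: the six server lines and peerType from Ram's message plus
# the quorum.auth.* keys from his original question (tickTime is assumed).
SAMPLE_CFG = """
tickTime=2000
tcpKeepAlive=true
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
server.1=zk-server1:2888:3888
server.2=zk-server2:2888:3888
server.3=zk-server3:2888:3888
server.4=zk-server4:2888:3888:observer
server.5=zk-server5:2888:3888:observer
server.6=zk-server6:2888:3888:observer
peerType=observer
"""


@dataclass(frozen=True)
class QuorumServer:
    sid: int
    host: str
    peer_port: int
    election_port: int
    role: str  # "participant" (default when no suffix) or "observer"


def parse_zoo_cfg(text: str) -> Tuple[Dict[int, QuorumServer], Dict[str, str]]:
    """Split a zoo.cfg into server.N entries and plain key=value properties."""
    servers: Dict[int, QuorumServer] = {}
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m:
            sid, host, peer_port, election_port, role = m.groups()
            servers[int(sid)] = QuorumServer(
                int(sid), host, int(peer_port), int(election_port), role or "participant")
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return servers, props


def _flag(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def check_config(servers: Dict[int, QuorumServer], props: Dict[str, str], myid: int) -> List[str]:
    """Return findings for the node with the given myid; an empty list means consistent."""
    findings: List[str] = []

    # 1. The local peerType must match this node's own server.N suffix.
    me = servers.get(myid)
    if me is None:
        findings.append(f"myid {myid} has no server.{myid} line in the view")
    else:
        peer_type = props.get("peerType", "participant")
        if peer_type != me.role:
            findings.append(f"peerType={peer_type} but server.{myid} is declared as '{me.role}'")

    # 2. Quorum-SASL flags (assumed rules): the *RequireSasl flags only take
    #    effect once enableSasl is on, and a server that demands SASL from
    #    learners should itself be required to authenticate as a learner.
    enable = _flag(props, "quorum.auth.enableSasl")
    learner_req = _flag(props, "quorum.auth.learnerRequireSasl")
    server_req = _flag(props, "quorum.auth.serverRequireSasl")
    if (learner_req or server_req) and not enable:
        findings.append("quorum.auth.*RequireSasl=true but quorum.auth.enableSasl is not true")
    if server_req and not learner_req:
        findings.append("quorum.auth.serverRequireSasl=true but learnerRequireSasl is not")
    return findings


def election_endpoints(servers: Dict[int, QuorumServer], myid: int) -> List[Tuple[str, int]]:
    """(host, election port) pairs this node opens channels to during leader election.

    Assumed reading: every peer, observers included, connects out to the voting
    participants; the WARN in the thread is this step failing toward server 1.
    """
    return sorted((s.host, s.election_port)
                  for sid, s in servers.items() if sid != myid and s.role == "participant")


if __name__ == "__main__":
    servers, props = parse_zoo_cfg(SAMPLE_CFG)
    for finding in check_config(servers, props, myid=6) or ["no findings"]:
        print(finding)
    print("election endpoints to verify from myid 6:", election_endpoints(servers, 6))
```

Run it on the node's real zoo.cfg and myid; a clean result plus reachable election endpoints narrows the problem to the path between the observer and each participant's 3888 port rather than to the SASL settings.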