From: Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
Date: Tue, 17 Dec 2019 16:26:10 +0100
To: user@zookeeper.apache.org
Subject: Re: Zookeeper 3.5 SSL and Kerberos authentication
In-Reply-To: <51ACAD67-4CB5-4CF3-B6E4-0A0B25926AE1@apache.org>
References: <7A3AAC00-4CD8-4197-B64C-6FDCB08DCD4E@gmail.com> <51ACAD67-4CB5-4CF3-B6E4-0A0B25926AE1@apache.org>

I added a comment on Jira. This is something we will also need to fix in my company soon.

@enrico you wrote:
> in my company we set up some ZK with TLS and SASL, using TLS for encryption and SASL for auth. We were using early 3.5.3 or something like that.

According to this, the scenario should work. Maybe we just misconfigured something, or this was something that got broken in a later version? Can you share the config you use? Maybe you are setting `zookeeper.ssl.clientAuth` and `zookeeper.ssl.quorum.clientAuth` to `none` or `want`?

Regards,
Mate

On Tue, Dec 17, 2019 at 10:48 AM Andor Molnar wrote:
> Hi Jorn,
>
> Sorry for coming back late to this. I've just validated the scenario on my test cluster. Looks like the issue is valid: Kerberos auth and SSL are mutually exclusive currently. When Kerberos is set up and trying to connect to the secure port I got an infinite loop on the client side:
>
> 2019-12-17 01:43:30,984 [myid:barbaresco-1.vpc.cloudera.com:2182] - WARN [Thread-39:Login$1@197] - TGT renewal thread has been interrupted and will exit.
> 2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):Login@302] - Client successfully logged in.
> 2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login$1@135] - TGT refresh thread started.
> 2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
> 2019-12-17 01:43:30,988 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@1112] - Opening socket connection to server barbaresco-1.vpc.cloudera.com/10.65.25.98:2182. Will attempt to SASL-authenticate using Login Context section 'Client'
> 2019-12-17 01:43:30,988 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /10.65.25.98:45362, server: barbaresco-1.vpc.cloudera.com/10.65.25.98:2182
> 2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login@320] - TGT valid starting at: Tue Dec 17 01:43:30 PST 2019
> 2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login@321] - TGT expires: Thu Jan 16 01:43:30 PST 2020
> 2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login$1@193] - TGT refresh sleeping until: Fri Jan 10 20:23:33 PST 2020
> 2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@1240] - Unable to read additional data from server sessionid 0x0, likely server has closed socket, closing socket connection and attempting reconnect
>
> And the following error on the server side:
>
> 2019-12-17 01:43:33,002 INFO org.apache.zookeeper.server.NettyServerCnxnFactory: SSL handler added for channel: [id: 0xcf37c14b, L:/10.65.25.98:2182 - R:/10.65.25.98:45380]
> 2019-12-17 01:43:33,003 ERROR org.apache.zookeeper.server.NettyServerCnxnFactory: Unsuccessful handshake with session 0x0
> 2019-12-17 01:43:33,003 WARN org.apache.zookeeper.server.NettyServerCnxnFactory: Exception caught
> io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0000002d00000000000000000000000000007530000000000000000000000010000000000000000000000000000000000000
>         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:475)
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>         at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931)
>         at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792)
>         at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:483)
>         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:383)
>         at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1044)
>         at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>         at java.lang.Thread.run(Thread.java:748)
>
> I will update the Jira too.
>
> Andor
>
>> On 2019. Nov 8., at 20:31, Jörn Franke wrote:
>>
>> Thanks. Can you please share the configuration file?
>>
>> I tried with 3.5.5 - without SSL Kerberos works, but once I configured client ssl it said authentication fail (I have to check if I can dig up the log files) and as far as I remember this was related to x509 authentication. The certificate and truststore themselves are fine (I think I needed to convert the truststore to jks).
>> Sorry it was some time ago, I should have separated the log files.
>> For me it did not matter that the ports are separated, but it worked on the non-ssl port fine.
>>
>>> On 06.11.2019 at 23:08 Enrico Olivelli wrote:
>>>
>>> Jorn,
>>> IIRC in my company we set up some ZK with TLS and SASL, using TLS for encryption and SASL for auth.
>>> We were using early 3.5.3 or something like that.
>>>
>>> Do you have a specific error?
>>>
>>> I can also add that in 3.6.0 we will have port-unification, this way you can configure only one client port and accept plain text and TLS connection from clients (this helps the transition to TLS)
>>>
>>> Enrico
>>>
>>> On Wed 6 Nov 2019, 22:28 Jörn Franke wrote:
>>>
>>>> Dear all,
>>>>
>>>> it seems that ZooKeeper 3.5 with SSL enabled does not support Kerberos authentication, but only X509 authentication. Kerberos is used in many Enterprise environments and is supported by Apache Solr. Is this a bug? Or am I missing something?
>>>>
>>>> I created a Jira for this:
>>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3482
>>>>
>>>> thank you.
>>>>
>>>> best regards
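The payload quoted in Andor's server-side NotSslRecordException can be decoded to show exactly what reached the TLS port. The following is an added example (my own code, not from this thread and not from the ZooKeeper project) that parses those 98 hex digits as a length-prefixed ZooKeeper ConnectRequest in the jute wire format (int protocolVersion, long lastZxidSeen, int timeOut, long sessionId, buffer passwd, boolean readOnly) and contrasts it with a constructed TLS record header. The function names, the dataclass and the TLS sample bytes are mine, not ZooKeeper's or Netty's.

```python
"""Decode the hex payload from a Netty NotSslRecordException as a ZooKeeper frame."""
import struct
from dataclasses import dataclass

# The 98 hex digits quoted in Andor's server log above (mail soft line break removed).
LOG_HEX = (
    "0000002d00000000000000000000000000007530"
    "0000000000000000000000100000000000000000"
    "000000000000000000"
)

# Constructed for comparison (not from the thread): the first bytes of a TLS
# record carrying a ClientHello. Content type 0x16 = handshake, record version
# 0x0303, record length 0x00a5, then handshake type 0x01, its 3-byte length and
# the client_version field.
TLS_HELLO_HEX = "16030300a5010000a10303"


@dataclass
class ConnectRequest:
    protocol_version: int
    last_zxid_seen: int
    timeout_ms: int
    session_id: int
    passwd: bytes
    read_only: bool


def classify(data: bytes) -> str:
    """Say whether the bytes look like a TLS record or a plaintext ZooKeeper frame.

    A TLS record starts with a content type (0x14..0x17) followed by a 0x03 0x0X
    version; a ZooKeeper client frame starts with a 4-byte big-endian length that
    must equal the number of bytes that follow it.
    """
    if len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"
    if len(data) >= 4:
        (frame_len,) = struct.unpack(">i", data[:4])
        if frame_len == len(data) - 4:
            return "zookeeper-frame"
    return "unknown"


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Parse a length-prefixed ZooKeeper ConnectRequest (jute wire format).

    After the 4-byte frame length: int protocolVersion, long lastZxidSeen,
    int timeOut, long sessionId, buffer passwd (int length, -1 for null, then
    the bytes) and a trailing boolean readOnly (added with read-only mode).
    """
    if len(data) < 4:
        raise ValueError("frame too short for a length prefix")
    (frame_len,) = struct.unpack(">i", data[:4])
    body = data[4:4 + frame_len]
    if frame_len < 28 or len(body) != frame_len:
        raise ValueError(f"truncated or undersized frame: declared {frame_len}, have {len(data) - 4}")
    pv, zxid, timeout, sid, pw_len = struct.unpack(">iqiqi", body[:28])
    off = 28
    passwd = b"" if pw_len < 0 else body[off:off + pw_len]
    if pw_len >= 0 and len(passwd) != pw_len:
        raise ValueError("passwd buffer runs past end of frame")
    off += max(pw_len, 0)
    read_only = len(body) > off and body[off] != 0
    return ConnectRequest(pv, zxid, timeout, sid, passwd, read_only)


def describe(hex_payload: str) -> str:
    """One-line verdict for the hex dump found in a NotSslRecordException."""
    data = bytes.fromhex(hex_payload)
    kind = classify(data)
    if kind != "zookeeper-frame":
        return f"{kind}: not a plaintext ZooKeeper frame"
    req = parse_connect_request(data)
    return (f"plaintext ZooKeeper ConnectRequest: timeout={req.timeout_ms}ms "
            f"session=0x{req.session_id:x} passwd={len(req.passwd)}B readOnly={req.read_only}")


if __name__ == "__main__":
    print(describe(LOG_HEX))        # the bytes from the server log above
    print(describe(TLS_HELLO_HEX))  # what the SSL handler on 2182 expected instead
```

Decoded, the logged bytes are an ordinary first frame of a plaintext ZooKeeper session (timeout 30000 ms, session 0x0, a 16-byte all-zero password, readOnly false), so the Netty SSL handler on port 2182 was right to refuse it rather than fall back to cleartext. It also explains why the GSSAPI step the client log announces never appears on the server: SASL in ZooKeeper runs after the ConnectRequest is accepted, and here the connection is closed before that. Running this over the hex in a NotSslRecordException is a quick way to distinguish "the client spoke plaintext to the secure port" from a genuinely failing TLS handshake.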