Hi Indika,

When I debugged further, I found that in the coordination component the
jaas.conf and java.env files are not read when SASL is enabled; therefore
the Zookeeper ServerCnxnFactory skips the creation of the ZooKeeperSaslServer
instance, as the jaas.conf entries are not found. This is currently fixed in
r201478.

We need to add this into 2.2.0 documentation as well. I have created [1]
for that.
@Tania,
Please note.

Thanks!
Ishara

[1] https://wso2.org/jira/browse/DOCUMENTATION-777


On Wed, Apr 30, 2014 at 11:59 AM, Indika Sampath <indi...@wso2.com> wrote:

> Hi Ishara,
>
> Herewith I have attached the jaas.conf and java.env files. You need to add
> these two files to <MB-HOME>/repository/conf/etc/ where the MB instance starts
> as zookeeper profile. After that, change the path of jaas.conf in
> java.env. Also check that the <MB-HOME>/repository/conf/security/jaas.conf file
> exists. If it does not exist, copy the jaas.conf. The issue seems to be that the MB
> server started as zookeeper won't get the SASL configuration properly. Anyway,
> you can debug further and see with these configuration settings.
>
> Cheers!
>
>
>
>
> On Tue, Apr 29, 2014 at 11:46 PM, Ishara Premadasa <ish...@wso2.com> wrote:
>
>> Hi,
>>
>> From WSO2 MB 2.2.0 onwards we will be supporting zookeeper profiles with
>> MB, where a message broker instance can be started as a zookeeper server as
>> well by using carbon profiles. For this we use the embedded zookeeper server
>> that is shipped with the Coordination component. However, as stated in [1],
>> when SASL security is enabled for the zookeeper server, the coordination server
>> (which is the zk server here) doesn't seem to initiate a ZooKeeperSaslServer
>> object, but still starts a non-SASL Zookeeper server only.
>>
>> I enabled the debug logs for the zookeeper server, and once the client tries
>> to connect to the server by providing client login data, the following error
>> logs can be seen at the zk server side and the client side.
>>
>> *server side ( MB with zookeeper profile enabled)*
>> [2014-04-29 22:06:31,316] DEBUG
>> {org.apache.zookeeper.server.ZooKeeperServer} -  Responding to client SASL
>> token.
>> [2014-04-29 22:06:31,316] DEBUG
>> {org.apache.zookeeper.server.ZooKeeperServer} -  Size of client SASL token:
>> 0
>> [2014-04-29 22:06:31,317] ERROR
>> {org.apache.zookeeper.server.ZooKeeperServer} -  cnxn.saslServer is null:
>> cnxn object did not initialize its saslServer properly.
>>
>> *client side ( MB server which connects to zookeeper)*
>> [2014-04-29 22:06:31,313] DEBUG
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
>> ClientCnxn:sendSaslPacket:length=0
>> [2014-04-29 22:06:31,319] ERROR
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -  SASL authentication
>> failed using login context 'Client'.
>>
>> To get this verified, I tested the same scenario by pointing to an
>> external Apache zookeeper server, where the client was able to successfully
>> authenticate with the same credentials, as in the logs below.
>>
>> [2014-04-29 22:12:10,873] DEBUG
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
>> ClientCnxn:sendSaslPacket:length=0
>> [2014-04-29 22:12:10,873] DEBUG
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
>> saslClient.evaluateChallenge(len=101)
>> [2014-04-29 22:12:10,874] DEBUG
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
>> ClientCnxn:sendSaslPacket:length=276
>> [2014-04-29 22:12:10,876] DEBUG
>> {org.apache.zookeeper.client.ZooKeeperSaslClient} -
>> saslClient.evaluateChallenge(len=40)
>> [2014-04-29 22:12:10,877] DEBUG {org.apache.zookeeper.ClientCnxn} -
>> Reading reply sessionid:0x145ae5b1d2e0002, packet:: clientPath:null
>> serverPath:null finished:false header:: 3,3  replyHeader:: 3,5,-101
>> request:: '/queue_workers_parent,F  response::
>>
>> Therefore it seems the coordination server doesn't start the zookeeper instance
>> by verifying whether security is enabled or not. We need to get this fixed for
>> MB 2.2.0 and I am currently working on it. If there is any configuration
>> available for the coordination server to handle this without changing the
>> source, please mention it here.
>>
>> Thanks!
>> Ishara
>>
>> [1] https://wso2.org/jira/browse/MB-601
>>
>> --
>> Ishara Premasada
>> Software Engineer,
>> WSO2 Inc. http://wso2.com/
>>
>>
>> Blog: http://isharapremadasa.blogspot.com/
>> Twitter: https://twitter.com/ishadil
>> Mobile: +94 714445832
>>
>>
>>
>
>
> --
> Indika Sampath
> Software Engineer
> WSO2 Inc.
> http://wso2.com
>
> Phone: +94 716 424 744
> Blog: http://indikasampath.blogspot.com/
>
>


-- 
Ishara Premasada
Software Engineer,
WSO2 Inc. http://wso2.com/


Blog: http://isharapremadasa.blogspot.com/
Twitter: https://twitter.com/ishadil
Mobile: +94 714445832
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
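
An added example, not part of the original thread or of WSO2 or ZooKeeper code: a small log triage that re-joins the hard-wrapped debug lines quoted above and pairs each client-side "SASL authentication failed" with a server-side "cnxn.saslServer is null" error, the signature of a server that started without its SASL server. The function names and the one-second matching window are assumptions, as is the premise that both logs share a clock.

```python
import re
from datetime import datetime, timedelta

# Log excerpts copied from the thread above, still hard-wrapped as mailed.
SERVER_LOG = """\
[2014-04-29 22:06:31,316] DEBUG
{org.apache.zookeeper.server.ZooKeeperServer} -  Size of client SASL token:
0
[2014-04-29 22:06:31,317] ERROR
{org.apache.zookeeper.server.ZooKeeperServer} -  cnxn.saslServer is null:
cnxn object did not initialize its saslServer properly.
"""
CLIENT_LOG = """\
[2014-04-29 22:06:31,313] DEBUG
{org.apache.zookeeper.client.ZooKeeperSaslClient} -
ClientCnxn:sendSaslPacket:length=0
[2014-04-29 22:06:31,319] ERROR
{org.apache.zookeeper.client.ZooKeeperSaslClient} -  SASL authentication
failed using login context 'Client'.
"""

RECORD = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\] (\w+) "
                    r"\{([\w.$]+)\} - (.*)")

def parse(text):
    """Re-join wrapped lines; return (timestamp, level, logger, message) tuples."""
    records = []
    for chunk in re.split(r"\n(?=\[\d{4}-)", text.strip()):
        m = RECORD.match(" ".join(chunk.split()))
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def sasl_findings(server_text, client_text, window=timedelta(seconds=1)):
    """Pair each client SASL failure with a server-side null saslServer error."""
    null_server = [ts for ts, level, _, msg in parse(server_text)
                   if level == "ERROR" and "cnxn.saslServer is null" in msg]
    findings = []
    for ts, level, _, msg in parse(client_text):
        if level == "ERROR" and "SASL authentication failed" in msg:
            matched = any(abs(ts - s) <= window for s in null_server)
            cause = "server has no saslServer" if matched else "unexplained"
            findings.append((ts.isoformat(" ", "milliseconds"), cause))
    return findings

if __name__ == "__main__":
    print(sasl_findings(SERVER_LOG, CLIENT_LOG))
```

A finding marked "server has no saslServer" points at the server's JAAS setup (the jaas.conf and java.env files discussed in the thread) rather than at the client credentials.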
