[
https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058445#comment-15058445
]
Steve Loughran commented on ZOOKEEPER-2346:
-------------------------------------------
If the ZK service cannot authenticate the SASL connection, the client (here
Slider) will only see a connection refused message.
Server logs:
{code}
2015-12-15 14:35:08,265 - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
2015-12-15 14:35:08,266 - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@975] - Closing client connection due to SASL authentication failure.
+ a stack trace in nio, which sees the connection closed and is surprised by the unexpected state
{code}
The client sees a connection closure and reacts to it by trying to re-open the
connection, until eventually it gives up:
{code}
2015-12-15 15:07:46,066 [main-SendThread(devix.cotham.uk:2181)] WARN zookeeper.ClientCnxn (run(1102)) - Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
java.net.ConnectException: Connection refused
    at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
    at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:739)
    at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:361)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1081)
2015-12-15 15:07:46,169 [main] ERROR curator.ConnectionState (checkTimeouts(200)) - Connection timed out for connection string (devix.cotham.uk:2181) and timeout (15000) / elapsed (31695)
org.apache.curator.CuratorConnectionLossException: KeeperErrorCode = ConnectionLoss
{code}
This means that what appears to be a connectivity problem is actually an
authentication problem; you need to look at the ZK server logs to identify the
cause.
> SASL Auth failure manifested to client as connection refusal
> ------------------------------------------------------------
>
> Key: ZOOKEEPER-2346
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2346
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.4.6
> Reporter: Steve Loughran
>
> If a client can't authenticate via SASL then (a) the stack trace is lost on
> the server logs, and (b) it is exposed to the client as a connection refusal.
> This results in curator retrying many times before giving up —and with the
> cause being misinterpreted as a server-down problem, rather than a
> client-not-trusted problem.
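A server-side check for the failure mode described in the comment, as an added example that is not part of the original message or the ZooKeeper code base: it scans server log text for the two WARN messages quoted above and pulls out the mechanism-level reason. The function name `sasl_failures`, the result field names and the first sample line are constructed for illustration.

```python
import re

# Server log lines from the comment above (unwrapped), preceded by one
# constructed unrelated line to show that other traffic is ignored.
SAMPLE_SERVER_LOG = """\
2015-12-15 14:35:07,901 - INFO  [main:Example@1] - constructed unrelated line
2015-12-15 14:35:08,265 - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
2015-12-15 14:35:08,266 - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@975] - Closing client connection due to SASL authentication failure.
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<level>\w+)\s+"
    r"\[(?P<src>[^\]]*)\] - (?P<msg>.*)$"
)
AUTH_FAIL = "Client failed to SASL authenticate: "
CLOSED = "Closing client connection due to SASL authentication failure"
MECH = re.compile(r"Mechanism level: (?P<reason>.*?) \((?P<code>\d+)\)\)")


def sasl_failures(log_text):
    """Return one dict per SASL authentication failure in a server log."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace or other continuation line
        msg = m["msg"]
        if msg.startswith(AUTH_FAIL):
            mech = MECH.search(msg)
            events.append({
                "time": m["ts"],
                "exception": msg[len(AUTH_FAIL):].split(":", 1)[0],
                "reason": mech["reason"] if mech else None,
                "mech_code": int(mech["code"]) if mech else None,
                "connection_closed": False,
            })
        elif msg.startswith(CLOSED) and events:
            # The server drops the socket right after the failure; the
            # client only sees the resulting connection error.
            events[-1]["connection_closed"] = True
    return events


if __name__ == "__main__":
    for event in sasl_failures(SAMPLE_SERVER_LOG):
        print(event)
```
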