[ https://issues.apache.org/jira/browse/KUDU-3297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Serbin updated KUDU-3297:
--------------------------------
    Code Review: http://gerrit.cloudera.org:8080/17619

> KRPC connection negotiation fails with RedHat/CentOS
> cyrus-sasl-gssapi-2.1.27-5 for secure clusters
> ---------------------------------------------------------------------------------------------------
>
>                 Key: KUDU-3297
>                 URL: https://issues.apache.org/jira/browse/KUDU-3297
>             Project: Kudu
>          Issue Type: Bug
>          Components: client, master, rpc, tserver
>    Affects Versions: 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.7.1,
> 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.11.1, 1.13.0, 1.14.0, 1.15.0
>            Reporter: Alexey Serbin
>            Assignee: Alexey Serbin
>            Priority: Critical
>
> With the recent RedHat/CentOS 8 update on the {{cyrus-sasl-gssapi}} package,
> Kudu servers and C++ clients can no longer negotiate connections when GSSAPI
> is involved (that's so for secure clusters where Kerberos-based
> authentication is a must). In other words, when the {{cyrus-sasl-gssapi}}
> package is upgraded up to {{2.1.27-5}} version, secure Kudu clusters are no
> longer functional.
> The issue manifests itself by failed RPC connection negotiation with the
> following error logged along with the full connection negotiation trace:
> {noformat}
> Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a
> callback: 32775
> {noformat}
> The breaking change is in the following pull request for cyrus-sasl which has
> been pulled into the {{cyrus-sasl-gssapi-2.1.27-5}} package:
> https://github.com/cyrusimap/cyrus-sasl/pull/603
> This patch is named as
> {{cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch}}
> in the SRPM for the {{cyrus-sasl}} package.
> The workaround is to roll back the {{cyrus-sasl-gssapi}} package back to
> {{2.1.27-1}} (or {{2.1.27-3}}).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)