[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17108266#comment-17108266
 ] 

Rajkiran Sura commented on ZOOKEEPER-3824:
------------------------------------------

Tagging [~symat] [~shralex] [~hanm] [~eolivelli] if they have any thoughts wrt 
this issue.

 

Thanks,

Rajkiran

> ZooKeeper dynamic reconfig doesn't work with GSSAPI/SASL enabled Quorum 
> authn/z
> -------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3824
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3824
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, leaderElection, quorum, server
>    Affects Versions: 3.5.6
>         Environment: O.S. :- RHEL7
>            Reporter: Rajkiran Sura
>            Priority: Major
>
> With 'DynamicReconfig' feature in v3.5.6, ideally the servers can be added 
> and removed without restarting ZooKeeper service on any of the nodes.
> But, with Kerberos (GSSAPI via SASL) enabled quorum 
> authentication/authorization, this is not possible. Because, when you try to 
> add a new server, it won't be able to connect to any of the members in the 
> ensemble and the data won't be synced. This is because all the members reject 
> it based on authorization. To make this work, we need to do 
> 'reconfig', then restart the leader, the new member and the rest of the members.
> Is this the expected behavior with Quorum-auth + DynamicReconfig? Or am I 
> missing something here.
> This is our basic quorum-auth config:
> {quote}quorum.auth.serverRequireSasl=true
>  quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
>  quorum.auth.enableSasl=true
>  quorum.auth.learner.saslLoginContext=QuorumLearner
>  quorum.auth.learnerRequireSasl=true
>  quorum.cnxn.threads.size=20
>  quorum.auth.server.saslLoginContext=QuorumServer
> {quote}
> FTR: I raised this question in [ZooKeeper-user 
> forum|http://zookeeper-user.578899.n2.nabble.com/ZooKeeper-dynamic-reconfig-issue-when-Quorum-authn-authz-is-enabled-td7584927.html]
>  and both Mate and Enrico suspect this to be a bug.
> Also this is easily reproducible in a Kerberos (GSSAPI via SASL) enabled 
> quorum based ensemble.
>  
> Regards,
> Rajkiran
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
