[
https://issues.apache.org/jira/browse/ZOOKEEPER-4885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898169#comment-17898169
]
Xin Chen edited comment on ZOOKEEPER-4885 at 11/14/24 9:10 AM:
---------------------------------------------------------------
2. Also, {*}there is another real scenario in the production
environment{*}:
Another zk client of Hive is responsible for establishing persistent nodes. Due
to abnormal Kerberos interaction during creation, a non-SASL-authenticated
ZooKeeper client was obtained. It may report an error when creating a SASL znode:
{code:java}
org.apache.zookeeper.KeeperException.NoAuthException
org.apache.zookeeper.KeeperException.InvalidACLException
org.apache.zookeeper.KeeperException.AuthFailedException{code}
Similarly, after the recovery of Kerberos, using this client to continuously
create znodes also results in continuous error messages. So the solution
provided is to *consider actively rebuilding a client in the user code every
time these three exceptions are encountered.*
{code:java}
// user code demo
try {
    createZNode(zooKeeper, c);
} catch (Exception e) {
    e.printStackTrace();
    c++;
    if (e instanceof org.apache.zookeeper.KeeperException.AuthFailedException
            || e instanceof org.apache.zookeeper.KeeperException.NoAuthException
            || e instanceof org.apache.zookeeper.KeeperException.InvalidACLException) {
        System.out.println("Warn: zkclient need construct, state: "
                + zooKeeper.getState() + " zkException: " + e.getClass());
        // Close the client that was created without SASL authentication
        zooKeeper.close();
        Thread.sleep(5000);
        // Proactively rebuild client objects
        zooKeeper = new ZooKeeper("localhost:2181", 120000, new ZkClientKerberos());
    } else {
        throw e; // Other exceptions are thrown directly
    }
}{code}
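An added example (not part of the original comment and not ZooKeeper project code) that extends the demo above: it matches the same three errors by `KeeperException.Code`, bounds the number of rebuilds, and does not reuse a rebuilt session until the client reports `SaslAuthenticated`. The class name `SaslRebuildingClient`, the `ZkOp` interface and the `maxRebuilds` parameter are hypothetical, and the client JVM is assumed to already have a working JAAS/Kerberos configuration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooKeeper;

// Added example (hypothetical class, not ZooKeeper project code).
public class SaslRebuildingClient {
    interface ZkOp<T> { T apply(ZooKeeper zk) throws KeeperException, InterruptedException; }

    private final String connect;       // e.g. "localhost:2181", as in the demo
    private final int sessionTimeoutMs; // e.g. 120000, as in the demo
    private ZooKeeper zk;               // null until a SASL session exists

    SaslRebuildingClient(String connect, int sessionTimeoutMs) {
        this.connect = connect;
        this.sessionTimeoutMs = sessionTimeoutMs;
    }

    // Opens a session; fails unless the client reports SASL authentication.
    private ZooKeeper connectWithSasl() throws Exception {
        CountDownLatch sasl = new CountDownLatch(1);
        ZooKeeper fresh = new ZooKeeper(connect, sessionTimeoutMs, event -> {
            if (event.getState() == KeeperState.SaslAuthenticated) sasl.countDown();
        });
        if (!sasl.await(sessionTimeoutMs, TimeUnit.MILLISECONDS)) {
            fresh.close();
            throw new IllegalStateException("session is not SASL-authenticated");
        }
        return fresh;
    }

    // Runs op; on the three auth-related codes, drops the client and rebuilds it.
    <T> T run(ZkOp<T> op, int maxRebuilds) throws Exception {
        for (int attempt = 0; ; attempt++) {
            try {
                if (zk == null) zk = connectWithSasl();
                return op.apply(zk);
            } catch (KeeperException e) {
                boolean authError = e.code() == KeeperException.Code.NOAUTH
                        || e.code() == KeeperException.Code.AUTHFAILED
                        || e.code() == KeeperException.Code.INVALIDACL;
                if (!authError || attempt >= maxRebuilds) throw e;
                zk.close();
                zk = null;
                Thread.sleep(5000); // same pause as the demo
            }
        }
    }
}
```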
> Can Non-SASL-Clients automatically recover with the recovery of kerberos
> communication?
> ---------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4885
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4885
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.4.14, 3.6.4, 3.9.3
> Reporter: Xin Chen
> Priority: Major
>
> About ZOOKEEPER-2139 & ZOOKEEPER-2323, it just avoids ZooKeeper clients into
> infinite AuthFailedException. Noauth Exception still exists!
> LoginException was thrown through each login, but at this point, a zkclient
> without Kerberos SASL authentication was created. Non SASL Znodes can be
> operated on in the future. However, when Kerberos recovers from network
> disconnections and other anomalies, the previously created zkclient without
> SASL authentication is still being used without rebuilding the login or
> recreating a saslclient. If it is used to operate on ACL Znodes at this time,
> an error will always be reported:
> {code:java}
> KeeperErrorCode = NoAuth for /zookeeper
> or
> KeeperErrorCode = AuthFailed for /zookeeper
> or
> KeeperErrorCode = InvalidACL for /zookeeper{code}
> Isn't this a question that should be considered? And I also met this issue
> in ZK-3.6.4. It seems that this issue has not been considered in the updated
> version.