Re: Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Enrico Olivelli
On Fri, May 17, 2019, 01:18 Gracia, Raul wrote:

> Hi Andor,
>
> You are totally correct, the server works adding this auth provider.
> Thanks a lot!
>
> I did a cursory comparison between ZooKeeper versions 3.5.4-beta and 3.5.5
> and I couldn't find a change that justifies this behavior change.
> In any case, the Pravega build has passed with zookeeper-3.5.5, which is
> great news.
>
> I will execute some more tests and leave my vote to the release candidate,
> if you feel that this could be useful.
>

Raul,
It's great to see that you solved your problem.
It is also interesting that you are testing boring-ssl as we still have not
included it in the release tarball.

Yes, please cast your vote.

Enrico



> Thanks a lot,
> Raúl.
>
> -Original Message-
> From: Andor Molnar 
> Sent: Thursday, May 16, 2019 6:43 PM
> To: DevZooKeeper
> Subject: Re: Question about security configuration (was: Re: [VOTE] Apache
> ZooKeeper release 3.5.5 candidate 6)
>
>
> Hi Raul,
>
> X509AuthenticationProvider is not registered in the embedded ZK. In server
> logs it says:
> "[epollEventLoopGroup-4-1] ERROR
> org.apache.zookeeper.server.NettyServerCnxnFactory - Auth provider not
> found: x509"
>
> It's done by QuorumPeerConfig.java:436 (configureSSLAuth()) when you run
> ZooKeeper in standalone mode, but your code doesn't use this configuration
> class at all.
> If you add this:
>
> System.setProperty("zookeeper.authProvider.x509",
> "org.apache.zookeeper.server.auth.X509AuthenticationProvider");
>
> to your initialize() method, client SSL works:
>
> [nioEventLoopGroup-4-2] INFO
> org.apache.zookeeper.server.NettyServerCnxnFactory - SSL handler added for
> channel: [id: 0x698604a3, L:/127.0.0.1:2281 - R:/127.0.0.1:56750]
> [nioEventLoopGroup-4-2] INFO
> org.apache.zookeeper.server.auth.X509AuthenticationProvider - Authenticated
> Id 'CN=server.pravegastack.io' for Scheme 'x509'
>
> TBH I haven't diffed the code with 3.5.4-beta, so not sure why it worked
> previously and I don't have experience with embedded ZK, but I believe
> QuorumPeerConfig class has to be involved somehow.
>
> Regards,
> Andor
>
>
>
> On Thu, May 16, 2019 at 5:10 PM Gracia, Raul  wrote:
>
> > Thanks Andor for your quick reply. Let me answer your questions:
> >
> > 1) Yes, the problem is related to client/server communication using
> > SSL, not related to Quorum SSL (we use a single Zookeeper process in our
> > tests).
> > I would like your feedback first to conclude if this is a problem in
> > our config/code or a regression/change in the behavior of Zookeeper
> > 3.5.5.
> >
> > 2) Yes, with the external Zookeeper server running separately (e.g.,
> > zkServer.sh start) all the tests are passing (SSL/non-SSL). With the
> > Zookeeper server process we instantiate in our tests, the non-SSL
> > tests are also passing, but not the SSL ones.
> >
> > 3) Correct. Just to give more detail here, we are instantiating the
> > Zookeeper server process using the ZooKeeperServer class jointly with
> > NettyServerCnxnFactory.
> >
> > 4) I have done 2 types of tests: with Zookeeper started as a separate
> > service ("zkServer.sh") and using the Zookeeper server process we
> > instantiate in Pravega standalone tests (namely, "zk-pravega-tests"):
> > - zkServer.sh: Works well with regular Zookeeper client (zkCli.sh) and
> > the Pravega standalone tests pass using it with/without SSL.
> > - zk-pravega-tests: Without SSL, the zkCli.sh can connect to that
> > process and the non-SSL Pravega tests pass. With SSL configured,
> > neither zkCli.sh nor Pravega tests with SSL are capable of connecting to
> > the server (KeeperErrorCode = ConnectionLoss).
> >
> > 5) No, I haven't tested this scenario yet. I have tested a standalone
> > Zookeeper server (zkServer.sh) and a client (zkCli.sh) with SSL
> > enabled in the same machine, and it works well. Apart from that, I
> > have also performed distributed tests with a Zookeeper server
> > (3.5.4-beta) and Pravega (using Curator 4.0.1 + zookeeper-3.5.5) in
> > Kubernetes and it worked fine.
> >
> > 6) Yes, in fact I have done a little more than that and I have created
> > a repository to investigate this issue in isolation:
> > https://github.com/RaulGracia/zookeeper-test
> > Apart from providing logs (see logs folder), in this repo I extracted
> > the piece of code from the Pravega repository that is used to start
> > the Zookeeper standalone process, making it easier to configure the
> > SSL properties via executable. I think that this will make it easier
> > for anyone to reproduce the problem I'm experiencing. Moreover, I have
> > provided instructions in the README file on how to reproduce the issue.
> >
> > Thanks a lot,
> > Raúl.
> >
> >
> > -Original Message-
> > From: Andor Molnar 
> > Sent: Thursday, May 16, 2019 11:18 AM
> > To: DevZooKeeper
> > Subject: Re: Question about security configuration (was: Re: [VOTE]
> > Apache ZooKeeper release 3.5.5 candidate 6)
> >
> >
> > Hi 

[GitHub] [zookeeper] anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve efficiency of DeleteAllCommand

2019-05-16 Thread GitBox
anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve 
efficiency of DeleteAllCommand
URL: https://github.com/apache/zookeeper/pull/899#discussion_r284974888
 
 

 ##
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/ZKUtil.java
 ##
 @@ -45,20 +48,67 @@
  *
  * @throws IllegalArgumentException if an invalid path is specified
  */
-public static void deleteRecursive(ZooKeeper zk, final String pathRoot)
+public static boolean deleteRecursive(ZooKeeper zk, final String pathRoot)
 throws InterruptedException, KeeperException
 {
 PathUtils.validatePath(pathRoot);
 
 List tree = listSubTreeBFS(zk, pathRoot);
 LOG.debug("Deleting " + tree);
 LOG.debug("Deleting " + tree.size() + " subnodes ");
-for (int i = tree.size() - 1; i >= 0 ; --i) {
-//Delete the leaves first and eventually get rid of the root
-zk.delete(tree.get(i), -1); //Delete all versions of the node with 
-1.
+
+int asyncReqRateLimit = 10;
+// Try deleting the tree nodes in batches of size 1000.
+// If some batch failed, try again with batches of size 1 to delete as
+// many nodes as possible.
 
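Review bot: The `+public static boolean deleteRecursive(...)` line changes a `void` method of a public utility class to return `boolean`, but the Javadoc above it still ends at `@throws IllegalArgumentException` and never says what `true` or `false` means. Add an `@return` line that states when the method returns `false` and when it throws `KeeperException` instead, and consider keeping a `void` overload, because callers compiled against the old signature will not link against the new one.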
 Review comment:
   Oh, this is not the cli, but `ZKUtil`, so essentially it's a public api. 
Another reason not to be proactive.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[GitHub] [zookeeper] anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve efficiency of DeleteAllCommand

2019-05-16 Thread GitBox
anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve 
efficiency of DeleteAllCommand
URL: https://github.com/apache/zookeeper/pull/899#discussion_r284974695
 
 

 ##
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/ZKUtil.java
 ##
 @@ -45,20 +48,67 @@
  *
  * @throws IllegalArgumentException if an invalid path is specified
  */
-public static void deleteRecursive(ZooKeeper zk, final String pathRoot)
+public static boolean deleteRecursive(ZooKeeper zk, final String pathRoot)
 throws InterruptedException, KeeperException
 {
 PathUtils.validatePath(pathRoot);
 
 List tree = listSubTreeBFS(zk, pathRoot);
 LOG.debug("Deleting " + tree);
 LOG.debug("Deleting " + tree.size() + " subnodes ");
-for (int i = tree.size() - 1; i >= 0 ; --i) {
-//Delete the leaves first and eventually get rid of the root
-zk.delete(tree.get(i), -1); //Delete all versions of the node with 
-1.
+
+int asyncReqRateLimit = 10;
+// Try deleting the tree nodes in batches of size 1000.
+// If some batch failed, try again with batches of size 1 to delete as
+// many nodes as possible.
 
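Review bot: The added comment promises batches of size 1000 with a fallback to batches of size 1, yet the only value the visible lines define is `int asyncReqRateLimit = 10;`, so neither number is tied to a named constant or a parameter. Make the batch size and the rate limit named constants or method arguments and have the comment refer to them, so the text and the values cannot drift apart. "Delete as many nodes as possible" also means a caller can be left with a partially deleted tree, which the comment should state explicitly.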
 Review comment:
   I agree with @szepet : I don't think we need this retry logic in the cli.
   I would just let the user know that the command failed because of this and 
that and let him decide whether he/she wants to retry with a different batch 
size.




RE: Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Gracia, Raul
Hi Andor,

You are totally correct, the server works adding this auth provider. Thanks a 
lot!

I did a cursory comparison between ZooKeeper versions 3.5.4-beta and 3.5.5 and 
I couldn't find a change that justifies this behavior change. 
In any case, the Pravega build has passed with zookeeper-3.5.5, which is great 
news. 

I will execute some more tests and leave my vote to the release candidate, if 
you feel that this could be useful.

Thanks a lot,
Raúl.

-Original Message-
From: Andor Molnar  
Sent: Thursday, May 16, 2019 6:43 PM
To: DevZooKeeper
Subject: Re: Question about security configuration (was: Re: [VOTE] Apache 
ZooKeeper release 3.5.5 candidate 6)


Hi Raul,

X509AuthenticationProvider is not registered in the embedded ZK. In server logs 
it says:
"[epollEventLoopGroup-4-1] ERROR
org.apache.zookeeper.server.NettyServerCnxnFactory - Auth provider not
found: x509"

It's done by QuorumPeerConfig.java:436 (configureSSLAuth()) when you run 
ZooKeeper in standalone mode, but your code doesn't use this configuration 
class at all.
If you add this:

System.setProperty("zookeeper.authProvider.x509",
"org.apache.zookeeper.server.auth.X509AuthenticationProvider");

to your initialize() method, client SSL works:

[nioEventLoopGroup-4-2] INFO
org.apache.zookeeper.server.NettyServerCnxnFactory - SSL handler added for
channel: [id: 0x698604a3, L:/127.0.0.1:2281 - R:/127.0.0.1:56750] 
[nioEventLoopGroup-4-2] INFO 
org.apache.zookeeper.server.auth.X509AuthenticationProvider - Authenticated Id 
'CN=server.pravegastack.io' for Scheme 'x509'

TBH I haven't diffed the code with 3.5.4-beta, so not sure why it worked 
previously and I don't have experience with embedded ZK, but I believe 
QuorumPeerConfig class has to be involved somehow.

Regards,
Andor



On Thu, May 16, 2019 at 5:10 PM Gracia, Raul  wrote:

> Thanks Andor for your quick reply. Let me answer your questions:
>
> 1) Yes, the problem is related to client/server communication using 
> SSL, not related to Quorum SSL (we use a single Zookeeper process in our 
> tests).
> I would like your feedback first to conclude if this is a problem in 
> our config/code or a regression/change in the behavior of Zookeeper 3.5.5.
>
> 2) Yes, with the external Zookeeper server running separately (e.g., 
> zkServer.sh start) all the tests are passing (SSL/non-SSL). With the 
> Zookeeper server process we instantiate in our tests, the non-SSL 
> tests are also passing, but not the SSL ones.
>
> 3) Correct. Just to give more detail here, we are instantiating the 
> Zookeeper server process using the ZooKeeperServer class jointly with 
> NettyServerCnxnFactory.
>
> 4) I have done 2 types of tests: with Zookeeper started as a separate 
> service ("zkServer.sh") and using the Zookeeper server process we 
> instantiate in Pravega standalone tests (namely, "zk-pravega-tests"):
> - zkServer.sh: Works well with regular Zookeeper client (zkCli.sh) and 
> the Pravega standalone tests pass using it with/without SSL.
> - zk-pravega-tests: Without SSL, the zkCli.sh can connect to that 
> process and the non-SSL Pravega tests pass. With SSL configured, 
> neither zkCli.sh nor Pravega tests with SSL are capable of connecting to 
> the server (KeeperErrorCode = ConnectionLoss).
>
> 5) No, I haven't tested this scenario yet. I have tested a standalone 
> Zookeeper server (zkServer.sh) and a client (zkCli.sh) with SSL 
> enabled in the same machine, and it works well. Apart from that, I 
> have also performed distributed tests with a Zookeeper server 
> (3.5.4-beta) and Pravega (using Curator 4.0.1 + zookeeper-3.5.5) in 
> Kubernetes and it worked fine.
>
> 6) Yes, in fact I have done a little more than that and I have created 
> a repository to investigate this issue in isolation:
> https://github.com/RaulGracia/zookeeper-test
> Apart from providing logs (see logs folder), in this repo I extracted 
> the piece of code from the Pravega repository that is used to start 
> the Zookeeper standalone process, making it easier to configure the 
> SSL properties via executable. I think that this will make it easier 
> for anyone to reproduce the problem I'm experiencing. Moreover, I have 
> provided instructions in the README file on how to reproduce the issue.
>
> Thanks a lot,
> Raúl.
>
>
> -Original Message-
> From: Andor Molnar 
> Sent: Thursday, May 16, 2019 11:18 AM
> To: DevZooKeeper
> Subject: Re: Question about security configuration (was: Re: [VOTE] 
> Apache ZooKeeper release 3.5.5 candidate 6)
>
>
> Hi Raul,
>
> Thanks for the analysis. Let me ask a few questions, because I see 
> some things that need to be clarified first.
>
> 1. This issue is only about server-client SSL scenario (not Quorum 
> TLS), so it's possibly a regression in 3.5. Is that correct?
> 2. When running all Pravega tests against an external ZooKeeper 
> standalone server, all tests passed including SSL/nonSSL. Is that correct?
> 3. SSL tests are failing 

[GitHub] [zookeeper] elireisman commented on issue #923: ZOOKEEPER-1426: add version command to the zookeeper server

2019-05-16 Thread GitBox
elireisman commented on issue #923: ZOOKEEPER-1426: add version command to the 
zookeeper server
URL: https://github.com/apache/zookeeper/pull/923#issuecomment-493230356
 
 
   Yay! Been a while (!!!) but happy to chime in if you need me, thanks for 
rebasing this  




[jira] [Commented] (ZOOKEEPER-3237) Allow IPv6 wildcard address in peer config

2019-05-16 Thread Hudson (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16841667#comment-16841667
 ] 

Hudson commented on ZOOKEEPER-3237:
---

SUCCESS: Integrated in Jenkins build ZooKeeper-trunk #524 (See 
[https://builds.apache.org/job/ZooKeeper-trunk/524/])
ZOOKEEPER-3237: Allow IPv6 wildcard address in peer config (andor: rev 
7ca06c2cbb77695ec33a3d3d2f04e00563ad)
* (edit) 
zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumServerTest.java
* (edit) 
zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/QuorumPeer.java


> Allow IPv6 wildcard address in peer config
> --
>
> Key: ZOOKEEPER-3237
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3237
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.6.0
> Reporter: Brian Nixon
> Assignee: Brian Nixon
> Priority: Trivial
> Labels: pull-request-available
> Fix For: 3.6.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> ZooKeeper allows a special exception for the IPv4 wildcard, 0.0.0.0, along 
> with the loopback addresses. Extend the same treatment to IPv6's wildcard, 
> [::]. Otherwise, reconfig will reject commands with the form [::]:.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[GitHub] [zookeeper] enixon commented on issue #939: ZOOKEEPER-3385: Add admin command to display leader

2019-05-16 Thread GitBox
enixon commented on issue #939: ZOOKEEPER-3385: Add admin command to display 
leader
URL: https://github.com/apache/zookeeper/pull/939#issuecomment-493187070
 
 
   retest this please




[GitHub] [zookeeper] enixon commented on issue #947: ZOOKEEPER-3392: Add admin command to display last snapshot information

2019-05-16 Thread GitBox
enixon commented on issue #947: ZOOKEEPER-3392: Add admin command to display 
last snapshot information
URL: https://github.com/apache/zookeeper/pull/947#issuecomment-493186770
 
 
   retest ant build




[GitHub] [zookeeper] enixon commented on issue #851: ZOOKEEPER-3311: Allow a delay to the transaction log flush

2019-05-16 Thread GitBox
enixon commented on issue #851: ZOOKEEPER-3311: Allow a delay to the 
transaction log flush
URL: https://github.com/apache/zookeeper/pull/851#issuecomment-493186586
 
 
   retest maven build




[GitHub] [zookeeper] eolivelli commented on issue #918: ZOOKEEPER-3366: Pluggable metrics system for ZooKeeper - move remaining metrics to MetricsProvider

2019-05-16 Thread GitBox
eolivelli commented on issue #918: ZOOKEEPER-3366: Pluggable metrics system for 
ZooKeeper - move remaining metrics to MetricsProvider
URL: https://github.com/apache/zookeeper/pull/918#issuecomment-493170070
 
 
   @lvfangmin do you have time to finish your review?
   Thanks




[GitHub] [zookeeper] anmolnar commented on issue #923: ZOOKEEPER-1426: add version command to the zookeeper server

2019-05-16 Thread GitBox
anmolnar commented on issue #923: ZOOKEEPER-1426: add version command to the 
zookeeper server
URL: https://github.com/apache/zookeeper/pull/923#issuecomment-493161575
 
 
   @nkalmar I don't think those error messages are related to this patch.
   That's basically the expected behaviour of this script when no config file 
is available.




Re: Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Andor Molnar
Hi Raul,

X509AuthenticationProvider is not registered in the embedded ZK. In server
logs it says:
"[epollEventLoopGroup-4-1] ERROR
org.apache.zookeeper.server.NettyServerCnxnFactory - Auth provider not
found: x509"

It's done by QuorumPeerConfig.java:436 (configureSSLAuth()) when you run
ZooKeeper in standalone mode, but your code doesn't use this configuration
class at all.
If you add this:

System.setProperty("zookeeper.authProvider.x509",
"org.apache.zookeeper.server.auth.X509AuthenticationProvider");

to your initialize() method, client SSL works:

[nioEventLoopGroup-4-2] INFO
org.apache.zookeeper.server.NettyServerCnxnFactory - SSL handler added for
channel: [id: 0x698604a3, L:/127.0.0.1:2281 - R:/127.0.0.1:56750]
[nioEventLoopGroup-4-2] INFO
org.apache.zookeeper.server.auth.X509AuthenticationProvider - Authenticated
Id 'CN=server.pravegastack.io' for Scheme 'x509'

TBH I haven't diffed the code with 3.5.4-beta, so not sure why it worked
previously and I don't have experience with embedded ZK, but I believe
QuorumPeerConfig class has to be involved somehow.

Regards,
Andor



On Thu, May 16, 2019 at 5:10 PM Gracia, Raul  wrote:

> Thanks Andor for your quick reply. Let me answer your questions:
>
> 1) Yes, the problem is related to client/server communication using SSL,
> not related to Quorum SSL (we use a single Zookeeper process in our tests).
> I would like your feedback first to conclude if this is a problem in our
> config/code or a regression/change in the behavior of Zookeeper 3.5.5.
>
> 2) Yes, with the external Zookeeper server running separately (e.g.,
> zkServer.sh start) all the tests are passing (SSL/non-SSL). With the
> Zookeeper server process we instantiate in our tests, the non-SSL tests are
> also passing, but not the SSL ones.
>
> 3) Correct. Just to give more detail here, we are instantiating the
> Zookeeper server process using the ZooKeeperServer class jointly with
> NettyServerCnxnFactory.
>
> 4) I have done 2 types of tests: with Zookeeper started as a separate
> service ("zkServer.sh") and using the Zookeeper server process we
> instantiate in Pravega standalone tests (namely, "zk-pravega-tests"):
> - zkServer.sh: Works well with regular Zookeeper client (zkCli.sh) and the
> Pravega standalone tests pass using it with/without SSL.
> - zk-pravega-tests: Without SSL, the zkCli.sh can connect to that process
> and the non-SSL Pravega tests pass. With SSL configured, neither zkCli.sh
> nor Pravega tests with SSL are capable of connecting to the server
> (KeeperErrorCode = ConnectionLoss).
>
> 5) No, I haven't tested this scenario yet. I have tested a standalone
> Zookeeper server (zkServer.sh) and a client (zkCli.sh) with SSL enabled in
> the same machine, and it works well. Apart from that, I have also performed
> distributed tests with a Zookeeper server (3.5.4-beta) and Pravega (using
> Curator 4.0.1 + zookeeper-3.5.5) in Kubernetes and it worked fine.
>
> 6) Yes, in fact I have done a little more than that and I have created a
> repository to investigate this issue in isolation:
> https://github.com/RaulGracia/zookeeper-test
> Apart from providing logs (see logs folder), in this repo I extracted the
> piece of code from the Pravega repository that is used to start the
> Zookeeper standalone process, making it easier to configure the SSL
> properties via executable. I think that this will make it easier for anyone
> to reproduce the problem I'm experiencing. Moreover, I have provided
> instructions in the README file on how to reproduce the issue.
>
> Thanks a lot,
> Raúl.
>
>
> -Original Message-
> From: Andor Molnar 
> Sent: Thursday, May 16, 2019 11:18 AM
> To: DevZooKeeper
> Subject: Re: Question about security configuration (was: Re: [VOTE] Apache
> ZooKeeper release 3.5.5 candidate 6)
>
>
> Hi Raul,
>
> Thanks for the analysis. Let me ask a few questions, because I see some
> things that need to be clarified first.
>
> 1. This issue is only about server-client SSL scenario (not Quorum TLS),
> so it's possibly a regression in 3.5. Is that correct?
> 2. When running all Pravega tests against an external ZooKeeper standalone
> server, all tests passed including SSL/nonSSL. Is that correct?
> 3. SSL tests are failing when ZooKeeper is running inside the test process?
> 4. You verified it by running ZooKeeper in standalone mode, SSL-enabled
> and according to the log snippet, your client has connected successfully,
> but later timed out. Is that right?
> 5. Have you verified client-server SSL config with real (3-node) cluster
> with zkCli.sh?
> 6. Would you please provide the server side logs as well, maybe it sheds
> some light why the client timed out?
>
> Thanks,
> Andor
>
>
>
>
> On Thu, May 16, 2019 at 10:25 AM Gracia, Raul 
> wrote:
>
> > Hi all,
> >
> > My name is Raúl Gracia and I work in the Pravega project (open-source
> > project for data stream storage): http://pravega.io/.
> >
> > I'm currently working on a Pravega branch using 
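
Added example (not code from this thread, from ZooKeeper or from Pravega): a JDK-only preflight that an embedded launcher could run before it creates the server. It checks the SSL store settings named in the thread and registers the x509 provider when it is absent, the step Andor attributes to configureSSLAuth() in standalone mode. The class name EmbeddedZkTlsPreflight and the methods prepare and isLoadable are hypothetical, and the sample paths are constructed.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example; class and method names are hypothetical.
public class EmbeddedZkTlsPreflight {

    // Property names and the provider class exactly as quoted in this thread.
    static final String X509_KEY = "zookeeper.authProvider.x509";
    static final String X509_PROVIDER =
            "org.apache.zookeeper.server.auth.X509AuthenticationProvider";
    static final String[] LOCATION_KEYS = {
        "zookeeper.ssl.keyStore.location",
        "zookeeper.ssl.trustStore.location",
    };
    static final String[] PASSWORD_KEYS = {
        "zookeeper.ssl.keyStore.password",
        "zookeeper.ssl.trustStore.password",
    };

    /**
     * Checks the SSL settings and registers the x509 auth provider when absent.
     * Returns the problems to fix before the embedded server is created.
     * A real launcher would pass System.getProperties().
     */
    static List<String> prepare(Properties props) {
        List<String> problems = new ArrayList<>();

        for (String key : LOCATION_KEYS) {
            String path = props.getProperty(key);
            if (path == null || path.trim().isEmpty()) {
                problems.add(key + " is missing or empty");
            } else if (!Files.isReadable(Paths.get(path))) {
                problems.add(key + " is not a readable file: " + path);
            }
        }
        for (String key : PASSWORD_KEYS) {
            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                problems.add(key + " is missing or empty");
            }
        }

        String provider = props.getProperty(X509_KEY);
        if (provider == null) {
            // The step the embedded launcher in this thread skipped. Without it
            // the server logs "Auth provider not found: x509" and SSL clients
            // fail with KeeperErrorCode = ConnectionLoss.
            props.setProperty(X509_KEY, X509_PROVIDER);
            provider = X509_PROVIDER;
        }
        if (!isLoadable(provider)) {
            problems.add(X509_KEY + " names a class that is not on the classpath: "
                    + provider);
        }
        return problems;
    }

    /** True when the class can be found without running its static initializers. */
    static boolean isLoadable(String className) {
        try {
            Class.forName(className, false,
                    EmbeddedZkTlsPreflight.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration. The paths are placeholders, so this
        // run reports them as unreadable; use real store paths and put the
        // ZooKeeper jar on the classpath for a clean result.
        Properties props = new Properties();
        props.setProperty("zookeeper.ssl.keyStore.location", "/tmp/example/server.keystore.jks");
        props.setProperty("zookeeper.ssl.keyStore.password", "changeit");
        props.setProperty("zookeeper.ssl.trustStore.location", "/tmp/example/client.truststore.jks");
        props.setProperty("zookeeper.ssl.trustStore.password", "changeit");

        for (String problem : prepare(props)) {
            System.out.println("PROBLEM: " + problem);
        }
        System.out.println(X509_KEY + " = " + props.getProperty(X509_KEY));
    }
}
```

Failing the launch on a non-empty problem list turns the client-side ConnectionLoss described in the thread into an explicit configuration error at startup.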

[jira] [Commented] (ZOOKEEPER-3237) Allow IPv6 wildcard address in peer config

2019-05-16 Thread Hudson (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16841521#comment-16841521
 ] 

Hudson commented on ZOOKEEPER-3237:
---

SUCCESS: Integrated in Jenkins build Zookeeper-trunk-single-thread #359 (See 
[https://builds.apache.org/job/Zookeeper-trunk-single-thread/359/])
ZOOKEEPER-3237: Allow IPv6 wildcard address in peer config (andor: rev 
7ca06c2cbb77695ec33a3d3d2f04e00563ad)
* (edit) 
zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/QuorumPeer.java
* (edit) 
zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumServerTest.java


> Allow IPv6 wildcard address in peer config
> --
>
> Key: ZOOKEEPER-3237
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3237
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.6.0
> Reporter: Brian Nixon
> Assignee: Brian Nixon
> Priority: Trivial
> Labels: pull-request-available
> Fix For: 3.6.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> ZooKeeper allows a special exception for the IPv4 wildcard, 0.0.0.0, along 
> with the loopback addresses. Extend the same treatment to IPv6's wildcard, 
> [::]. Otherwise, reconfig will reject commands with the form [::]:.





RE: Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Gracia, Raul
Thanks Andor for your quick reply. Let me answer your questions:

1) Yes, the problem is related to client/server communication using SSL, not 
related to Quorum SSL (we use a single Zookeeper process in our tests). I would 
like your feedback first to conclude if this is a problem in our config/code or 
a regression/change in the behavior of Zookeeper 3.5.5. 

2) Yes, with the external Zookeeper server running separately (e.g., 
zkServer.sh start) all the tests are passing (SSL/non-SSL). With the Zookeeper 
server process we instantiate in our tests, the non-SSL tests are also passing, 
but not the SSL ones.

3) Correct. Just to give more detail here, we are instantiating the Zookeeper 
server process using the ZooKeeperServer class jointly with 
NettyServerCnxnFactory.

4) I have done 2 types of tests: with Zookeeper started as a separate service 
("zkServer.sh") and using the Zookeeper server process we instantiate in 
Pravega standalone tests (namely, "zk-pravega-tests"):
- zkServer.sh: Works well with regular Zookeeper client (zkCli.sh) and the 
Pravega standalone tests pass using it with/without SSL.
- zk-pravega-tests: Without SSL, the zkCli.sh can connect to that process and 
the non-SSL Pravega tests pass. With SSL configured, neither zkCli.sh nor 
Pravega tests with SSL are capable of connecting to the server (KeeperErrorCode = 
ConnectionLoss).

5) No, I haven't tested this scenario yet. I have tested a standalone Zookeeper 
server (zkServer.sh) and a client (zkCli.sh) with SSL enabled in the same 
machine, and it works well. Apart from that, I have also performed distributed 
tests with a Zookeeper server (3.5.4-beta) and Pravega (using Curator 4.0.1 + 
zookeeper-3.5.5) in Kubernetes and it worked fine.

6) Yes, in fact I have done a little more than that and I have created a 
repository to investigate this issue in isolation: 
https://github.com/RaulGracia/zookeeper-test
Apart from providing logs (see logs folder), in this repo I extracted the piece 
of code from the Pravega repository that is used to start the Zookeeper 
standalone process, making it easier to configure the SSL properties via 
executable. I think that this will make it easier for anyone to reproduce the 
problem I'm experiencing. Moreover, I have provided instructions in the README 
file on how to reproduce the issue.

Thanks a lot,
Raúl.


-Original Message-
From: Andor Molnar  
Sent: Thursday, May 16, 2019 11:18 AM
To: DevZooKeeper
Subject: Re: Question about security configuration (was: Re: [VOTE] Apache 
ZooKeeper release 3.5.5 candidate 6)


Hi Raul,

Thanks for the analysis. Let me ask a few questions, because I see some things 
that need to be clarified first.

1. This issue is only about server-client SSL scenario (not Quorum TLS), so 
it's possibly a regression in 3.5. Is that correct?
2. When running all Pravega tests against an external ZooKeeper standalone 
server, all tests passed including SSL/nonSSL. Is that correct?
3. SSL tests are failing when ZooKeeper is running inside the test process?
4. You verified it by running ZooKeeper in standalone mode, SSL-enabled and 
according to the log snippet, your client has connected successfully, but later 
timed out. Is that right?
5. Have you verified client-server SSL config with real (3-node) cluster with 
zkCli.sh?
6. Would you please provide the server side logs as well, maybe it sheds some 
light why the client timed out?

Thanks,
Andor




On Thu, May 16, 2019 at 10:25 AM Gracia, Raul  wrote:

> Hi all,
>
> My name is Raúl Gracia and I work in the Pravega project (open-source 
> project for data stream storage): http://pravega.io/.
>
> I'm currently working on a Pravega branch using "zookeeper-3.5.5-rc6", 
> as we are interested in allowing Curator (4.0.1) to use a Zookeeper 
> version with the bugfix proposed in ZOOKEEPER-2184
> <https://issues.apache.org/jira/browse/ZOOKEEPER-2184>. The integration 
> has been pretty smooth and 99% of tests are successful in a Pravega 
> build, and the original issue that motivated the upgrade to 
> zookeeper-3.5.5 seems also solved.
>
> However, there are failures related to a specific type of tests in 
> Pravega in which we instantiate a Zookeeper server process (for 
> testing Pravega in standalone mode). Such failures only occur when 
> running the standalone tests with SSL enabled, which includes 
> configuring the Zookeeper server process with SSL as well.
>
> To constrain the scope of the problem, I have built 
> zookeeper-3.5.5-rc6 ("mvn package") and executed the server (e.g., 
> "./bin/zkServer.sh start") with the appropriate security configuration to 
> enable SSL:
> export SERVER_JVMFLAGS="
> -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.keyStore.location=.../server.keystore.jks
> -Dzookeeper.ssl.keyStore.password=password
> -Dzookeeper.ssl.trustStore.location=.../client.truststore.jks
> -Dzookeeper.ssl.trustStore.password=password"

[jira] [Assigned] (ZOOKEEPER-3237) Allow IPv6 wildcard address in peer config

2019-05-16 Thread Andor Molnar (JIRA)


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andor Molnar reassigned ZOOKEEPER-3237:
---

Assignee: Brian Nixon

> Allow IPv6 wildcard address in peer config
> --
>
> Key: ZOOKEEPER-3237
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3237
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.6.0
> Reporter: Brian Nixon
> Assignee: Brian Nixon
> Priority: Trivial
> Labels: pull-request-available
> Fix For: 3.6.0
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> ZooKeeper allows a special exception for the IPv4 wildcard, 0.0.0.0, along 
> with the loopback addresses. Extend the same treatment to IPv6's wildcard, 
> [::]. Otherwise, reconfig will reject commands with the form [::]:.





[GitHub] [zookeeper] anmolnar commented on issue #761: ZOOKEEPER-3237: Allow IPv6 wildcard address in peer config

2019-05-16 Thread GitBox
anmolnar commented on issue #761: ZOOKEEPER-3237: Allow IPv6 wildcard address 
in peer config
URL: https://github.com/apache/zookeeper/pull/761#issuecomment-493090307
 
 
   Committed to master branch. Thanks @enixon !


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[jira] [Resolved] (ZOOKEEPER-3237) Allow IPv6 wildcard address in peer config

2019-05-16 Thread Andor Molnar (JIRA)


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andor Molnar resolved ZOOKEEPER-3237.
-
   Resolution: Fixed
Fix Version/s: 3.6.0

Issue resolved by pull request 761
[https://github.com/apache/zookeeper/pull/761]

> Allow IPv6 wildcard address in peer config
> --
>
> Key: ZOOKEEPER-3237
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3237
> Project: ZooKeeper
>  Issue Type: Improvement
>  Components: server
>Affects Versions: 3.6.0
>Reporter: Brian Nixon
>Priority: Trivial
>  Labels: pull-request-available
> Fix For: 3.6.0
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> ZooKeeper allows a special exception for the IPv4 wildcard, 0.0.0.0, along 
> with the loopback addresses. Extend the same treatment to IPv6's wildcard, 
> [::]. Otherwise, reconfig will reject commands with the form [::]:.





[GitHub] [zookeeper] asfgit closed pull request #761: ZOOKEEPER-3237: Allow IPv6 wildcard address in peer config

2019-05-16 Thread GitBox
asfgit closed pull request #761: ZOOKEEPER-3237: Allow IPv6 wildcard address in 
peer config
URL: https://github.com/apache/zookeeper/pull/761
 
 
   




[GitHub] [zookeeper] anmolnar commented on issue #915: ZOOKEEPER-3370 Remove SVN specific revision generation

2019-05-16 Thread GitBox
anmolnar commented on issue #915: ZOOKEEPER-3370 Remove SVN specific revision 
generation
URL: https://github.com/apache/zookeeper/pull/915#issuecomment-493085224
 
 
   retest this please




[GitHub] [zookeeper] anmolnar closed pull request #592: ZOOKEEPER-3112: fix fd leak due to UnresolvedAddressException on conn…

2019-05-16 Thread GitBox
anmolnar closed pull request #592: ZOOKEEPER-3112: fix fd leak due to 
UnresolvedAddressException on conn…
URL: https://github.com/apache/zookeeper/pull/592
 
 
   




[GitHub] [zookeeper] anmolnar commented on issue #592: ZOOKEEPER-3112: fix fd leak due to UnresolvedAddressException on conn…

2019-05-16 Thread GitBox
anmolnar commented on issue #592: ZOOKEEPER-3112: fix fd leak due to 
UnresolvedAddressException on conn…
URL: https://github.com/apache/zookeeper/pull/592#issuecomment-493084748
 
 
   Due to @PhantomThief 's comment, I'm closing this PR.




[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493061694
 
 
   @nkalmar 
   Solution #2 seems to be feasible - I've just tried simple prototype in 
different branch: 
https://github.com/JiriOndrusek/zookeeper/commits/zookeeper-osgi-module




Re: ZooKeeper and OSGi (maven)

2019-05-16 Thread Enrico Olivelli
On Thu, 16 May 2019 at 13:25, Norbert Kalmar wrote:

> Hi Jiri,
>
> Thank you for investigating this issue.
>
> Short summary what we already talked about on the PR:
> I don't think we can change the package name on 3.5 branch, even though
> this is not exposed through the client API. But for 3.6, from my point of
> view, sure.
> But that would mean go with solution #1 on 3.6 and go with #2 on 3.5
> branch.
>


I think that a new zookeeper-osgi dependency would be a problem.
We are talking about Curator here and if Curator has a dependency with
zookeeper-osgi, applications that are depending
on both Curator and directly ZooKeeper will have an "interesting" mess to
solve (I have a bunch of them).

We can rename the package names even in 3.5 branch if a client application
does not "link" to those package names directly.

I am thinking about the other problem we had (still not resolved) while
creating a standalone zookeeper-client.
We could not strip out the java client part because of
org.apache.zookeeper.server.quorum.QuorumPeerConfig.ConfigException,
which is used by ZKClientConfig.

We should inspect an existing client compiled against ZK 3.4 and see if it
is fully working with zookeeper-server + zookeeper-jute
with jute packages renamed.
If it fully works we are safe and we can go with #1 even on 3.5 branch.

It would be great to break binary compatibility in 3.6 (and maybe call it
4.0.0) only once and create a standalone java client, compatible with Osgi.

We have a 3rd possibility: we could "shade" the zookeeper-jute jar inside
the "public" zookeeper jar, so that the result is exactly the same as
3.5.4-beta

If option 1 is not working I would go for 3, that is: only one osgi
compatible bundle named exactly the 3.5.4-beta one


Enrico





>
> But for me, #2 is also acceptable for both branches.
>
> Regards,
> Norbert
>
> On Thu, May 16, 2019 at 1:18 PM Jiří Ondrušek 
> wrote:
>
> > Hi,
> >
> > I've created issue [1] with missing exported packages in osgi for
> > zookeeper 3.4.10. Then I started to prepare maven OSGi packaging [2]
> > for the higher version of ZooKeeper (in the PR for issue).
> >
> > I've tried to implement OSGi packaging with the low impact. So I've
> > tried to create OSGi bundles from Zookeeper-server and from
> > zookeeper-jute modules.
> >
> > But there is a *problem* for this solution:
> >
> >
> >- zookeeper-jute has package 'org.apache.zookeeper.data', it has to be
> >exported for zookeeper-server to use it
> >- zookeeper-server contains also package 'org.apache.zookeeper.data',
> >which has to be exported, because it is used from packages like
> >org.apache.zookeeper, which are exported
> >
> > -> *bundles can not be deployed into osgi as two libraries are exporting
> > the same packages*
> >
> >
> > Solution:
> >
> >
> >1. best solution is to change name of one of these packages (probably in
> >module zookeeper-jute - which is used only by zookeeper) - but question is,
> >whether this change is feasible
> >2. only other solution is to create only one bundle (e.g.
> >zookeeper-osgi), which will contain both libraries together and will expose
> >their both packages at the same time (similar approach is used in e.g.
> >hibernate-osgi, httpcore-osgi, httpclient-osgi)
> >
> > Solution *#1* is a better solution, I would like to ask for your
> > opinion about feasibility of renaming zookeeper-jute generated
> > packages to not collide with zookeeper-server.
> > (As these packages are to be used only for zookeeper, it shouldn't
> > cause any harm)
> >
> > If #1 is not acceptable, then we can go with #2. But I highly suggest
> > to consider renaming of zookeeper-jute's packages in the nearest point
> > in the future as possible and return to solution #1.
> >
> > Best regards,
> > Jiri
> >
> >
> > [1] https://issues.apache.org/jira/browse/ZOOKEEPER-3389
> > [2] https://github.com/apache/zookeeper/pull/945
> >
>


[jira] [Updated] (ZOOKEEPER-3263) Illegal reflective access in zookeer's kerberosUtil

2019-05-16 Thread ASF GitHub Bot (JIRA)


 [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated ZOOKEEPER-3263:
--
Labels: pull-request-available  (was: )

> Illegal reflective access in zookeer's kerberosUtil
> ---
>
> Key: ZOOKEEPER-3263
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3263
> Project: ZooKeeper
>  Issue Type: Improvement
>Affects Versions: 3.4.13
>Reporter: Pradeep Bansal
>Assignee: Andor Molnar
>Priority: Major
>  Labels: pull-request-available
>
> I am using kafka 2.11-2.1.0 with Java 11. Kafka is using zookeeper-3.4.13.jar 
> and when I am running kafka-acl script to manage ACLs, I am getting below 
> warning. Is there a way to resolve this?
> {{WARNING: An illegal reflective access operation has occurred WARNING: 
> Illegal reflective access by org.apache.zookeeper.server.util.KerberosUtil 
> (file://apache/kafka/kafka_2.11-2.1.0/libs/zookeeper-3.4.13.jar) to method 
> sun.security.krb5.Config.getInstance() WARNING: Please consider reporting 
> this to the maintainers of org.apache.zookeeper.server.util.KerberosUtil 
> WARNING: Use --illegal-access=warn to enable warnings of further illegal 
> reflective access operations WARNING: All illegal access operations will be 
> denied in a future release}}





[GitHub] [zookeeper] anmolnar opened a new pull request #950: ZOOKEEPER-3263. Illegal reflective access in zookeer's kerberosUtil

2019-05-16 Thread GitBox
anmolnar opened a new pull request #950: ZOOKEEPER-3263. Illegal reflective 
access in zookeer's kerberosUtil
URL: https://github.com/apache/zookeeper/pull/950
 
 
   Fixes warning messages of JDK 9/11 by upgrading libraries and refactoring 
`KerberosUtils` based on experiences of 
[HADOOP-10848](https://issues.apache.org/jira/browse/HADOOP-10848)
   
   Reviewers please run unit tests with various JDK versions including 9 and 
11, because CI only runs on JDK 8. Thanks.
   




Re: ZooKeeper and OSGi (maven)

2019-05-16 Thread Norbert Kalmar
Hi Jiri,

Thank you for investigating this issue.

Short summary what we already talked about on the PR:
I don't think we can change the package name on 3.5 branch, even though
this is not exposed through the client API. But for 3.6, from my point of
view, sure.
But that would mean go with solution #1 on 3.6 and go with #2 on 3.5 branch.

But for me, #2 is also acceptable for both branches.

Regards,
Norbert

On Thu, May 16, 2019 at 1:18 PM Jiří Ondrušek 
wrote:

> Hi,
>
> I've created issue [1] with missing exported packages in osgi for
> zookeeper 3.4.10. Then I started to prepare maven OSGi packaging [2]
> for the higher version of ZooKeeper (in the PR for issue).
>
> I've tried to implement OSGi packaging with the low impact. So I've
> tried to create OSGi bundles from Zookeeper-server and from
> zookeeper-jute modules.
>
> But there is a *problem* for this solution:
>
>
>- zookeeper-jute has package 'org.apache.zookeeper.data', it has to be
>exported for zookeeper-server to use it
>- zookeeper-server contains also package 'org.apache.zookeeper.data',
>which has to be exported, because it is used from packages like
>org.apache.zookeeper, which are exported
>
> -> *bundles can not be deployed into osgi as two libraries are exporting
> the same packages*
>
>
> Solution:
>
>
>1. best solution is to change name of one of these packages (probably in
>module zookeeper-jute - which is used only by zookeeper) - but question is,
>whether this change is feasible
>2. only other solution is to create only one bundle (e.g.
>zookeeper-osgi), which will contain both libraries together and will expose
>their both packages at the same time (similar approach is used in e.g.
>hibernate-osgi, httpcore-osgi, httpclient-osgi)
>
> Solution *#1* is a better solution, I would like to ask for your
> opinion about feasibility of renaming zookeeper-jute generated
> packages to not collide with zookeeper-server.
> (As these packages are to be used only for zookeeper, it shouldn't
> cause any harm)
>
> If #1 is not acceptable, then we can go with #2. But I highly suggest
> to consider renaming of zookeeper-jute's packages in the nearest point
> in the future as possible and return to solution #1.
>
> Best regards,
> Jiri
>
>
> [1] https://issues.apache.org/jira/browse/ZOOKEEPER-3389
> [2] https://github.com/apache/zookeeper/pull/945
>


ZooKeeper and OSGi (maven)

2019-05-16 Thread Jiří Ondrušek
Hi,

I've created issue [1] with missing exported packages in osgi for
zookeeper 3.4.10. Then I started to prepare maven OSGi packaging [2]
for the higher version of ZooKeeper (in the PR for issue).

I've tried to implement OSGi packaging with the low impact. So I've
tried to create OSGi bundles from Zookeeper-server and from
zookeeper-jute modules.

But there is a *problem* for this solution:


   - zookeeper-jute has package 'org.apache.zookeeper.data', it has to be
   exported for zookeeper-server to use it
   - zookeeper-server contains also package 'org.apache.zookeeper.data',
   which has to be exported, because it is used from packages like
   org.apache.zookeeper, which are exported

-> *bundles can not be deployed into osgi as two libraries are exporting
the same packages*


Solution:


   1. best solution is to change name of one of these packages (probably in
   module zookeeper-jute - which is used only by zookeeper) - but question is,
   whether this change is feasible
   2. only other solution is to create only one bundle (e.g.
   zookeeper-osgi), which will contain both libraries together and will expose
   their both packages at the same time (similar approach is used in e.g.
   hibernate-osgi, httpcore-osgi, httpclient-osgi)

Solution *#1* is a better solution, I would like to ask for your
opinion about feasibility of renaming zookeeper-jute generated
packages to not collide with zookeeper-server.
(As these packages are to be used only for zookeeper, it shouldn't
cause any harm)

If #1 is not acceptable, then we can go with #2. But I highly suggest
to consider renaming of zookeeper-jute's packages in the nearest point
in the future as possible and return to solution #1.

Best regards,
Jiri


[1] https://issues.apache.org/jira/browse/ZOOKEEPER-3389
[2] https://github.com/apache/zookeeper/pull/945
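
The conflict described in this message, two bundles exporting `org.apache.zookeeper.data`, can be caught before deployment. The following Python check is an added example, not part of the original post or of the ZooKeeper build: it reads each jar's `Export-Package` header and class entries and reports packages that appear in more than one jar. The manifests and class names in the sample jars are constructed.

```python
import io
import zipfile
from collections import defaultdict

def unfold_manifest(text):
    """Join continuation lines: a manifest line that starts with one space
    continues the previous line (the JAR 72-byte wrapping rule)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def manifest_header(text, name):
    """Value of the first header called `name`, or '' when it is absent."""
    prefix = name.lower() + ":"
    for line in unfold_manifest(text):
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return ""

def split_outside_quotes(value, sep):
    """Split on `sep`, ignoring separators inside double quotes such as
    version="[3.5,4)" or uses:="a,b"."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def exported_packages(manifest_text):
    """Names in Export-Package. A clause has the shape
    pkg1;pkg2;attr=value;directive:=value, so tokens without '=' are names."""
    names = set()
    header = manifest_header(manifest_text, "Export-Package")
    for clause in split_outside_quotes(header, ","):
        for token in split_outside_quotes(clause, ";"):
            if "=" not in token:
                names.add(token)
    return names

def class_packages(jar):
    """Packages that hold .class entries in an open ZipFile."""
    return {n.rsplit("/", 1)[0].replace("/", ".")
            for n in jar.namelist() if n.endswith(".class") and "/" in n}

def find_conflicts(jars):
    """`jars` maps bundle name -> jar bytes. Returns the packages exported by,
    and the packages with classes in, more than one jar."""
    exported, contained = defaultdict(set), defaultdict(set)
    for name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            manifest = ""
            if "META-INF/MANIFEST.MF" in jar.namelist():
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
            for pkg in exported_packages(manifest):
                exported[pkg].add(name)
            for pkg in class_packages(jar):
                contained[pkg].add(name)

    def shared(index):
        return {p: sorted(b) for p, b in index.items() if len(b) > 1}
    return {"exported": shared(exported), "classes": shared(contained)}

def make_jar(manifest, class_entries):
    """Build a jar in memory with empty class entries (enough for this check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for entry in class_entries:
            jar.writestr(entry, b"")
    return buf.getvalue()

def sample_jars():
    """Constructed stand-ins for the two bundles in the thread; manifests and
    class names are made up for the example, not taken from a release."""
    jute = ("Manifest-Version: 1.0\r\n"
            "Bundle-SymbolicName: zookeeper-jute\r\n"
            'Export-Package: org.apache.jute;version="3.5.5",org.apache.zookeeper.da\r\n'
            ' ta;version="3.5.5";uses:="org.apache.jute,org.apache.zookeeper"\r\n')
    server = ("Manifest-Version: 1.0\r\n"
              "Bundle-SymbolicName: zookeeper-server\r\n"
              'Export-Package: org.apache.zookeeper;version="3.5.5",\r\n'
              ' org.apache.zookeeper.data;version="3.5.5"\r\n')
    return {
        "zookeeper-jute": make_jar(jute, ["org/apache/jute/Record.class",
                                          "org/apache/zookeeper/data/Stat.class"]),
        "zookeeper-server": make_jar(server, ["org/apache/zookeeper/ZooKeeper.class",
                                              "org/apache/zookeeper/data/Constructed.class"]),
    }

if __name__ == "__main__":
    for kind, hits in find_conflicts(sample_jars()).items():
        for package, bundles in sorted(hits.items()):
            print(f"{kind}: {package} appears in {', '.join(bundles)}")
```

Run against real jars by passing `{name: open(path, "rb").read()}` for each bundle; an empty result for both keys means no package is shared.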


[GitHub] [zookeeper] JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does 
not export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493025000
 
 
   I've sent email to zookeeper-dev mailing list:
   
   ZooKeeper and OSGi (maven)
   
   Hi,
   
   I've created issue [1] with missing exported packages in osgi for zookeeper 
3.4.10. Then I started to prepare maven OSGi packaging [2] for the higher 
version of ZooKeeper (in the PR for issue).
   
   I've tried to implement OSGi packaging with the low impact. So I've tried to 
create OSGi bundles from Zookeeper-server and from zookeeper-jute modules.
   
   But there is a problem for this solution:
   
   zookeeper-jute has package 'org.apache.zookeeper.data', it has to be 
exported for zookeeper-server to use it
   zookeeper-server contains also package 'org.apache.zookeeper.data', 
which has to be exported, because it is used from packages like 
org.apache.zookeeper, which are exported
   
   -> bundles can not be deployed into osgi as two libraries are exporting the 
same packages
   
   
   Solution:
   
   best solution is to change name of one of these packages (probably in 
module zookeeper-jute - which is used only by zookeeper) - but question is, 
whether this change is feasible
   only other solution is to create only one bundle (e.g. zookeeper-osgi), 
which will contain both libraries together and will expose their both packages 
at the same time (similar approach is used in e.g. hibernate-osgi, 
httpcore-osgi, httpclient-osgi)
   
   Solution #1 is a better solution, I would like to ask for your opinion about 
feasibility of renaming zookeeper-jute generated packages to not collide with 
zookeeper-server. 
   (As these packages are to be used only for zookeeper, it shouldn't cause any 
harm)
   
   If #1 is not acceptable, then we can go with #2. But I highly suggest to 
consider renaming of zookeeper-jute's packages in the nearest point in the 
future as possible and return to solution #1.
   
   Best regards,
   
   jiri
   
   
   [1] https://issues.apache.org/jira/browse/ZOOKEEPER-3389
   [2] https://github.com/apache/zookeeper/pull/945
   




[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493025000
 
 
   I've sent email to zookeeper-dev mailing list:
   
   > ZooKeeper and OSGi (maven)
   
   Hi,
   
   I've created issue [1] with missing exported packages in osgi for zookeeper 
3.4.10. Then I started to prepare maven OSGi packaging [2] for the higher 
version of ZooKeeper (in the PR for issue).
   
   I've tried to implement OSGi packaging with the low impact. So I've tried to 
create OSGi bundles from Zookeeper-server and from zookeeper-jute modules.
   
   But there is a problem for this solution:
   
   zookeeper-jute has package 'org.apache.zookeeper.data', it has to be 
exported for zookeeper-server to use it
   zookeeper-server contains also package 'org.apache.zookeeper.data', 
which has to be exported, because it is used from packages like 
org.apache.zookeeper, which are exported
   
   -> bundles can not be deployed into osgi as two libraries are exporting the 
same packages
   
   
   Solution:
   
   best solution is to change name of one of these packages (probably in 
module zookeeper-jute - which is used only by zookeeper) - but question is, 
whether this change is feasible
   only other solution is to create only one bundle (e.g. zookeeper-osgi), 
which will contain both libraries together and will expose their both packages 
at the same time (similar approach is used in e.g. hibernate-osgi, 
httpcore-osgi, httpclient-osgi)
   
   Solution #1 is a better solution, I would like to ask for your opinion about 
feasibility of renaming zookeeper-jute generated packages to not collide with 
zookeeper-server. 
   (As these packages are to be used only for zookeeper, it shouldn't cause any 
harm)
   
   If #1 is not acceptable, then we can go with #2. But I highly suggest to 
consider renaming of zookeeper-jute's packages in the nearest point in the 
future as possible and return to solution #1.
   
   Best regards,
   
   jiri
   
   
   [1] https://issues.apache.org/jira/browse/ZOOKEEPER-3389
   [2] https://github.com/apache/zookeeper/pull/945
   




[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493017349
 
 
   @nkalmar I've just asked for subscription to dev mailing list, then I'd be 
able to send an email there.




[GitHub] [zookeeper] nkalmar edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
nkalmar edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493015133
 
 
   We would still need to solve it for 3.5 branch. 
   So, for me, creating a zookeeper-osgi seems the way to go, but this should 
be voted on the zookeeper-dev mail list.
   
   Can you write an email to the dev list @JiangJiafu with your findings?
   
   A short summary, and then you can link this PR.




[GitHub] [zookeeper] nkalmar commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
nkalmar commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all 
required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493015133
 
 
   We would still need to solve it for 3.5 branch. 
   So, for me, creating a zookeeper-osgi seems the way to go, but this should 
be voted on the zookeeper-dev mail list.
   
   Can you write an email to the dev list @JiangJiafu with your findings?




[GitHub] [zookeeper] JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does 
not export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493012808
 
 
   @eolivelli @nkalmar 
   I've found problem with current approach (2 bundles, one is server and 
second is jute)
   Problem:
   - zookeeper-jute has package 'org.apache.zookeeper.data', it has to be 
exported for zookeeper-server to use it
   - zookeeper-server contains also package 'org.apache.zookeeper.data', which 
has to be exported, because it is used from packages like org.apache.zookeeper
   -> bundles can not be deployed into karaf as two libraries are exporting the 
same packages
   
   Solution:
   - best solution is to change name of one of these packages (probably in 
zookeeper-jute - which is used only by zookeeper) - but as @eolivelli wrote: 
"Yes changing the package name is feasible but only for 3.6+."
   - only other solution is to create only one bundle (e.g. zookeeper-osgi), 
which will contain both libraries together and will expose their both packages 
at the same time
   (similar approach is used in e.g. hibernate-osgi, httpcore-osgi, 
httpclient-osgi)
   
   But with the fact that in the 3.6+ version renaming is possible so we can 
use solution #1 from 3.6+ as it is a better solution, I would like to ask on 
your opinion about current version.
   Is renaming of jute's packages really unreal. Is creation of zookeeper-osgi 
library the only solution?




[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-493012808
 
 
   @eolivelli @nkalmar 
   I've found problem with current approach (2 bundles, one is server and 
second is jute)
   Problem:
   - zookeeper-jute has package 'org.apache.zookeeper.data', it has to be 
exported for zookeeper-server to use it
   - zookeeper-server contains also package 'org.apache.zookeeper.data', which 
has to be exported, because it is used from packages like org.apache.zookeeper
   -> bundles can not be deployed into karaf as two libraries are exporting the 
same packages
   Solution:
   - best solution is to change name of one of these packages (probably in 
zookeeper-jute - which is used only by zookeeper) - but as @eolivelli wrote: 
"Yes changing the package name is feasible but only for 3.6+."
   - only other solution is to create only one bundle (e.g. zookeeper-osgi), 
which will contain both libraries together and will expose their both packages 
at the same time
   (similar approach is used in e.g. hibernate-osgi, httpcore-osgi, 
httpclient-osgi)
   
   But with the fact that in the 3.6+ version renaming is possible so we can 
use solution #1 from 3.6+ as it is a better solution, I would like to ask on 
your opinion about current version.
   Is renaming of jute's packages really unreal. Is creation of zookeeper-osgi 
library the only solution?




[GitHub] [zookeeper] anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve efficiency of DeleteAllCommand

2019-05-16 Thread GitBox
anmolnar commented on a change in pull request #899: ZOOKEEPER-3354: Improve 
efficiency of DeleteAllCommand
URL: https://github.com/apache/zookeeper/pull/899#discussion_r284615207
 
 

 ##
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/ZKUtil.java
 ##
 @@ -45,20 +48,71 @@
  *
  * @throws IllegalArgumentException if an invalid path is specified
  */
-public static void deleteRecursive(ZooKeeper zk, final String pathRoot)
+public static boolean deleteRecursive(ZooKeeper zk, final String pathRoot)
 throws InterruptedException, KeeperException
 {
 PathUtils.validatePath(pathRoot);
 
 List tree = listSubTreeBFS(zk, pathRoot);
 LOG.debug("Deleting " + tree);
 LOG.debug("Deleting " + tree.size() + " subnodes ");
-for (int i = tree.size() - 1; i >= 0 ; --i) {
-//Delete the leaves first and eventually get rid of the root
-zk.delete(tree.get(i), -1); //Delete all versions of the node with 
-1.
+
+int asyncReqRateLimit = 10;
+// Try deleting the tree nodes in batches of size 1000.
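
Review bot: the signature change at the top of the hunk turns the public static `deleteRecursive` from `void` into `boolean`, but the Javadoc visible in the context lines still carries only the `@throws` tag, so a caller cannot tell what `true` or `false` means; add an `@return` line. The return type is part of the JVM method descriptor, so code compiled against the old `void` signature will not link against the new class without recompiling; keeping the old method and adding the new behaviour under a separate overload avoids that. At the end of the hunk, `int asyncReqRateLimit = 10;` and the `1000` in the comment are bare literals; named constants, with the batch size overridable as the review comment below asks, would make the limits visible and tunable.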
 
 Review comment:
   I like (2)
   Let it be 1000 by default and make overridable with an optional parameter.




Re: Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Andor Molnar
Hi Raul,

Thanks for the analysis. Let me ask a few questions, because I see some
things that need to be clarified first.

1. This issue is only about server-client SSL scenario (not Quorum TLS), so
it's possibly a regression in 3.5. Is that correct?
2. When running all Pravega tests against an external ZooKeeper standalone
server, all tests passed including SSL/nonSSL. Is that correct?
3. SSL tests are failing when ZooKeeper is running inside the test process?
4. You verified it by running ZooKeeper in standalone mode, SSL-enabled and
according to the log snippet, your client has connected successfully, but
later timed out. Is that right?
5. Have you verified client-server SSL config with real (3-node) cluster
with zkCli.sh?
6. Would you please provide the server side logs as well, maybe it sheds
some light why the client timed out?

Thanks,
Andor




On Thu, May 16, 2019 at 10:25 AM Gracia, Raul  wrote:

> Hi all,
>
> My name is Raúl Gracia and I work in the Pravega project (open-source
> project for data stream storage): http://pravega.io/.
>
> I'm currently working on a Pravega branch using "zookeeper-3.5.5-rc6", as
> we are interested in allowing Curator (4.0.1) to use a Zookeeper version
> with the bugfix proposed in ZOOKEEPER-2184<
> https://issues.apache.org/jira/browse/ZOOKEEPER-2184>. The integration
> has been pretty smooth and 99% of tests are successful in a Pravega build,
> and the original issue that motivated the upgrade to zookeeper-3.5.5 seems
> also solved.
>
> However, there are failures related to a specific type of tests in Pravega
> in which we instantiate a Zookeeper server process (for testing Pravega in
> standalone mode). Such failures only occur when running the standalone
> tests with SSL enabled, which includes configuring the Zookeeper server
> process with SSL as well.
>
> To constrain the scope of the problem, I have built zookeeper-3.5.5-rc6
> ("mvn package") and executed the server (e.g., "./bin/zkServer.sh start")
> with the appropriate security configuration to enable SSL:
> export SERVER_JVMFLAGS="
>
> -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.keyStore.location=.../server.keystore.jks
> -Dzookeeper.ssl.keyStore.password=password
> -Dzookeeper.ssl.trustStore.location=.../client.truststore.jks
> -Dzookeeper.ssl.trustStore.password= password"
> (I have also added secureClientPort=2281 in zoo.cfg as indicated in the
> admin instructions)
>
> With the Zookeeper server running separately, I executed all the Pravega
> standalone tests (with and without SSL) pointing that external Zookeeper
> server (and disabling the Zookeeper server process that was created as part
> of the test workflow). Regarding configuration, in our tests the clients
> are configured with the recommended security settings in the administration
> guide:
> System.setProperty("zookeeper.client.secure", "true");
> System.setProperty("zookeeper.clientCnxnSocket",
> "org.apache.zookeeper.ClientCnxnSocketNetty");
> System.setProperty("zookeeper.ssl.trustStore.location",
> ".../client.truststore.jks");
> System.setProperty("zookeeper.ssl.trustStore.password", "password ");
> System.setProperty("zookeeper.ssl.keyStore.location",
> ".../server.keystore.jks");
> System.setProperty("zookeeper.ssl.keyStore.password", "password ");
>
> In this case, all the Pravega standalone tests succeeded.
>
> This leaves us the way we are configuring SSL in the Zookeeper server
> process in Pravega standalone as the most plausible cause for the problem.
> This is intriguing, as the security settings used are the same in both
> scenarios (zkServer.sh / Zookeeper server process started in the test code).
>
> I have also confirmed this by running the Zookeeper server process used in
> standalone with/without SSL and connecting to it via the zkCli. Without SSL
> configured I can connect properly to it, whereas with SSL enabled I get the
> following error in the client:
>
> 2019-05-15 19:59:40,479 [myid:] - INFO  [main:ZooKeeper@868] - Initiating
> client connection, connectString=localhost:2281 sessionTimeout=3
> watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@621be5d1
> 2019-05-15 19:59:40,507 [myid:] - INFO  [main:X509Util@79] - Setting -D
> jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated
> TLS renegotiation
> 2019-05-15 19:59:40,791 [myid:] - INFO  [main:ClientCnxnSocket@237] -
> jute.maxbuffer value is 4194304 Bytes
> 2019-05-15 19:59:40,798 [myid:] - INFO  [main:ClientCnxn@1653] -
> zookeeper.request.timeout value is 0. feature enabled=
> 2019-05-15 19:59:40,817 [myid:localhost:2281] - INFO
> [main-SendThread(localhost:2281):ClientCnxn$SendThread@1112] - Opening
> socket connection to server localhost/127.0.0.1:2281. Will not attempt to
> authenticate using SASL (unknown error)
> Welcome to ZooKeeper!
> JLine support is enabled
> [zk: localhost:2281(CONNECTING) 0] 2019-05-15 

[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-492984271
 
 
   I was able to manually install zookeeper with curator, but I had to change 
the export-packages in zookeeper-server a little bit, which now throws a warning 
during the build about package "org.apache.zookeeper.data".
   
   The warning message looks like:
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.cli,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.client,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.server,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.server.auth,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.server.quorum,  has 1,  private references [org.apache.zookeeper.data]
   zookeeper:bundle:3.6.0-SNAPSHOT : Export org.apache.zookeeper.proto,  has 1,  private references [org.apache.zookeeper.data]
   
   The meaning of this warning is that some classes from zookeeper (zookeeper.cli, 
...), for example, return classes from package "org.apache.zookeeper.data", which 
is not exported from the bundle.
   I have to solve this minor thing.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-492974467
 
 
   @nkalmar I've added OSGi support to zookeeper-jute. I had to change 
packaging to bundle as well, but in a maven environment it still behaves as jar 
packaging.
   @eolivelli I think that it is possible to prepare an integration test. I'll try 
to verify both bundles manually (that they could be deployed). I've talked to 
@grgrzybek and he could possibly help with the integration test.
   
   I think that the current state is that both jars (z-server and z-jute) are also 
osgi bundles. Now I plan to fine-tune dependencies during manual installation.




[GitHub] [zookeeper] nkalmar commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
nkalmar commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all 
required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-492971219
 
 
   What I meant by "private package" is that we do not expose any of this to 
clients. Jute is only used to serialize messages between ZooKeeper nodes; 
the client does not use Jute for serialization. 
   In theory, anyone could use zookeeper-jute for serialization; in reality, no 
one will and no one should. But it was agreed that jute should still be a different 
module. And on a side note, some want to replace jute with a more recent 
and actively developed serialization library like protobuf or avro. 
   But, for now, jute is here to stay, and it might only be replaced in a new 
major version (like 4.0.0).
   
   Anyway, thanks again for looking into this, the merge stuff sounds good!




Question about security configuration (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 6)

2019-05-16 Thread Gracia, Raul
Hi all,

My name is Raúl Gracia and I work in the Pravega project (open-source project 
for data stream storage): http://pravega.io/.

I'm currently working on a Pravega branch using "zookeeper-3.5.5-rc6", as we 
are interested in allowing Curator (4.0.1) to use a Zookeeper version with the 
bugfix proposed in 
ZOOKEEPER-2184. The 
integration has been pretty smooth and 99% of tests are successful in a Pravega 
build, and the original issue that motivated the upgrade to zookeeper-3.5.5 
seems also solved.

However, there are failures related to a specific type of tests in Pravega in 
which we instantiate a Zookeeper server process (for testing Pravega in 
standalone mode). Such failures only occur when running the standalone tests 
with SSL enabled, which includes configuring the Zookeeper server process with 
SSL as well.

To constrain the scope of the problem, I have built zookeeper-3.5.5-rc6 ("mvn 
package") and executed the server (e.g., "./bin/zkServer.sh start") with the 
appropriate security configuration to enable SSL:
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=.../server.keystore.jks
-Dzookeeper.ssl.keyStore.password=password
-Dzookeeper.ssl.trustStore.location=.../client.truststore.jks
-Dzookeeper.ssl.trustStore.password= password"
(I have also added secureClientPort=2281 in zoo.cfg as indicated in the admin 
instructions)

With the Zookeeper server running separately, I executed all the Pravega 
standalone tests (with and without SSL) pointing to that external Zookeeper server 
(and disabling the Zookeeper server process that was created as part of the 
test workflow). Regarding configuration, in our tests the clients are 
configured with the recommended security settings in the administration guide:
System.setProperty("zookeeper.client.secure", "true");
System.setProperty("zookeeper.clientCnxnSocket", 
"org.apache.zookeeper.ClientCnxnSocketNetty");
System.setProperty("zookeeper.ssl.trustStore.location", 
".../client.truststore.jks");
System.setProperty("zookeeper.ssl.trustStore.password", "password ");
System.setProperty("zookeeper.ssl.keyStore.location", 
".../server.keystore.jks");
System.setProperty("zookeeper.ssl.keyStore.password", "password ");

In this case, all the Pravega standalone tests succeeded.

This leaves us the way we are configuring SSL in the Zookeeper server process 
in Pravega standalone as the most plausible cause for the problem. This is 
intriguing, as the security settings used are the same in both scenarios 
(zkServer.sh / Zookeeper server process started in the test code).

I have also confirmed this by running the Zookeeper server process used in 
standalone with/without SSL and connecting to it via the zkCli. Without SSL 
configured I can connect properly to it, whereas with SSL enabled I get the 
following error in the client:

2019-05-15 19:59:40,479 [myid:] - INFO  [main:ZooKeeper@868] - Initiating 
client connection, connectString=localhost:2281 sessionTimeout=3 
watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@621be5d1
2019-05-15 19:59:40,507 [myid:] - INFO  [main:X509Util@79] - Setting -D 
jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS 
renegotiation
2019-05-15 19:59:40,791 [myid:] - INFO  [main:ClientCnxnSocket@237] - 
jute.maxbuffer value is 4194304 Bytes
2019-05-15 19:59:40,798 [myid:] - INFO  [main:ClientCnxn@1653] - 
zookeeper.request.timeout value is 0. feature enabled=
2019-05-15 19:59:40,817 [myid:localhost:2281] - INFO  
[main-SendThread(localhost:2281):ClientCnxn$SendThread@1112] - Opening socket 
connection to server localhost/127.0.0.1:2281. Will not attempt to authenticate 
using SASL (unknown error)
Welcome to ZooKeeper!
JLine support is enabled
[zk: localhost:2281(CONNECTING) 0] 2019-05-15 19:59:41,168 
[myid:localhost:2281] - INFO  
[epollEventLoopGroup-2-1:ClientCnxnSocketNetty$ZKClientPipelineFactory@460] - 
SSL handler added for channel: [id: 0x7bf11dfa]
2019-05-15 19:59:41,176 [myid:localhost:2281] - INFO  
[epollEventLoopGroup-2-1:ClientCnxn$SendThread@959] - Socket connection 
established, initiating session, client: /127.0.0.1:52652, server: 
localhost/127.0.0.1:2281
2019-05-15 19:59:41,178 [myid:localhost:2281] - INFO  
[epollEventLoopGroup-2-1:ClientCnxnSocketNetty$1@188] - channel is connected: 
[id: 0x7bf11dfa, L:/127.0.0.1:52652 - R:localhost/127.0.0.1:2281]
2019-05-15 19:59:41,614 [myid:localhost:2281] - INFO  
[epollEventLoopGroup-2-1:ClientCnxn$SendThread@1394] - Session establishment 
complete on server localhost/127.0.0.1:2281, sessionid = 0x10002239ae1, 
negotiated timeout = 3
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2281(CONNECTED) 0] ls /
2019-05-15 20:00:01,616 [myid:localhost:2281] - WARN  
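
An added example, not part of the original message and not ZooKeeper or Pravega code: a pre-flight check that a process embedding the ZooKeeper server could run before opening the secure client port. It reads the system properties quoted in this thread, registers the x509 auth provider that zkServer.sh obtains through QuorumPeerConfig, and assumes JKS stores; the class name ZkTlsPreflight and its methods are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper: run before starting an embedded server with a secure client port.
public class ZkTlsPreflight {
    static final String X509_PROP = "zookeeper.authProvider.x509";
    static final String X509_CLASS = "org.apache.zookeeper.server.auth.X509AuthenticationProvider";
    static final String NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory";

    // Returns the list of problems found; an empty list means the settings look usable.
    static List<String> check() {
        List<String> problems = new ArrayList<>();
        if (!NETTY.equals(System.getProperty("zookeeper.serverCnxnFactory"))) {
            problems.add("zookeeper.serverCnxnFactory is not " + NETTY);
        }
        // zkServer.sh gets this registration from QuorumPeerConfig; embedded code does not.
        if (System.getProperty(X509_PROP) == null) {
            System.setProperty(X509_PROP, X509_CLASS);
        }
        checkStore("keyStore", true, problems);
        checkStore("trustStore", false, problems);
        return problems;
    }

    static void checkStore(String kind, boolean needsKey, List<String> problems) {
        String location = System.getProperty("zookeeper.ssl." + kind + ".location");
        String password = System.getProperty("zookeeper.ssl." + kind + ".password", "");
        if (location == null) { problems.add(kind + ": location is not set"); return; }
        if (!password.equals(password.trim())) problems.add(kind + ": password has surrounding whitespace");
        try (InputStream in = new FileInputStream(location)) {
            KeyStore ks = KeyStore.getInstance("JKS");   // assumption: JKS files, as in this thread
            ks.load(in, password.toCharArray());         // fails on a wrong password
            boolean hasKey = false;
            for (String alias : Collections.list(ks.aliases())) hasKey |= ks.isKeyEntry(alias);
            if (needsKey && !hasKey) problems.add(kind + ": no private key entry");
            if (ks.size() == 0) problems.add(kind + ": store is empty");
        } catch (Exception e) {
            problems.add(kind + ": cannot load " + location + ": " + e);
        }
    }

    public static void main(String[] args) {
        List<String> problems = check();
        problems.forEach(p -> System.err.println("TLS preflight: " + p));
        if (!problems.isEmpty()) System.exit(1);
    }
}
```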

[GitHub] [zookeeper] JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek edited a comment on issue #945: [ZOOKEEPER-3389] Zookeeper does 
not export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-492933860
 
 
   @eolivelli 
   Ok, I'll continue with osgi packaging. I'll apply this also to 
zookeeper-jute and somehow solve "the same package name" problem in the way 
described in my previous post.
   
   An integration test validating that OSGi is working would be really nice.




[GitHub] [zookeeper] JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not export all required packages in OSGi (needed for curator)

2019-05-16 Thread GitBox
JiriOndrusek commented on issue #945: [ZOOKEEPER-3389] Zookeeper does not 
export all required packages in OSGi (needed for curator)
URL: https://github.com/apache/zookeeper/pull/945#issuecomment-492933860
 
 
   @eolivelli 
   Ok, I'll continue with osgi packaging. I'll apply this also to 
zookeeper-jute and somehow solve "the same package name" problem in the way 
described in my previous post.

