[jira] [Comment Edited] (ZOOKEEPER-2297) NPE is thrown while creating "key manager" and "trust manager"
[
https://issues.apache.org/jira/browse/ZOOKEEPER-2297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15110355#comment-15110355
]
Flavio Junqueira edited comment on ZOOKEEPER-2297 at 1/21/16 9:53 AM:
--
I'm sorry guys for chiming in late, but as it stands, I'm -1 on this change.
There are two points that are bothering me here:
# If we are to change configuration, even when the branch is not yet stable
like 3.5, we need to bring the issue up on the user list to collect feedback.
We can't expect users to be aware of discussions in jiras like this one and it
affects them.
# I don't like the configuration change. We could use the secure client port
parameter to determine whether the user is trying to configure secure
communication or even create a boolean parameter to make it more explicit, like
having {{zookeeper.client.secure}} on the server side as well. The bottom line
is that I'd rather infer from a configuration parameter that the user is trying
to make it secure rather than force the user to set such a cumbersome variable.
Also, this is focusing on SSL, but this change affects SASL as well, yes?
My suggestion is to work on those points and for the second, to produce a new
patch that fixes the configuration.
was (Author: fpj):
I'm sorry guys for chiming in late, but as it stands, I'm -1 on this change as
is. There are two points that are bothering me here:
# If we are to change configuration, even when the branch is not yet stable
like 3.5, we need to bring the issue up on the user list to collect feedback.
We can't expect users to be aware of discussions in jiras like this one and it
affects them.
# I don't like the configuration change. We could use the secure client port
parameter to determine whether the user is trying to configure secure
communication or even create a boolean parameter to make it more explicit, like
having {{zookeeper.client.secure}} on the server side as well. The bottom line
is that I'd rather infer from a configuration parameter that the user is trying
to make it secure rather than force the user to set such a cumbersome variable.
Also, this is focusing on SSL, but this change affects SASL as well, yes?
My suggestion is to work on those points and for the second, to produce a new
patch that fixes the configuration.
> NPE is thrown while creating "key manager" and "trust manager"
> ---
>
> Key: ZOOKEEPER-2297
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2297
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
>Affects Versions: 3.5.1
> Environment: Suse 11 sp 3
>Reporter: Anushri
>Assignee: Arshad Mohammad
>Priority: Minor
> Fix For: 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2297-01.patch, ZOOKEEPER-2297-02.patch,
> ZOOKEEPER-2297-03.patch
>
>
> NPE is thrown while creating "key manager" and "trust manager" , even though
> the zk setup is in non-secure mode
> bq. 2015-10-19 12:54:12,278 [myid:2] - ERROR [ProcessThread(sid:2
> cport:-1)::X509AuthenticationProvider@78] - Failed to create key manager
> bq. org.apache.zookeeper.common.X509Exception$KeyManagerException:
> java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> at
> org.apache.zookeeper.server.auth.X509AuthenticationProvider.(X509AuthenticationProvider.java:75)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.initialize(ProviderRegistry.java:42)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.getProvider(ProviderRegistry.java:68)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.fixupACL(PrepRequestProcessor.java:952)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest2Txn(PrepRequestProcessor.java:379)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest(PrepRequestProcessor.java:716)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.run(PrepRequestProcessor.java:144)
> Caused by: java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:113)
> ... 7 more
> bq. 2015-10-19 12:54:12,279 [myid:2] - ERROR [ProcessThread(sid:2
> cport:-1)::X509AuthenticationProvider@90] - Failed to create trust manager
> bq. org.apache.zookeeper.common.X509Exception$TrustManagerException:
> java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createTrustManager(X509Util.java:158)
> at
> org.apache.zookeeper.server.auth.X509AuthenticationProvider.(X509AuthenticationProvider.java:87)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.initialize(ProviderRegistry.java:42)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.getProvider(ProviderRegistry.java:68)
> at
> org.apache.zookeeper.serve
[jira] [Comment Edited] (ZOOKEEPER-2297) NPE is thrown while creating "key manager" and "trust manager"
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15110482#comment-15110482 ] Flavio Junqueira edited comment on ZOOKEEPER-2297 at 1/21/16 11:59 AM: --- bq. I will send a mail in the user/dev mailing list about this once agree upon the changes. I'd hold on to the e-mail until we converge on a proposal. bq. To make it clear, this jira is changing zookeeper server side configuration only. Now, with this change user need to mandatory configure the SSL scheme name "x509" along with the other SSL configurations. Earlier "x509" was instantiated by default, irrespective of secure or non-secure. So user not required to configure this explicitly. I got that and if we think that we will have other providers in the future, then we certainly need a way of configuring it. bq. The proposed change is similar to the way configuring the SASL auth mechanism. More or less. For authentication, we need to specify the provider among IP, Digest/Passwd, SASL. In that case, we do need that parameter explicitly, and if I'm passing a SaslAuthProvider parameter, then it is pretty clear that I want SASL authentication. Passing a X509AuthenticationProvider parameter doesn't make it clear the intent of the user with respect to SSL and given that we only have one option at the moment, sounds unnecessary. bq. I failed to find any dependency with SASL if you check the stack trace in the description of this jira, then this provider issue has arisen with a call to fixupACL in prep request processor. The ACL stuff depends on the authentication to work, and actually, I should have said authentication in general rather than just SASL. It'd be good to test both SSL and SASL together. was (Author: fpj): bq. I will send a mail in the user/dev mailing list about this once agree upon the changes. I'd hold on the e-mail until we converge on a proposal. bq. To make it clear, this jira is changing zookeeper server side configuration only. Now, with this change user need to mandatory configure the SSL scheme name "x509" along with the other SSL configurations. Earlier "x509" was instantiated by default, irrespective of secure or non-secure. So user not required to configure this explicitly. I got that and if we think that we will have other providers in the future, then we certainly need a way of configuring it. bq. The proposed change is similar to the way configuring the SASL auth mechanism. More or less. For authentication, we need to specify the provider among IP, Digest/Passwd, SASL. In that case, we do need that parameter explicitly, and if I'm passing a SaslAuthProvider parameter, then it is pretty clear that I want SASL authentication. Passing a X509AuthenticationProvider parameter doesn't make it clear the intent of the user with respect to SSL and given that we only have one option at the moment, sounds unnecessary. bq. I failed to find any dependency with SASL if you check the stack trace in the description of this jira, then this provider issue has arisen with a call to fixupACL in prep request processor. The ACL stuff depends on the authentication to work, and actually, I should have said authentication in general rather than just SASL. It'd be good to test both SSL and SASL together. > NPE is thrown while creating "key manager" and "trust manager" > --- > > Key: ZOOKEEPER-2297 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2297 > Project: ZooKeeper > Issue Type: Bug > Components: server >Affects Versions: 3.5.1 > Environment: Suse 11 sp 3 >Reporter: Anushri >Assignee: Arshad Mohammad >Priority: Blocker > Fix For: 3.5.2, 3.6.0 > > Attachments: ZOOKEEPER-2297-01.patch, ZOOKEEPER-2297-02.patch, > ZOOKEEPER-2297-03.patch > > > NPE is thrown while creating "key manager" and "trust manager" , even though > the zk setup is in non-secure mode > bq. 2015-10-19 12:54:12,278 [myid:2] - ERROR [ProcessThread(sid:2 > cport:-1)::X509AuthenticationProvider@78] - Failed to create key manager > bq. org.apache.zookeeper.common.X509Exception$KeyManagerException: > java.lang.NullPointerException > at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129) > at > org.apache.zookeeper.server.auth.X509AuthenticationProvider.(X509AuthenticationProvider.java:75) > at > org.apache.zookeeper.server.auth.ProviderRegistry.initialize(ProviderRegistry.java:42) > at > org.apache.zookeeper.server.auth.ProviderRegistry.getProvider(ProviderRegistry.java:68) > at > org.apache.zookeeper.server.PrepRequestProcessor.fixupACL(PrepRequestProcessor.java:952) > at > org.apache.zookeeper.server.PrepRequestProcessor.pRequest2Txn(PrepReques
[jira] [Comment Edited] (ZOOKEEPER-2297) NPE is thrown while creating "key manager" and "trust manager"
[
https://issues.apache.org/jira/browse/ZOOKEEPER-2297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346212#comment-15346212
]
Flavio Junqueira edited comment on ZOOKEEPER-2297 at 6/23/16 10:08 AM:
---
I'm good with the patch, except that:
{noformat}
"No auth provider configured for configured SSL authenticaiton scheme '"
{noformat}
still has typos, I think it should be:
{noformat}
"No auth provider configured for the SSL authentication scheme "
{noformat}
was (Author: fpj):
I'm good with the patch, except that:
{noformat}
"No auth provider configured for configured SSL authenticaiton scheme '"
{noformat}
still has typos, I think it should be:
{noformat}
"No auth provider configured for the SSL authentication scheme '"
{noformat}
> NPE is thrown while creating "key manager" and "trust manager"
> ---
>
> Key: ZOOKEEPER-2297
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2297
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
>Affects Versions: 3.5.1
> Environment: Suse 11 sp 3
>Reporter: Anushri
>Assignee: Arshad Mohammad
>Priority: Blocker
> Fix For: 3.6.0, 3.5.3
>
> Attachments: ZOOKEEPER-2297-01.patch, ZOOKEEPER-2297-02.patch,
> ZOOKEEPER-2297-03.patch, ZOOKEEPER-2297-04.patch, ZOOKEEPER-2297-06.patch,
> ZOOKEEPER-2297-07.patch, ZOOKEEPER-2297-08.patch
>
>
> NPE is thrown while creating "key manager" and "trust manager" , even though
> the zk setup is in non-secure mode
> bq. 2015-10-19 12:54:12,278 [myid:2] - ERROR [ProcessThread(sid:2
> cport:-1)::X509AuthenticationProvider@78] - Failed to create key manager
> bq. org.apache.zookeeper.common.X509Exception$KeyManagerException:
> java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:129)
> at
> org.apache.zookeeper.server.auth.X509AuthenticationProvider.(X509AuthenticationProvider.java:75)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.initialize(ProviderRegistry.java:42)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.getProvider(ProviderRegistry.java:68)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.fixupACL(PrepRequestProcessor.java:952)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest2Txn(PrepRequestProcessor.java:379)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest(PrepRequestProcessor.java:716)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.run(PrepRequestProcessor.java:144)
> Caused by: java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:113)
> ... 7 more
> bq. 2015-10-19 12:54:12,279 [myid:2] - ERROR [ProcessThread(sid:2
> cport:-1)::X509AuthenticationProvider@90] - Failed to create trust manager
> bq. org.apache.zookeeper.common.X509Exception$TrustManagerException:
> java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createTrustManager(X509Util.java:158)
> at
> org.apache.zookeeper.server.auth.X509AuthenticationProvider.(X509AuthenticationProvider.java:87)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.initialize(ProviderRegistry.java:42)
> at
> org.apache.zookeeper.server.auth.ProviderRegistry.getProvider(ProviderRegistry.java:68)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.fixupACL(PrepRequestProcessor.java:952)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest2Txn(PrepRequestProcessor.java:379)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.pRequest(PrepRequestProcessor.java:716)
> at
> org.apache.zookeeper.server.PrepRequestProcessor.run(PrepRequestProcessor.java:144)
> Caused by: java.lang.NullPointerException
> at org.apache.zookeeper.common.X509Util.createTrustManager(X509Util.java:143)
> ... 7 more
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
