[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-11-28 Thread Michael Han (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15702915#comment-15702915 ]

Michael Han commented on ZOOKEEPER-2346:


bq. One way to make this testable would be to have the server return the auth 
failed error code in the reply header, instead of just sending a null token. 

I think this is what I am actually doing in ZOOKEEPER-1634 - the client would now 
get a typed keeper exception such as AuthFailed rather than getting a 
ConnectionLoss exception, which is too generic for a client such as Curator to 
handle, as ConnectionLoss could be caused by many things. I added tests / 
updated existing ones so the tests verify that an expected type of 
KeeperException will be observed on the client side, instead of the generic 
ConnectionLoss exception, which is the key benefit of the change proposed here 
(to have the server gracefully ask the client to close cnx instead of having the 
server itself do it).

bq. The C client doesn't have SASL support.
Good point - I forgot the context here is this JIRA instead of ZOOKEEPER-1634 
where I do need C tests for regression :)

> SASL Auth failure manifested to client as connection refusal
>
> Key: ZOOKEEPER-2346
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2346
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.4.6
> Reporter: Steve Loughran
> Assignee: Meyer Kizner
> Attachments: ZOOKEEPER-2346.patch, ZOOKEEPER-2346.patch
>
> If a client can't authenticate via SASL then (a) the stack trace is lost on 
> the server logs, and (b) it is exposed to the client as a connection refusal. 
> This results in curator retrying many times before giving up —and with the 
> cause being misinterpreted as a server-down problem, rather than a 
> client-not-trusted problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
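
Added example (not part of the thread or of ZooKeeper's own code): a client-side retry wrapper that treats the typed AuthFailed exception discussed above as terminal and retries only ConnectionLoss. `AuthAwareRetry`, `ZkCall`, the connection string and the path are hypothetical, and the AuthFailed branch only fires when the client actually receives the typed error rather than a dropped connection.

```java
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;

/** Added illustration: retry only the failures that can heal on their own. */
public final class AuthAwareRetry {

    /** Hypothetical functional interface wrapping one ZooKeeper operation. */
    interface ZkCall<T> {
        T run() throws KeeperException, InterruptedException;
    }

    /** Retries ConnectionLoss with exponential backoff; AuthFailed is terminal. */
    static <T> T callWithRetry(ZkCall<T> call, int maxRetries, long baseBackoffMs)
            throws KeeperException, InterruptedException {
        for (int attempt = 0; ; attempt++) {
            try {
                return call.run();
            } catch (KeeperException.AuthFailedException e) {
                // The server rejected the credentials: another attempt cannot
                // succeed and would only bury the real cause under retries.
                throw e;
            } catch (KeeperException.ConnectionLossException e) {
                // Assumed transient (server restart, network interruption).
                if (attempt >= maxRetries) {
                    throw e;
                }
                Thread.sleep(baseBackoffMs << attempt);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Surface the session-level AuthFailed state as soon as it is reported.
        Watcher watcher = (WatchedEvent event) -> {
            if (event.getState() == Watcher.Event.KeeperState.AuthFailed) {
                System.err.println("SASL authentication failed; check client credentials");
            }
        };
        // Placeholder connection string and znode path.
        ZooKeeper zk = new ZooKeeper("zk.example.test:2181", 30_000, watcher);
        try {
            System.out.println(callWithRetry(() -> zk.exists("/example", false), 5, 200L));
        } finally {
            zk.close();
        }
    }
}
```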


[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-11-28 Thread Meyer Kizner (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15702817#comment-15702817 ]

Meyer Kizner commented on ZOOKEEPER-2346:

It's a little difficult to write a regression test for this issue specifically, 
because the bug is a race condition, so two different behaviors can be 
observed. I believe the Java client already has tests for SASL authentication 
failure, which leads me to believe that the race will be hard to reproduce in 
the test--I haven't put much thought into it, though. (The C client doesn't 
have SASL support.)

One way to make this testable would be to have the server return the auth 
failed error code in the reply header, instead of just sending a null token. I 
wasn't sure of the implications of this for compatibility, though, so I left it 
as is. Do you have any thoughts on that?

If the patch you're working on is a superset of this change, I'd be happy to 
wait and review it. It would be nice to get this change in 3.4.x though.



[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-11-28 Thread Hadoop QA (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15702802#comment-15702802 ]

Hadoop QA commented on ZOOKEEPER-2346:

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12840691/ZOOKEEPER-2346.patch
  against trunk revision d72f27279a13986ee0c011e1e5b34edf3a310da9.

+1 @author.  The patch does not contain any @author tags.

-1 tests included.  The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 javadoc.  The javadoc tool did not generate any warning messages.

+1 javac.  The applied patch does not increase the total number of javac 
compiler warnings.

+1 findbugs.  The patch does not introduce any new Findbugs (version 3.0.1) 
warnings.

+1 release audit.  The applied patch does not increase the total number of 
release audit warnings.

-1 core tests.  The patch failed core unit tests.

+1 contrib tests.  The patch passed contrib unit tests.

Test results: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/3535//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/3535//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: 
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/3535//console

This message is automatically generated.



[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-11-28 Thread Michael Han (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15702787#comment-15702787 ]

Michael Han commented on ZOOKEEPER-2346:


[~mkizner] Patch looks good - the missing part is tests (for both Java and C 
client). Also FYI I am using a similar approach in ZOOKEEPER-1634 (work in 
progress), so we might want to consolidate our patches at some point if you are 
adding more tests. Though my change in ZOOKEEPER-1634 will be a superset of 
your change (including all tests) here, so you could also wait and review 
ZOOKEEPER-1634 when it's ready.



[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-10-28 Thread Michael Han (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15616964#comment-15616964 ]

Michael Han commented on ZOOKEEPER-2346:


[~fpj] should be able to assign the issue to you [~mkizner].
Alternatively, you can send a pull request, please refer to 
[this link|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Merging+Github+Pull+Requests] 
on how to.

> SASL Auth failure manifested to client as connection refusal
>
> Key: ZOOKEEPER-2346
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2346
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.4.6
> Reporter: Steve Loughran
>
> If a client can't authenticate via SASL then (a) the stack trace is lost on 
> the server logs, and (b) it is exposed to the client as a connection refusal. 
> This results in curator retrying many times before giving up —and with the 
> cause being misinterpreted as a server-down problem, rather than a 
> client-not-trusted problem.





[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

2016-10-28 Thread Meyer Kizner (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15616074#comment-15616074 ]

Meyer Kizner commented on ZOOKEEPER-2346:

It looks like this is a race in the code that handles SASL authentication 
failures. While testing out SASL on our installation, I've observed both the 
behavior described in this issue and a more correct version, in which the 
server sends a null SASL token back to the client before closing the connection.

I have a short patch for this, but it doesn't look like I can upload it unless 
I'm assigned this issue. Can someone fix that for me?
