[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629274#comment-16629274 ] Enrico Olivelli commented on ZOOKEEPER-3156: I see the problem. So you have already a patch? Maybe a good idea is to add a client configuration flag or system property. > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629283#comment-16629283 ] Andor Molnar commented on ZOOKEEPER-3156: - I like the idea of having a configuration switch for that, because I'm not entirely sure what would be the right behaviour. [~revans2] Do you have a patch already? > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[
https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629288#comment-16629288
]
Andor Molnar commented on ZOOKEEPER-3156:
-
Is this the logic that we're talking about?
{code:java}
if (ZooKeeperSaslClient.isEnabled()) {
try {
String principalUserName = System.getProperty(
ZK_SASL_CLIENT_USERNAME, "zookeeper");
zooKeeperSaslClient =
new ZooKeeperSaslClient(
principalUserName+"/"+addr.getHostName());
...{code}
> ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
> ---
>
> Key: ZOOKEEPER-3156
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
>Affects Versions: 3.6.0, 3.4.13, 3.5.5
>Reporter: Robert Joseph Evans
>Assignee: Robert Joseph Evans
>Priority: Blocker
>
> Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured
> host name before creating the SASL client which is used to create the
> principal name. After ZOOKEEPER-2184 that canonicalization does not happen
> so the principal that the ZK client tries to use when it is configured to
> talk to a CName is different between 3.4.13 and all previous versions of ZK.
>
> For example
>
> zk1.mycluster.mycompany.com maps to real-node.mycompany.com.
>
> 3.4.13 will want the server to have
> [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com]
> 3.4.12 wants the server to have
> [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com]
>
> This makes 3.4.13 incompatible with many ZK setups currently in existence.
> It would be nice to have that resolution be optional because in some cases it
> might be nice to have a single principal tied to the cname.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629340#comment-16629340 ] Andor Molnar commented on ZOOKEEPER-3156: - We should use getCanonicalHostName() to force reverse ip lookup and get the FQDN of the server according to this javadoc: https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#getCanonicalHostName() Introducing a switch to enable reverse dns lookups would be inline with Kerberos client behaviour: http://web.mit.edu/kerberos/krb5-current/doc/admin/princ_dns.html In the krb5 client you can disable canonicalization with rdns=false setting. > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16631671#comment-16631671 ] Andor Molnar commented on ZOOKEEPER-3156: - [~revans2] Any thoughts? > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[
https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16632211#comment-16632211
]
Robert Joseph Evans commented on ZOOKEEPER-3156:
[~andorm],
Sorry I was on a plane all day yesterday so I didn't respond sooner. I have
been doing some debugging trying to get a patch, but I have not come up with
one yet. I originally wanted to see if I could match the behavior from before
by moving the host name resolution code later in the process, but despite the
data structures being the same it is not possible as some information is lost
in the current process. I think having a flag that would optionally call
{{getCannicalHostName}} would be great. If someone else has a patch I am happy
to test it out, otherwise I will put together a patch myself.
Be aware though that a global flag is not 100% backwards compatible, and there
is a very small possibility that a single process will want to talk to multiple
different zookeeper ensembles, i.e. apache storm + older kafka client, which
could run into an issue where each ensemble wants something different. It is a
small enough chance, and there are ways to work around it so I am fine with it,
but it is possible.
> ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
> ---
>
> Key: ZOOKEEPER-3156
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
>Affects Versions: 3.6.0, 3.4.13, 3.5.5
>Reporter: Robert Joseph Evans
>Assignee: Robert Joseph Evans
>Priority: Blocker
>
> Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured
> host name before creating the SASL client which is used to create the
> principal name. After ZOOKEEPER-2184 that canonicalization does not happen
> so the principal that the ZK client tries to use when it is configured to
> talk to a CName is different between 3.4.13 and all previous versions of ZK.
>
> For example
>
> zk1.mycluster.mycompany.com maps to real-node.mycompany.com.
>
> 3.4.13 will want the server to have
> [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com]
> 3.4.12 wants the server to have
> [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com]
>
> This makes 3.4.13 incompatible with many ZK setups currently in existence.
> It would be nice to have that resolution be optional because in some cases it
> might be nice to have a single principal tied to the cname.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16632380#comment-16632380 ] Andor Molnar commented on ZOOKEEPER-3156: - [~revans2] Thanks for looking into this. As long as you're the assignee of this Jira, I'm happy to wait for your pull request to review. Regarding backwards compatibility: "...could run into an issue where each ensemble wants something different" This wasn't supported previously either: meaning that previous versions always did reverse IP lookups, so basically followed the behaviour that you mentioned as 3.4.12. Therefore I don't think the fix could cause backward compatibility issues as long as the default behaviour is the original (rnds=true). Let's try to wrap up what I think happened here: - Previous versions of ZooKeeper (up to 3.4.12) did DNS resolution upfront and returned the pure IP address to upper layers like the SASL client. The original implementation stripped the hostname from the InetSocketAddress after name resolution and created a new one with only IP address and port number, - This was fine for connecting the client to the server, because it only needs the IP address, - It forced the SASL client to do reverse DNS lookup by calling getHostName(), - The current behaviour, which I think is the right approach, creates new InetSocketAddress with the resolved IP address and the original hostname, so upper layers don't need to do reverse lookup. With the new switch and using getCanonicalHostName() in the SASL client we can enforce the reverse lookup which is needed here. > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16632482#comment-16632482 ] Robert Joseph Evans commented on ZOOKEEPER-3156: OK I have a patch up for 3.4 and if it looks good I am happy to port it to all release lines. [https://github.com/apache/zookeeper/pull/648] I have a few questions though. # I have canonicalization on by default, is that what we want? # Is there some place that I can document the new System property that I added? > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > Labels: pull-request-available > Time Spent: 10m > Remaining Estimate: 0h > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16675821#comment-16675821 ] Hudson commented on ZOOKEEPER-3156: --- FAILURE: Integrated in Jenkins build Zookeeper-trunk-single-thread #94 (See [https://builds.apache.org/job/Zookeeper-trunk-single-thread/94/]) ZOOKEEPER-3156: Add in option to canonicalize host name (andor: rev 83fd6e298dda420125f8be35fda68cb226b0ee05) * (add) zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java * (edit) zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java * (edit) zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java * (add) zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > Labels: pull-request-available > Fix For: 3.6.0, 3.5.5, 3.4.14 > > Time Spent: 12h > Remaining Estimate: 0h > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16675917#comment-16675917 ] Hudson commented on ZOOKEEPER-3156: --- SUCCESS: Integrated in Jenkins build ZooKeeper-trunk #256 (See [https://builds.apache.org/job/ZooKeeper-trunk/256/]) ZOOKEEPER-3156: Add in option to canonicalize host name (andor: rev 83fd6e298dda420125f8be35fda68cb226b0ee05) * (edit) zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java * (edit) zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java * (add) zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java * (add) zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java > ZOOKEEPER-2184 causes kerberos principal to not have resolved host name > --- > > Key: ZOOKEEPER-3156 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156 > Project: ZooKeeper > Issue Type: Bug > Components: java client >Affects Versions: 3.6.0, 3.4.13, 3.5.5 >Reporter: Robert Joseph Evans >Assignee: Robert Joseph Evans >Priority: Blocker > Labels: pull-request-available > Fix For: 3.6.0, 3.5.5, 3.4.14 > > Time Spent: 12h > Remaining Estimate: 0h > > Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured > host name before creating the SASL client which is used to create the > principal name. After ZOOKEEPER-2184 that canonicalization does not happen > so the principal that the ZK client tries to use when it is configured to > talk to a CName is different between 3.4.13 and all previous versions of ZK. > > For example > > zk1.mycluster.mycompany.com maps to real-node.mycompany.com. > > 3.4.13 will want the server to have > [zookeeper/zk1.mycluster@kdc.mycompany.com|mailto:zookeeper/zk1.mycluster@kdc.mycompany.com] > 3.4.12 wants the server to have > [zookeeper/real-node.mycompany@kdc.mycompany.com|mailto:zookeeper/real-node.mycompany@kdc.mycompany.com] > > This makes 3.4.13 incompatible with many ZK setups currently in existence. > It would be nice to have that resolution be optional because in some cases it > might be nice to have a single principal tied to the cname. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
