Hi Jorn, Sorry for coming back late to this. I’ve just validated the scenario on my test cluster. Looks like the issue is valid: Kerberos auth and SSL are mutually exclusive currently. When Kerberos is set up and trying to connect to secure port I got an infinite loop on client side:
2019-12-17 01:43:30,984 [myid:barbaresco-1.vpc.cloudera.com:2182] - WARN [Thread-39:Login$1@197] - TGT renewal thread has been interrupted and will exit.
2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):Login@302] - Client successfully logged in.
2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login$1@135] - TGT refresh thread started.
2019-12-17 01:43:30,987 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2019-12-17 01:43:30,988 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@1112] - Opening socket connection to server barbaresco-1.vpc.cloudera.com/10.65.25.98:2182. Will attempt to SASL-authenticate using Login Context section 'Client'
2019-12-17 01:43:30,988 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /10.65.25.98:45362, server: barbaresco-1.vpc.cloudera.com/10.65.25.98:2182
2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login@320] - TGT valid starting at: Tue Dec 17 01:43:30 PST 2019
2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login@321] - TGT expires: Thu Jan 16 01:43:30 PST 2020
2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [Thread-40:Login$1@193] - TGT refresh sleeping until: Fri Jan 10 20:23:33 PST 2020
2019-12-17 01:43:30,989 [myid:barbaresco-1.vpc.cloudera.com:2182] - INFO [main-SendThread(barbaresco-1.vpc.cloudera.com:2182):ClientCnxn$SendThread@1240] - Unable to read additional data from server sessionid 0x0, likely server has closed socket, closing socket connection and attempting reconnect

And the following error on server side:

2019-12-17 01:43:33,002 INFO org.apache.zookeeper.server.NettyServerCnxnFactory: SSL handler added for channel: [id: 0xcf37c14b, L:/10.65.25.98:2182 - R:/10.65.25.98:45380]
2019-12-17 01:43:33,003 ERROR org.apache.zookeeper.server.NettyServerCnxnFactory: Unsuccessful handshake with session 0x0
2019-12-17 01:43:33,003 WARN org.apache.zookeeper.server.NettyServerCnxnFactory: Exception caught
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0000002d000000000000000000000000000075300000000000000000000000100000000000000000000000000000000000
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:475)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:483)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:383)
        at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1044)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)

I will update the Jira too.

Andor

> On 2019. Nov 8., at 20:31, Jörn Franke <jornfra...@gmail.com> wrote:
>
> Thanks. Can you please share the configuration file?
>
> I tried with 3.5.5 - without SSL Kerberos works, but once I configured client
> ssl it said authentication fail (I have to check if I can dig up the log
> files) and as far as I remember this was related to x509 authentication. The
> certificate and truststore themselves are fine (I think I needed to convert
> the truststore to jks).
> Sorry it was some time ago, I should have separated the log files.
> For me it did not matter that the ports are separated, but it worked on the
> non-ssl port fine.
>
>> On 06.11.2019 at 23:08, Enrico Olivelli <eolive...@gmail.com> wrote:
>>
>> Jorn,
>> IIRC in my company we set up some ZK with TLS and SASL, using TLS for
>> encryption and SASL for auth.
>> We were using early 3.5.3 or something like that.
>>
>> Do you have a specific error?
>>
>> I can also add that in 3.6.0 we will have port-unification, this way you
>> can configure only one client port and accept plain text and TLS connection
>> from clients (this helps the transition to TLS)
>>
>> Enrico
>>
>> On Wed 6 Nov 2019, 22:28 Jörn Franke <jornfra...@gmail.com> wrote:
>>
>>> Dear all,
>>>
>>> it seems that ZooKeeper 3.5 with SSL enabled does not support Kerberos
>>> authentication, but only X509 authentication. Kerberos is used in many
>>> Enterprise environments and is supported by Apache Solr. Is this a bug? Or
>>> am I missing something?
>>>
>>>
>>> I created a Jira for this:
>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3482
>>>
>>>
>>> thank you.
>>>
>>> best regards
>>>
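The bytes quoted in the NotSslRecordException above are the key to the failure mode Andor describes: the Kerberos-configured client opened a plaintext ZooKeeper session on the TLS port, so the first thing Netty's SSL handler saw was a ZooKeeper ConnectRequest rather than a TLS ClientHello, and it rejected the connection (which is the safe outcome: the session handshake, including the 16-byte session password field, never got accepted over an unencrypted channel). The following Python script is an added example, not code from this thread or from the ZooKeeper project. It decodes that hex dump using the ConnectRequest wire layout (big-endian length prefix, then protocolVersion, lastZxidSeen, timeOut, sessionId, passwd, readOnly) and tells a TLS record header apart from a plaintext ZooKeeper connect; the `classify()` helper and its result labels are my own naming, the hex string is copied verbatim from the server log.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Hex dump copied verbatim from the NotSslRecordException in the server log
# above: the first bytes the Kerberos client sent to the TLS port (2182).
SERVER_LOG_HEXDUMP = (
    "0000002d000000000000000000000000000075300000000000000000000000100000000000000000000000000000000000"
)

# A TLS record starts with a one-byte content type followed by a 0x03 0xNN
# protocol version; a ClientHello is a handshake record (0x16).
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


@dataclass
class ConnectRequest:
    """Fields of a ZooKeeper ConnectRequest as sent on the wire (jute encoding)."""
    length: int            # 4-byte frame length that precedes the request
    protocol_version: int
    last_zxid_seen: int
    timeout_ms: int
    session_id: int
    passwd_len: int
    read_only: Optional[bool]  # trailing boolean; None if the dump was truncated


def looks_like_tls(data: bytes) -> bool:
    """True if the first bytes are plausibly a TLS record header."""
    return len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Decode the length prefix and the fixed-size ConnectRequest fields."""
    if len(data) < 32:
        raise ValueError("too short for a ConnectRequest header")
    # int32 length, int32 protocolVersion, int64 lastZxidSeen, int32 timeOut,
    # int64 sessionId, int32 passwd length (jute buffers are length-prefixed).
    length, version, zxid, timeout, session, passwd_len = struct.unpack(">iiqiqi", data[:32])
    rest = data[32:]
    read_only = None
    if passwd_len >= 0 and len(rest) >= passwd_len + 1:
        read_only = rest[passwd_len] != 0
    return ConnectRequest(length, version, zxid, timeout, session, passwd_len, read_only)


def classify(data: bytes) -> str:
    """Label what a client sent first: a TLS record or a plaintext ZooKeeper connect."""
    if looks_like_tls(data):
        return "tls"
    try:
        req = parse_connect_request(data)
    except (ValueError, struct.error):
        return "unknown"
    # A real ConnectRequest has protocolVersion 0, a positive session timeout
    # and either an empty or a 16-byte session password.
    if req.protocol_version == 0 and req.timeout_ms > 0 and req.passwd_len in (0, 16):
        return "zookeeper-plaintext-connect"
    return "unknown"


if __name__ == "__main__":
    payload = bytes.fromhex(SERVER_LOG_HEXDUMP)
    print(classify(payload))
    print(parse_connect_request(payload))
```

Run against the dump from the log, the script reports a plaintext ZooKeeper connect with a 30000 ms session timeout, session id 0 and a 16-byte password field, i.e. a fresh session handshake, which is exactly what the client-side "Opening socket connection ... Will attempt to SASL-authenticate" lines say it was doing on the secure port.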