[jira] [Updated] (SOLR-5676) SolrCloud updates rejected if talking to secure ZooKeeper

Wed, 29 Jan 2014 15:28:46 -0800 

     [ 
https://issues.apache.org/jira/browse/SOLR-5676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gregory Chanan updated SOLR-5676:
---------------------------------

    Attachment: SOLR-5676.patch

Here's a patch that does the above, warning if the client receives AuthFailed.

> SolrCloud updates rejected if talking to secure ZooKeeper
> ---------------------------------------------------------
>
>                 Key: SOLR-5676
>                 URL: https://issues.apache.org/jira/browse/SOLR-5676
>             Project: Solr
>          Issue Type: Bug
>          Components: SolrCloud
>    Affects Versions: 5.0, 4.7, 4.6.1
>            Reporter: Gregory Chanan
>             Fix For: 5.0
>
>         Attachments: SOLR-5676.patch
>
>
> When using secure zookeeper and a valid jaas configuration, SolrCloud will 
> reject updates with a 503 error.
> The problem is that in this case ZooKeeper sends states to the watchers like 
> "SaslAuthenticated", but the ConnectionManager treats any state it doesn't 
> know about as a disconnect.  Then, whenever a request comes in, SolrCloud 
> will think it can't talk to ZooKeeper and reject the request.
> These are the valid states that watchers can see with the current ZooKeeper 
> version (3.4.5):
> Disconnected
> SyncConnected
> AuthFailed
> ConnectedReadOnly
> SaslAuthenticated
> Expired
> ConnectionManager currently does not handle:
> SaslAuthenticated
> ConnectedReadOnly
> AuthFailed
> From my tests, it seems like the correct thing to do is just ignore these 
> states:
> 1) SaslAuthenticated - nothing has gone wrong here, so no need to disconnected
> 2) ConnectedReadOnly - the client would only see this state if they 
> specifically specified a read only client, so this is expected
> 3) AuthFailed - this one is a little tricky.  If you try to authentication 
> but fail (say you have an invalid JAAS conf), you may get AuthFailed, but 
> depending on the ZK settings, you may still be able to communicate with 
> ZooKeeper (i.e. see this in the log: Will continue connection to Zookeeper 
> server \
> without SASL authentication, if Zookeeper server allows it.)
> So, it seems correct to ignore these states, possibly warning on AuthFailed, 
> because that isn't expected in proper operation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to