[ https://issues.apache.org/jira/browse/ZOOKEEPER-2323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011953#comment-15011953 ]

Arshad Mohammad commented on ZOOKEEPER-2323:
--------------------------------------------

As per my analysis, the following is the sequence of events which causes the problem:
#  After two minutes from network disconnect, Client automatically switched to DIGEST-MD5 authentication mechanism
Code reference in {{org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslClient(String, String)}}
{code}
if (subject.getPrincipals().isEmpty()) {
    // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism instead.
    LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");
    String[] mechs = {"DIGEST-MD5"};
    String username = (String)(subject.getPublicCredentials().toArray()[0]);
    String password = (String)(subject.getPrivateCredentials().toArray()[0]);
    // "zk-sasl-md5" is a hard-wired 'domain' parameter shared with zookeeper server code (see ServerCnxnFactory.java)
    saslClient = Sasl.createSaslClient(mechs, username, "zookeeper",
            "zk-sasl-md5", null, new ClientCallbackHandler(password));
    return saslClient;
}
{code}
{{subject.getPrincipals().isEmpty()}} is true because Kerberos ticket is already expired
#  Code {{(String)(subject.getPublicCredentials().toArray()\[0\]);}} throws {{java.lang.ArrayIndexOutOfBoundsException}} and finally null is returned instead of {{SaslClient}} object
# Because SaslClient is null Client enters into {{States.AUTH_FAILED}} state
Code reference in {{org.apache.zookeeper.ClientCnxn.SendThread.run()}}
{code}
try {
    zooKeeperSaslClient.initialize(ClientCnxn.this);
} catch (SaslException e) {
    LOG.error("SASL authentication with Zooeeper Quorum member failed: " + e);
    state = States.AUTH_FAILED;
    sendAuthEvent = true;
}
{code}
{{zooKeeperSaslClient.initialize}} throws SaslException as SaslClient is null

> ZooKeeper client enters into infinite AuthFailedException cycle if its unable 
> to recreate Kerberos ticket
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2323
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2323
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>            Reporter: Arshad Mohammad
>            Assignee: Arshad Mohammad
>             Fix For: 3.5.2
>
>
> ZooKeeper client enters into infinite AuthFailedException cycle. For every 
> operation it throws AuthFailedException
> Here is the create operation exception
> {code}
> org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = 
> AuthFailed for /continuousRunningZKClient
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:127)
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>       at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1753)
> {code}
> This can be reproduced easily with the following steps:
> # Reduce the ZooKeeper client principal max life, for example set 2 min. Use 
> command {color:blue} modprinc -maxlife 2min zkcli  {color} in kadmin. (This 
> is done to reduce the issue reproduce time)
> # Connect Client to ZooKeeper quorum, let it get connected and some 
> operations are done successfully
> # Disconnect the Client's network, by pulling out the Ethernet cable or by 
> any way. Now the Client is in disconnected state, no operation is 
> expected, Client tries to reconnect to different-different servers in the 
> ZooKeeper quorum.
> # After two minutes Client tries to get new Kerberos ticket and it fails.
> # Connect the Client to network. Client comes in connected state but 
> AuthFailedException for every operation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
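
The failure mode analysed in the comment above, as an added stand-alone example that is not part of the original message and is not ZooKeeper's code or the fix for this issue. The class {{SaslMechanismGuard}}, its methods and the {{kerberosConfigured}} flag are hypothetical names; an empty {{Subject}} is constructed to stand for the login state after the Kerberos ticket has expired.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.SaslException;

public class SaslMechanismGuard {
    enum Mechanism { GSSAPI, DIGEST_MD5 }

    // Pattern from the comment: "no principals" is read as "DIGEST-MD5 was configured".
    static Mechanism selectUnguarded(Subject subject) {
        if (subject.getPrincipals().isEmpty()) {
            // Throws ArrayIndexOutOfBoundsException when the Subject holds no credentials.
            String username = (String) subject.getPublicCredentials().toArray()[0];
            return Mechanism.DIGEST_MD5;
        }
        return Mechanism.GSSAPI;
    }

    // Guarded selection (assumption: the caller knows which mechanism was configured).
    static Mechanism selectGuarded(Subject subject, boolean kerberosConfigured)
            throws SaslException {
        if (!subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
            return Mechanism.GSSAPI;
        }
        if (kerberosConfigured) {
            // Expired ticket: report it so the caller can re-login; never downgrade.
            throw new SaslException("No Kerberos principal; refusing DIGEST-MD5 fallback");
        }
        Set<String> users = subject.getPublicCredentials(String.class);
        Set<String> passwords = subject.getPrivateCredentials(String.class);
        if (users.isEmpty() || passwords.isEmpty()) {
            throw new SaslException("Subject holds no DIGEST-MD5 credentials");
        }
        return Mechanism.DIGEST_MD5;
    }

    public static void main(String[] args) {
        Subject expired = new Subject(); // constructed: no principals, no credentials
        try {
            selectUnguarded(expired);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unguarded: " + e);
        }
        try {
            selectGuarded(expired, true);
        } catch (SaslException e) {
            System.out.println("guarded: " + e.getMessage());
        }
    }
}
```

The guarded path turns the expired-ticket case into an explicit {{SaslException}} that names the cause, so a caller can retry the Kerberos login instead of treating the session as permanently failed.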
