[ https://issues.apache.org/jira/browse/ZOOKEEPER-2323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15013566#comment-15013566 ]

Bob commented on ZOOKEEPER-2323:
--------------------------------

Hi, [~arshad.mohammad]
     I just tested with your patch and found that it cannot fix the auth failed 
issue in the scenario below:
Set TGT to expire in 2 mins, session to expire in 3 mins
1. Start zk client to connect to the kerberos zk cluster, and some operations can be 
done successfully
2. Disconnect the Client's network
3. TGT expired
4. Session expired
If, between steps 3 and 4, we recover the network, 
we will get this exception:
{code}
java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:394)
at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:379)
at org.apache.zookeeper.client.ZooKeeperSaslClient.sendSaslPacket(ZooKeeperSaslClient.java:451)
at org.apache.zookeeper.client.ZooKeeperSaslClient.initialize(ZooKeeperSaslClient.java:489)
at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1243)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:397)
at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:
{code}
The above exception results in the client going into the authfailed state:
{code}
2015-11-19-18:58:26  [ERROR]  main-SendThread(9.91.8.212:24002)  org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:415)  An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2015-11-19-18:58:26  [ERROR]  main-SendThread(9.91.8.212:24002)  org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1245)  SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
{code}
Finally, even if the TGT is renewed in the next cycle loop, this Client would always 
get authfailed for every operation, forever.





> ZooKeeper client enters into infinite AuthFailedException cycle if its unable 
> to recreate Kerberos ticket
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2323
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2323
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>            Reporter: Arshad Mohammad
>            Assignee: Arshad Mohammad
>             Fix For: 3.5.2
>
>         Attachments: ZOOKEEPER-2323-01.patch
>
>
> ZooKeeper client enters into infinite AuthFailedException cycle. For every 
> operation it throws AuthFailedException.
> Here is the create operation exception:
> {code}
> org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = 
> AuthFailed for /continuousRunningZKClient
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:127)
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>       at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1753)
> {code}
> This can be reproduced easily with the following steps:
> # Reduce the ZooKeeper client principal max life, for example set it to 2 min. Use 
> command {color:blue} modprinc -maxlife 2min zkcli  {color} in kadmin. (This 
> is done to reduce the issue reproduction time.)
> # Connect the Client to the ZooKeeper quorum, let it get connected and let some 
> operations be done successfully.
> # Disconnect the Client's network, by pulling out the Ethernet cable or by 
> any other way. Now the Client is in disconnected state, no operation is 
> expected, and the Client tries to reconnect to different servers in the 
> ZooKeeper quorum.
> # After two minutes the Client tries to get a new Kerberos ticket and it fails.
> # Connect the Client to the network. The Client comes into connected state but 
> throws AuthFailedException for every operation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
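
An added example, not part of the JIRA thread or of the ZooKeeper code base: a log check that flags the condition reported above, where a client goes to AUTH_FAILED for lack of a Kerberos TGT and then keeps failing operations well after a renewed ticket should have been usable. It assumes the log layout of the lines quoted in the comment, that the application's `KeeperErrorCode = AuthFailed` errors are written to the same log, and a 2-minute grace period matching the ticket lifetime used in the reproduction; the `app-worker` lines, `com.example.App` and the server address are constructed.

```python
import re
from datetime import datetime, timedelta

# Layout of the client log lines quoted in the comment above:
#   yyyy-MM-dd-HH:mm:ss  [LEVEL]  thread  class.method(File.java:N)  message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\s+\[(\w+)\]\s+(\S+)\s+(\S+)\s+(.*)$")
TO_AUTH_FAILED = "Zookeeper Client will go to AUTH_FAILED state"
NO_TGT = "Failed to find any Kerberos tgt"
OP_FAILED = "KeeperErrorCode = AuthFailed"


def parse(line):
    """Split one log line into (timestamp, thread, message); None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, _level, thread, _where, msg = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d-%H:%M:%S"), thread, msg


def find_stuck_client(lines, grace=timedelta(minutes=2)):
    """Report the first AUTH_FAILED transition if AuthFailed operation errors
    keep appearing more than `grace` after it. `grace` is an assumption: the
    ticket lifetime, after which a renewed TGT should have been available."""
    start = None
    for ts, thread, msg in filter(None, map(parse, lines)):
        if start is None and TO_AUTH_FAILED in msg:
            start = {"since": ts, "thread": thread, "missing_tgt": NO_TGT in msg,
                     "failed_ops": 0, "last_failure": ts}
        elif start is not None and OP_FAILED in msg:
            start["failed_ops"] += 1
            start["last_failure"] = ts
    if start and start["last_failure"] - start["since"] > grace:
        return start
    return None


# Constructed sample: the first line follows the log in the comment (server
# address replaced by a documentation address); the "app-worker" lines and the
# logger name com.example.App are hypothetical application log entries.
SAMPLE = """\
2015-11-19-18:58:26  [ERROR]  main-SendThread(192.0.2.10:24002)  org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:415)  An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2015-11-19-18:59:10  [ERROR]  app-worker  com.example.App.read(App.java:42)  org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /continuousRunningZKClient
2015-11-19-19:05:40  [ERROR]  app-worker  com.example.App.read(App.java:42)  org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /continuousRunningZKClient
""".splitlines()

if __name__ == "__main__":
    print(find_stuck_client(SAMPLE))
```

A finding with `missing_tgt` set separates this Kerberos ticket case from AUTH_FAILED transitions with other causes.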
