[
https://issues.apache.org/jira/browse/ZOOKEEPER-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144265#comment-15144265
]
Devendra Vishwakarma commented on ZOOKEEPER-1437:
-------------------------------------------------
Hi Eugene,
Yes, the environment is Kerberos-authenticated. When I try accessing the znode
/hbase-secure/replication/peers via zkCli, I get the authentication-related
error saying 'Authentication is not valid : /hbase-secure/replication/peers'.
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2016-02-12 00:24:05,360 INFO [main-SendThread(dev.machine.com:2181)] zookeeper.ClientCnxn: Socket connection established to dev.machine.com/9.30.123.136:2181, initiating session
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTING) 0] 2016-02-12 00:24:05,393 INFO [main-SendThread(dev.machine.com:2181)] zookeeper.ClientCnxn: Session establishment complete on server dev.machine.com/9.30.123.136:2181, sessionid = 0x252cfff53750029, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTED) 0] ls
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTED) 1] ls /hbase-secure
[replication, meta-region-server, rs, splitWAL, backup-masters, table-lock, flush-table-proc, region-in-transition, online-snapshot, acl, master, running, recovering-regions, tokenauth, draining, namespace, hbaseid, table]
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTED) 2] ls /hbase-secure/replication
Authentication is not valid : /hbase-secure/replication
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTED) 3] ls /hbase-secure/replication/peers
Authentication is not valid : /hbase-secure/replication/peers
[zk: dev.machine.com:2181,dev2.machine.com:2181(CONNECTED) 4]
#####################################################################
One thing I noticed is that when I get the ACLs for the parent znode /hbase-secure, I
see the permissions for world:anyone, but for some of the child znodes like
/hbase-secure/replication, I don't see any permission set for world:anyone:
[zk: svlxbi0n.svl.ibm.com:2181,svlxbi04.svl.ibm.com:2181(CONNECTED) 5] getAcl /hbase-secure
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
[zk: svlxbi0n.svl.ibm.com:2181,svlxbi04.svl.ibm.com:2181(CONNECTED) 6] getAcl /hbase-secure/replication
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
[zk: svlxbi0n.svl.ibm.com:2181,svlxbi04.svl.ibm.com:2181(CONNECTED) 7] getAcl /hbase-secure/replication/peers
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
[zk: svlxbi0n.svl.ibm.com:2181,svlxbi04.svl.ibm.com:2181(CONNECTED) 8]
> Client uses session before SASL authentication complete
> -------------------------------------------------------
>
> Key: ZOOKEEPER-1437
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1437
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
> Affects Versions: 3.4.3
> Reporter: Thomas Weise
> Assignee: Eugene Koontz
> Fix For: 3.4.4, 3.5.0
>
> Attachments: ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch, ZOOKEEPER-1437.patch,
> getXidCallHierarchy.png
>
>
> Found issue in the context of hbase region server startup, but can be
> reproduced w/ zkCli alone.
> getData may occur prior to SaslAuthenticated and fail with NoAuth. This is
> not expected behavior when the client is configured to use SASL.
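The ACL listings from the comment above, evaluated as an added example (not part of the original message or of the ZooKeeper code base): it parses the getAcl output and applies a simplified per-znode permission check, showing why a session without a SASL identity can list /hbase-secure but not its children. The function names are hypothetical, the sample input is constructed from the listings in the comment, and the check assumes that each znode's own ACL is the only one consulted and that a session whose SASL login failed carries no sasl identity.

```python
import re

# Constructed from the getAcl listings quoted in the comment above.
GETACL_OUTPUT = {
    "/hbase-secure": "'world,'anyone\n: r\n'sasl,'hbase\n: cdrwa\n'sasl,'hbase\n: cdrwa\n",
    "/hbase-secure/replication": "'sasl,'hbase\n: cdrwa\n'sasl,'hbase\n: cdrwa\n",
    "/hbase-secure/replication/peers": "'sasl,'hbase\n: cdrwa\n'sasl,'hbase\n: cdrwa\n",
}

# An identity line looks like 'scheme,'id and is followed by a ": perms" line.
ID_LINE = re.compile(r"'([^,]+),'(.*)")

def parse_getacl(text):
    """Turn zkCli getAcl output into a list of (scheme, id, perms) entries."""
    entries, ident = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = ID_LINE.fullmatch(line)
        if match:
            ident = match.groups()
        elif line.startswith(":") and ident is not None:
            perms = set(line[1:].strip())
            if not perms <= set("cdrwa"):
                raise ValueError(f"unknown permission letters: {line!r}")
            entries.append((ident[0], ident[1], perms))
            ident = None
    return entries

def is_allowed(acl, perm, session_ids):
    """Simplified per-znode check: only this znode's own ACL is consulted."""
    for scheme, ident, perms in acl:
        if perm not in perms:
            continue
        if (scheme, ident) == ("world", "anyone") or (scheme, ident) in session_ids:
            return True
    return False

def readable_paths(getacl_output, session_ids):
    """Paths on which a session holding session_ids has READ (needed by ls)."""
    return [path for path, text in getacl_output.items()
            if is_allowed(parse_getacl(text), "r", session_ids)]

if __name__ == "__main__":
    # Assumption: a session whose SASL login failed carries no sasl identity.
    print("no SASL identity:", readable_paths(GETACL_OUTPUT, set()))
    print("sasl:hbase      :", readable_paths(GETACL_OUTPUT, {("sasl", "hbase")}))
```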