[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15301471#comment-15301471
]
Rakesh R commented on ZOOKEEPER-1045:
-------------------------------------
*Case-3)* Zab1_0Test test time out:
To support the upgrade flow, NullQuorumAuthServer uses
{{QuorumAuth.nextPacketIsAuth(din);}} logic to know whether the received packet
is auth or not. If yes, then it replies back QuorumAuth.Status.ERROR to the
connecting quorum client.
For example, assume we have three servers peer0, peer1, peer2. Auth is disabled
initially. During upgrade, the admin will enable auth in peer0. Now, this server
starts sending {{AuthPacket}} to peer1 and peer2. With the above-mentioned
packet identification logic, peer1 detects an {{AuthPacket}} and replies ERROR
to the peer0 client as these servers don't support auth. Please look at the unit
test case {{QuorumAuthUpgradeTest#testRollingUpgrade()}} to understand more
about the described use case.
But in Zab1_0Test tests, quorum peers don't have auth enabled. In that case,
reading the packet using {{QuorumAuth.nextPacketIsAuth(din);}} logic will wait
and time out by throwing IOException and continue to the next step in FLE. On
the other side, the Leader is timing out by not seeing any connecting followers
and failing the test case.
{code}
java.lang.InterruptedException: Timeout while waiting for epoch from quorum
at org.apache.zookeeper.server.quorum.Leader.getEpochToPropose(Leader.java:888)
at org.apache.zookeeper.server.quorum.Leader.lead(Leader.java:387)
at org.apache.zookeeper.server.quorum.Zab1_0Test$LeadThread.run(Zab1_0Test.java:96)
{code}
[~phunt], do you have a suggestion to handle this case?
> Quorum Peer mutual authentication
> ---------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip,
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
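
An added illustration of the blocking peek described in the comment above, not code from ZooKeeper or from the attached patches: {{peekIsAuth}}, {{probe}} and the {{AUTH_MAGIC}} value are hypothetical stand-ins for the {{QuorumAuth.nextPacketIsAuth(din)}} check. It runs the peek against three loopback peers: one that sends the auth marker first, one that sends something else, and one that sends nothing, where the read only returns through the socket timeout.

```java
import java.io.*;
import java.net.*;

public class AuthPeekDemo {
    // Constructed marker value for this sketch, not ZooKeeper's constant.
    static final long AUTH_MAGIC = 0x5A4B41555448L;

    // Hypothetical stand-in for the peek the comment describes: read the first
    // long, compare it to the marker, then rewind so the caller still sees the bytes.
    static boolean peekIsAuth(DataInputStream din) throws IOException {
        din.mark(8);
        try {
            return din.readLong() == AUTH_MAGIC;
        } finally {
            din.reset();
        }
    }

    // Accept one loopback connection and classify what the peer sent first, if anything.
    static String probe(Long firstLong, int soTimeoutMs) throws Exception {
        try (ServerSocket ss = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
             Socket client = new Socket(ss.getInetAddress(), ss.getLocalPort());
             Socket server = ss.accept()) {
            if (firstLong != null) {
                DataOutputStream out = new DataOutputStream(client.getOutputStream());
                out.writeLong(firstLong);
                out.flush();
            }
            server.setSoTimeout(soTimeoutMs); // without a timeout the peek blocks indefinitely
            DataInputStream din = new DataInputStream(
                    new BufferedInputStream(server.getInputStream())); // mark/reset needs buffering
            try {
                boolean auth = peekIsAuth(din);
                return (auth ? "auth" : "not-auth") + ", first long still readable: "
                        + (din.readLong() == firstLong);
            } catch (SocketTimeoutException e) { // a subclass of IOException
                return "timed out waiting for a first packet";
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("auth-enabled peer : " + probe(AUTH_MAGIC, 500));
        System.out.println("other first packet: " + probe(42L, 500));
        System.out.println("silent peer       : " + probe(null, 500));
    }
}
```

The third case is the one that matters for a peer whose counterpart does not speak first: the acceptor spends the whole timeout inside the peek before it can move on.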