[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15365708#comment-15365708
]
Rakesh R commented on ZOOKEEPER-1045:
-------------------------------------
[~hanm] Awesome! Overall the test report looks good. I'm adding a few minor
comments; please take a look at them.
- *Review Comment-1)* Please add the git revision number of the {{branch3-4}}
you have taken for testing; that will be helpful for future reference. You can add
something like:
{code}
Branch-3-4 version:
Time:July 01, 2016, UTC+09:00.
Git Information:
Revision: 6b6a63bbbda920315d3d24b61ed3344a78a981b6
{code}
- *Review Comment-2)* Rolling upgrade should be supported and all existing
features should continue to work unconditionally, with or without this feature
being enabled (full backward compatibility), before, in the middle, and after
rolling upgrade.
*Comment:* Please mention which version of 3.4.x was used for rolling upgrade
testing. For example, rolling upgrade from {{3.4.6}} version to
{{3.4.9-SNAPSHOT}} version.
- *Review Comment-3)* Rolling upgrade verification:
*Comment:* In this section, it would be good to add a few more details. We
can say that rolling upgrade should be done in three steps, and after every step
the admin has to {{"Ensure that all the servers have completed this step. Only
after that, move on to the next step"}}. I'm adding the sample below for your
information; please refer to it and update accordingly.
{code}
Rolling upgrade should be done in three steps:
step-1) Stop the servers one by one, then set the following flags in the server
'zoo.cfg' and restart it:
quorum.auth.enableSasl=true, quorum.auth.learnerRequireSasl=false and
quorum.auth.serverRequireSasl=false. Ensure that all the servers have completed
this step. Now, move on to the next step.
step-2) Stop the servers one by one, then set the
'quorum.auth.learnerRequireSasl=true' flag in the server 'zoo.cfg' and restart
it. Ensure that all the servers have completed this step. Now, move on to the
next step.
step-3) Stop the servers one by one, then set the
'quorum.auth.serverRequireSasl=true' flag in the server 'zoo.cfg' and restart
it. Now, all the servers are fully upgraded and running in secured mode.
Verified everything works after restarting each server and every step.
{code}
- *Review Comment-4)* If time permits, please add two more test scenarios:
*Scenario-1)* I hope you are adding servers as LearnerType.Participant. Please
add one server as LearnerType.OBSERVER with sasl. For example, you can
configure in zoo.cfg as "server.1:localhost:2181:3181:observer"
*Scenario-2)* Add a fourth server to a quorum of servers which is already
upgraded to sasl. Probably you can perform this together with the above
scenario by adding the fourth server as Observer.
I think I need to update the feature document describing the internals. I will
give priority to that and update this week or next.
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.9, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip,
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
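The "ensure that all the servers have completed this step" gate from the rolling upgrade sample in Review Comment-3, as an added example that is not part of the original comment or of the ZooKeeper code base: it maps the three quorum.auth flags in each server's zoo.cfg text to the step they correspond to and reports whether the whole ensemble has completed the same step. The function names, the sample configs and the treatment of an unset flag as false are assumptions of this example.

```python
# Added example (not ZooKeeper code): gate check for the three-step rolling upgrade.
FLAGS = ("quorum.auth.enableSasl",
         "quorum.auth.learnerRequireSasl",
         "quorum.auth.serverRequireSasl")

# Flag values in FLAGS order -> upgrade step that server has completed (0 = none).
STEPS = {
    (False, False, False): 0,
    (True, False, False): 1,
    (True, True, False): 2,
    (True, True, True): 3,
}

def parse_flags(cfg_text):
    """Return the three quorum.auth flags from zoo.cfg text as booleans."""
    values = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    # Assumption of this example: a flag that is not set counts as false.
    return tuple(values.get(f, "false").lower() == "true" for f in FLAGS)

def server_step(cfg_text):
    """Step (0-3) the config corresponds to, or None if the flags skip a step."""
    return STEPS.get(parse_flags(cfg_text))

def ensemble_status(configs):
    """configs maps server name -> zoo.cfg text; returns (ok_to_proceed, detail)."""
    if not configs:
        return False, "no server configs given"
    steps = {name: server_step(text) for name, text in configs.items()}
    skipped = sorted(n for n, s in steps.items() if s is None)
    if skipped:
        return False, "flags skip a step on: " + ", ".join(skipped)
    target = max(steps.values())
    behind = sorted(n for n, s in steps.items() if s < target)
    if behind:
        return False, "step %d not completed on: %s" % (target, ", ".join(behind))
    return True, "all servers completed step %d" % target

# Constructed sample: server.3 has not yet been restarted with the step-2 flag.
STEP1 = "tickTime=2000\nquorum.auth.enableSasl=true\n"
STEP2 = STEP1 + "quorum.auth.learnerRequireSasl=true\n"
SAMPLE = {"server.1": STEP2, "server.2": STEP2, "server.3": STEP1}

if __name__ == "__main__":
    print(ensemble_status(SAMPLE))
```

Run it against the collected configs after each round of restarts and change the next flag only once it reports that every server completed the current step.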