[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364754#comment-16364754
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
-------------------------------------------

Github user eolivelli commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/457#discussion_r168303288
  
    --- Diff: src/java/test/org/apache/zookeeper/test/WatcherAuthTest.java ---
    @@ -0,0 +1,84 @@
    +package org.apache.zookeeper.test;
    +
    +import org.apache.zookeeper.WatchedEvent;
    +import org.apache.zookeeper.ZooKeeper;
    +import org.apache.zookeeper.client.ZKClientConfig;
    +import org.junit.Assert;
    +import org.junit.Before;
    +import org.junit.Ignore;
    +import org.junit.Test;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.io.File;
    +import java.io.FileWriter;
    +import java.io.IOException;
    +import java.util.concurrent.LinkedBlockingQueue;
    +
    +import static org.apache.zookeeper.test.ClientBase.createTmpDir;
    +
    +public class WatcherAuthTest {
    +
    +    protected static final Logger LOG = 
LoggerFactory.getLogger(WatcherTest.class);
    +
    +    private class MyWatcher extends ClientBase.CountdownWatcher {
    +        LinkedBlockingQueue<WatchedEvent> events =
    +                new LinkedBlockingQueue<WatchedEvent>();
    +
    +        @Override
    +        public void process(WatchedEvent event) {
    +            super.process(event);
    +            if (event.getState() == Event.KeeperState.AuthFailed) {
    +                try {
    +                    events.put(event);
    +                } catch (InterruptedException e) {
    +                    LOG.warn("ignoring interrupt during event.put");
    +                }
    +            }
    +        }
    +    }
    +
    +    @Before
    +    public void setUp() throws Exception {
    +        // Reset to default value since some test cases set this to true.
    +        // Needed for JDK7 since unit test can run is random order
    +        System.setProperty(ZKClientConfig.DISABLE_AUTO_WATCH_RESET, 
"false");
    +    }
    +
    +    // Note: This test only works with a real ZKServer, running with 
TestServer masks the bug
    +    @Ignore
    +    @Test
    +    public void testWatcherCanGetAuthFailedEvents() throws Exception {
    +        MyWatcher myWatcher = new MyWatcher();
    +        
System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
    +        try {
    +            File tmpDir = createTmpDir();
    +            File saslConfFile = new File(tmpDir, "jaas.conf");
    +            FileWriter fwriter = new FileWriter(saslConfFile);
    +
    +            fwriter.write("" +
    +                    "Server {\n" +
    +                    "          
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
    +                    "          user_super=\"test\";\n" +
    +                    "};\n" +
    +                    "Client {\n" +
    +                    "       
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
    +                    "       username=\"super\"\n" +
    +                    "       password=\"test1\";\n" + // NOTE: wrong 
password ('test' != 'test1') : this is to test SASL authentication failure.
    +                    "};" + "\n");
    +            fwriter.close();
    +            
System.setProperty("java.security.auth.login.config",saslConfFile.getAbsolutePath());
    +        }
    +        catch (IOException e) {
    +            // could not create tmp directory to hold JAAS conf file.
    +        }
    +
    +        // Specify your ZK Server endpoints here
    +        ZooKeeper zk = new ZooKeeper("127.0.0.1:2281", 20000, myWatcher);
    --- End diff --
    
    We should close this handle


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> ----------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1534
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.3
>         Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>            Reporter: Tally Tsabary
>            Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =========
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 40000 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection due to SASL authentication failure.
> 2012-08-10 11:00:46,742 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1000] - Closed 
> socket connection for client /127.0.0.1:50208 which had sessionid 
> 0x1390fd2ee630004
> 2012-08-10 11:00:46,743 [myid:] - ERROR 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@180] - Unexpected 
> Exception: 
> java.nio.channels.CancelledKeyException
>                at 
> sun.nio.ch.SelectionKeyImpl.ensureValid(SelectionKeyImpl.java:55)
>                at 
> sun.nio.ch.SelectionKeyImpl.interestOps(SelectionKeyImpl.java:59)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.sendBuffer(NIOServerCnxn.java:153)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.sendResponse(NIOServerCnxn.java:1075)
>                at 
> org.apache.zookeeper.server.ZooKeeperServer.processPacket(ZooKeeperServer.java:906)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.readRequest(NIOServerCnxn.java:365)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.readPayload(NIOServerCnxn.java:202)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:236)
>                at 
> org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:224)
>                at java.lang.Thread.run(Thread.java:662)
>  {noformat}
>  
> At the corresponding source: org.apache.zookeeper.server.ZooKeeperServer
>  
> {noformat}
> private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws 
> IOException {
>         LOG.debug("Responding to client SASL token.");
>         GetSASLRequest clientTokenRecord = new GetSASLRequest();
>         
> ByteBufferInputStream.byteBuffer2Record(incomingBuffer,clientTokenRecord);
>         byte[] clientToken = clientTokenRecord.getToken();
>         LOG.debug("Size of client SASL token: " + clientToken.length);
>         byte[] responseToken = null;
>         try {
>             ZooKeeperSaslServer saslServer  = cnxn.zooKeeperSaslServer;
>             try {
>                 // note that clientToken might be empty (clientToken.length 
> == 0):
>                 // if using the DIGEST-MD5 mechanism, clientToken will be 
> empty at the beginning of the
>                 // SASL negotiation process.
>                 responseToken = saslServer.evaluateResponse(clientToken);
>                 if (saslServer.isComplete() == true) {
>                     String authorizationID = saslServer.getAuthorizationID();
>                     LOG.info("adding SASL authorization for authorizationID: 
> " + authorizationID);
>                     cnxn.addAuthInfo(new Id("sasl",authorizationID));
>                 }
>             }
>             catch (SaslException e) {
>                 LOG.warn("Client failed to SASL authenticate: " + e);
>                 if ((System.getProperty("zookeeper.allowSaslFailedClients") 
> != null)
>                   &&
>                   
> (System.getProperty("zookeeper.allowSaslFailedClients").equals("true"))) {
>                     LOG.warn("Maintaining client connection despite SASL 
> authentication failure.");
>                 } else {
>                     LOG.warn("Closing client connection due to SASL 
> authentication failure.");
>                     cnxn.close();   Tally: at this stage the socket is closed 
> without sending any notification to the client
>                 }
>             }
>         }
>         catch (NullPointerException e) {
>             LOG.error("cnxn.saslServer is null: cnxn object did not 
> initialize its saslServer properly.");
>         }
>         if (responseToken != null) {
>             LOG.debug("Size of server SASL response: " + 
> responseToken.length);
>         }
>         // wrap SASL response token to client inside a Response object.
>         return new SetSASLResponse(responseToken);
>     }
> {noformat}
>  
>  
> The client log shows that the client identified the socket closer and just 
> retry to connect as if the zk server just went down..
> {noformat}
> [10-Aug-2012 11:00:44.558 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Opening socket connection to 
> server 127.0.0.1/127.0.0.1:2181
> [10-Aug-2012 11:00:44.559 IST] INFO 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> Found Login Context section 
> 'Client': will use it to attempt to SASL-authenticate.
> [10-Aug-2012 11:00:44.560 IST] INFO 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> Client will use DIGEST-MD5 
> as SASL mechanism.
> [10-Aug-2012 11:00:44.561 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Socket connection established to 
> 127.0.0.1/127.0.0.1:2181, initiating session
> [10-Aug-2012 11:00:44.563 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxn$SendThread> Session establishment request 
> sent on 127.0.0.1/127.0.0.1:2181
> [10-Aug-2012 11:00:44.564 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.566 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.568 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Session establishment complete 
> on server 127.0.0.1/127.0.0.1:2181, sessionid = 0x1390fd2ee630003, negotiated 
> timeout = 40000
> [10-Aug-2012 11:00:44.569 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> RECONNECTED
> [10-Aug-2012 11:00:44.569 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.572 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.574 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.576 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.578 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> 
> ClientCnxn:sendSaslPacket:length=0
> [10-Aug-2012 11:00:44.579 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.581 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.583 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.585 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.587 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.589 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.591 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient$2> 
> saslClient.evaluateChallenge(len=101)
> [10-Aug-2012 11:00:44.592 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> 
> ClientCnxn:sendSaslPacket:length=272
> [10-Aug-2012 11:00:44.593 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.596 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.598 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.600 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Unable to read additional data 
> from server sessionid 0x1390fd2ee630003, likely server has closed socket, 
> closing socket connection and attempting reconnect
> [10-Aug-2012 11:00:44.701 IST] ERROR 
> <com.netflix.curator.framework.imps.CuratorFrameworkImpl> Background 
> operation retry gave up
> org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode 
> = ConnectionLoss
>                at 
> org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
>                at 
> com.netflix.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:438)
>                at 
> com.netflix.curator.framework.imps.BackgroundSyncImpl$1.processResult(BackgroundSyncImpl.java:49)
>                at 
> org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:606)
>                at 
> org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:495)
> [10-Aug-2012 11:00:44.706 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> LOST
> [10-Aug-2012 11:00:44.708 IST] WARN 
> <com.netflix.curator.framework.state.ConnectionStateManager> 
> ConnectionStateManager queue full - dropping events to make room
> [10-Aug-2012 11:00:44.710 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> SUSPENDED
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to