[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

Wed, 14 Feb 2018 12:48:06 -0800 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364753#comment-16364753
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
-------------------------------------------

Github user eolivelli commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/457#discussion_r168302873
  
    --- Diff: src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java ---
    @@ -1101,8 +1102,16 @@ public void processPacket(ServerCnxn cnxn, 
ByteBuffer incomingBuffer) throws IOE
             } else {
                 if (h.getType() == OpCode.sasl) {
                     Record rsp = processSasl(incomingBuffer,cnxn);
    -                ReplyHeader rh = new ReplyHeader(h.getXid(), 0, 
KeeperException.Code.OK.intValue());
    -                cnxn.sendResponse(rh,rsp, "response"); // not sure about 
3rd arg..what is it?
    +                if (rsp == null) {
    +                    ReplyHeader rh = new ReplyHeader(h.getXid(), 0, 
Code.AUTHFAILED.intValue());
    +                    cnxn.sendResponse(rh, new 
SetSASLResponse(AUTHENTICATION_FAILED.getBytes()), "response"); // not sure 
about 3rd arg..what is it?
    +                    LOG.warn("Closing client connection due to SASL 
authentication failure.");
    --- End diff --
    
    Can we log at least the ip address of the client?


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> ----------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1534
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.3
>         Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>            Reporter: Tally Tsabary
>            Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =========
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 40000 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection due to SASL authentication failure.
> 2012-08-10 11:00:46,742 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1000] - Closed 
> socket connection for client /127.0.0.1:50208 which had sessionid 
> 0x1390fd2ee630004
> 2012-08-10 11:00:46,743 [myid:] - ERROR 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@180] - Unexpected 
> Exception: 
> java.nio.channels.CancelledKeyException
>                at 
> sun.nio.ch.SelectionKeyImpl.ensureValid(SelectionKeyImpl.java:55)
>                at 
> sun.nio.ch.SelectionKeyImpl.interestOps(SelectionKeyImpl.java:59)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.sendBuffer(NIOServerCnxn.java:153)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.sendResponse(NIOServerCnxn.java:1075)
>                at 
> org.apache.zookeeper.server.ZooKeeperServer.processPacket(ZooKeeperServer.java:906)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.readRequest(NIOServerCnxn.java:365)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.readPayload(NIOServerCnxn.java:202)
>                at 
> org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:236)
>                at 
> org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:224)
>                at java.lang.Thread.run(Thread.java:662)
>  {noformat}
>  
> At the corresponding source: org.apache.zookeeper.server.ZooKeeperServer
>  
> {noformat}
> private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws 
> IOException {
>         LOG.debug("Responding to client SASL token.");
>         GetSASLRequest clientTokenRecord = new GetSASLRequest();
>         
> ByteBufferInputStream.byteBuffer2Record(incomingBuffer,clientTokenRecord);
>         byte[] clientToken = clientTokenRecord.getToken();
>         LOG.debug("Size of client SASL token: " + clientToken.length);
>         byte[] responseToken = null;
>         try {
>             ZooKeeperSaslServer saslServer  = cnxn.zooKeeperSaslServer;
>             try {
>                 // note that clientToken might be empty (clientToken.length 
> == 0):
>                 // if using the DIGEST-MD5 mechanism, clientToken will be 
> empty at the beginning of the
>                 // SASL negotiation process.
>                 responseToken = saslServer.evaluateResponse(clientToken);
>                 if (saslServer.isComplete() == true) {
>                     String authorizationID = saslServer.getAuthorizationID();
>                     LOG.info("adding SASL authorization for authorizationID: 
> " + authorizationID);
>                     cnxn.addAuthInfo(new Id("sasl",authorizationID));
>                 }
>             }
>             catch (SaslException e) {
>                 LOG.warn("Client failed to SASL authenticate: " + e);
>                 if ((System.getProperty("zookeeper.allowSaslFailedClients") 
> != null)
>                   &&
>                   
> (System.getProperty("zookeeper.allowSaslFailedClients").equals("true"))) {
>                     LOG.warn("Maintaining client connection despite SASL 
> authentication failure.");
>                 } else {
>                     LOG.warn("Closing client connection due to SASL 
> authentication failure.");
>                     cnxn.close();   Tally: at this stage the socket is closed 
> without sending any notification to the client
>                 }
>             }
>         }
>         catch (NullPointerException e) {
>             LOG.error("cnxn.saslServer is null: cnxn object did not 
> initialize its saslServer properly.");
>         }
>         if (responseToken != null) {
>             LOG.debug("Size of server SASL response: " + 
> responseToken.length);
>         }
>         // wrap SASL response token to client inside a Response object.
>         return new SetSASLResponse(responseToken);
>     }
> {noformat}
>  
>  
> The client log shows that the client identified the socket closer and just 
> retry to connect as if the zk server just went down..
> {noformat}
> [10-Aug-2012 11:00:44.558 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Opening socket connection to 
> server 127.0.0.1/127.0.0.1:2181
> [10-Aug-2012 11:00:44.559 IST] INFO 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> Found Login Context section 
> 'Client': will use it to attempt to SASL-authenticate.
> [10-Aug-2012 11:00:44.560 IST] INFO 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> Client will use DIGEST-MD5 
> as SASL mechanism.
> [10-Aug-2012 11:00:44.561 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Socket connection established to 
> 127.0.0.1/127.0.0.1:2181, initiating session
> [10-Aug-2012 11:00:44.563 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxn$SendThread> Session establishment request 
> sent on 127.0.0.1/127.0.0.1:2181
> [10-Aug-2012 11:00:44.564 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.566 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.568 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Session establishment complete 
> on server 127.0.0.1/127.0.0.1:2181, sessionid = 0x1390fd2ee630003, negotiated 
> timeout = 40000
> [10-Aug-2012 11:00:44.569 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> RECONNECTED
> [10-Aug-2012 11:00:44.569 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.572 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.574 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.576 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.578 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> 
> ClientCnxn:sendSaslPacket:length=0
> [10-Aug-2012 11:00:44.579 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.581 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.583 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.585 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.587 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.589 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.591 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient$2> 
> saslClient.evaluateChallenge(len=101)
> [10-Aug-2012 11:00:44.592 IST] DEBUG 
> <org.apache.zookeeper.client.ZooKeeperSaslClient> 
> ClientCnxn:sendSaslPacket:length=272
> [10-Aug-2012 11:00:44.593 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:null serverPath:null finished:false header:: 0,3  replyHeader:: 
> 0,0,0  request:: '/dev,F  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.596 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.598 IST] DEBUG 
> <org.apache.zookeeper.ClientCnxnSocketNIO> deferring non-priming packet: 
> clientPath:/ serverPath:/ finished:false header:: 0,9  replyHeader:: 0,0,0  
> request:: '/  response::  until SASL authentication completes.
> [10-Aug-2012 11:00:44.600 IST] INFO 
> <org.apache.zookeeper.ClientCnxn$SendThread> Unable to read additional data 
> from server sessionid 0x1390fd2ee630003, likely server has closed socket, 
> closing socket connection and attempting reconnect
> [10-Aug-2012 11:00:44.701 IST] ERROR 
> <com.netflix.curator.framework.imps.CuratorFrameworkImpl> Background 
> operation retry gave up
> org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode 
> = ConnectionLoss
>                at 
> org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
>                at 
> com.netflix.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:438)
>                at 
> com.netflix.curator.framework.imps.BackgroundSyncImpl$1.processResult(BackgroundSyncImpl.java:49)
>                at 
> org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:606)
>                at 
> org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:495)
> [10-Aug-2012 11:00:44.706 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> LOST
> [10-Aug-2012 11:00:44.708 IST] WARN 
> <com.netflix.curator.framework.state.ConnectionStateManager> 
> ConnectionStateManager queue full - dropping events to make room
> [10-Aug-2012 11:00:44.710 IST] INFO 
> <com.netflix.curator.framework.state.ConnectionStateManager> State change: 
> SUSPENDED
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to