[
https://issues.apache.org/jira/browse/KUDU-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hao Hao updated KUDU-2267:
--------------------------
Description:
Currently, if a master has never been a leader from the very start of the
cluster, it has just a self-signed cert. And if a client does not have a valid
Kerberos credential but only an authenticated token, then the client may see a
{{org.apache.kudu.client.NonRecoverableException: Server requires Kerberos, but
this client is not authenticated}} error when trying to connect to master
followers, since in that case the SASL authentication type is chosen instead of
token for authentication.
It is safe to ignore this error, as long as the client is able to connect to the
master leader. However, for a long-term fix, masters should probably attempt to
get a signed cert from the leader.
was: Currently, if a master has never been a leader from the very start of the
cluster, it has just a self-signed cert. And if a client does not have a valid
Kerberos credential but only an authenticated token, then the client may see a
{{org.apache.kudu.client.NonRecoverableException: Server requires Kerberos, but
this client is not authenticated}} error when trying to connect to master
followers, since in that case the SASL authentication type is chosen instead of
token for authentication.
> Client may see negotiation failure when talks to master followers with only
> self signed cert
> ---------------------------------------------------------------------------------------------
>
> Key: KUDU-2267
> URL: https://issues.apache.org/jira/browse/KUDU-2267
> Project: Kudu
> Issue Type: Improvement
> Components: client
> Affects Versions: 1.6.0
> Reporter: Hao Hao
> Priority: Major
>
> Currently, if a master has never been a leader from the very start of the
> cluster, it has just a self-signed cert. And if a client does not have a valid
> Kerberos credential but only an authenticated token, then the client may see a
> {{org.apache.kudu.client.NonRecoverableException: Server requires Kerberos,
> but this client is not authenticated}} error when trying to connect to master
> followers, since in that case the SASL authentication type is chosen instead
> of token for authentication.
> It is safe to ignore this error, as long as the client is able to connect to
> the master leader. However, for a long-term fix, masters should probably
> attempt to get a signed cert from the leader.