Alexey Serbin created KUDU-3297:
-----------------------------------

             Summary: KRPC connection negotiation fails with RedHat/CentOS cyrus-sasl-gssapi-2.1.27-5 for secure clusters
                 Key: KUDU-3297
                 URL: https://issues.apache.org/jira/browse/KUDU-3297
             Project: Kudu
          Issue Type: Bug
          Components: client, master, rpc, tserver
    Affects Versions: 1.14.0, 1.13.0, 1.11.1, 1.12.0, 1.11.0, 1.10.1, 1.10.0, 1.9.0, 1.7.1, 1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0, 1.15.0
            Reporter: Alexey Serbin


With the recent CentOS/RedHat 8 update of the {{cyrus-sasl-gssapi}} package, 
Kudu servers and C++ clients can no longer negotiate connections when GSSAPI is 
involved (that's so for secure clusters where Kerberos-based authentication is 
a must).  In other words, when the {{cyrus-sasl-gssapi}} package is upgraded to 
version {{2.1.27-5}}, secure Kudu clusters are no longer functional.

The issue manifests itself as failed RPC connection negotiation, with the 
following error logged along with the full connection negotiation trace:

{noformat}
Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a 
callback: 32775"
{noformat}

The breaking change is in the following pull request for cyrus-sasl, which has 
been pulled into the {{cyrus-sasl-gssapi-2.1.27-5}} package: 
https://github.com/cyrusimap/cyrus-sasl/pull/603  This patch is named 
{{cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch}} in 
the SRPM for the {{cyrus-sasl}} package.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
