[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3824?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rajkiran Sura updated ZOOKEEPER-3824:
-------------------------------------
    Description: 
With 'DynamicReconfig' feature in v3.5.6, ideally the servers can be added and 
removed without restarting ZooKeeper service on any of the nodes.

But, with Kerberos (GSSAPI via SASL) enabled quorum 
authentication/authorization, this is not possible, because when you try to 
add a new server, it won't be able to connect to any of the members in the 
ensemble and the data won't be synced. This is because all the members reject 
it based on authorization. For this to work, we need to do 'reconfig', 
then restart the leader, the new member and the rest of the members.

Is this the expected behavior with Quorum-auth + DynamicReconfig? Or am I 
missing something here?

This is our basic quorum-auth config:
{quote}quorum.auth.serverRequireSasl=true
 quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
 quorum.auth.enableSasl=true
 quorum.auth.learner.saslLoginContext=QuorumLearner
 quorum.auth.learnerRequireSasl=true
 quorum.cnxn.threads.size=20
 quorum.auth.server.saslLoginContext=QuorumServer
{quote}
FTR: I raised this question in [ZooKeeper-user 
forum|http://zookeeper-user.578899.n2.nabble.com/ZooKeeper-dynamic-reconfig-issue-when-Quorum-authn-authz-is-enabled-td7584927.html]
 and both Mate and Enrico suspect this to be a bug.

Also, this is easily reproducible in a Kerberos (GSSAPI via SASL) enabled quorum 
based ensemble.

 

Regards,

Rajkiran

 


> ZooKeeper dynamic reconfig doesn't work with GSSAPI/SASL enabled Quorum 
> authn/z
> -------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3824
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3824
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, leaderElection, quorum, server
>    Affects Versions: 3.5.6
>         Environment: O.S. :- RHEL7
>            Reporter: Rajkiran Sura
>            Priority: Major
>
> With 'DynamicReconfig' feature in v3.5.6, ideally the servers can be added 
> and removed without restarting ZooKeeper service on any of the nodes.
> But, with Kerberos (GSSAPI via SASL) enabled quorum 
> authentication/authorization, this is not possible, because when you try to 
> add a new server, it won't be able to connect to any of the members in the 
> ensemble and the data won't be synced. This is because all the members reject 
> it based on authorization. For this to work, we need to do 
> 'reconfig', then restart the leader, the new member and the rest of the members.
> Is this the expected behavior with Quorum-auth + DynamicReconfig? Or am I 
> missing something here?
> This is our basic quorum-auth config:
> {quote}quorum.auth.serverRequireSasl=true
>  quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
>  quorum.auth.enableSasl=true
>  quorum.auth.learner.saslLoginContext=QuorumLearner
>  quorum.auth.learnerRequireSasl=true
>  quorum.cnxn.threads.size=20
>  quorum.auth.server.saslLoginContext=QuorumServer
> {quote}
> FTR: I raised this question in [ZooKeeper-user 
> forum|http://zookeeper-user.578899.n2.nabble.com/ZooKeeper-dynamic-reconfig-issue-when-Quorum-authn-authz-is-enabled-td7584927.html]
>  and both Mate and Enrico suspect this to be a bug.
> Also, this is easily reproducible in a Kerberos (GSSAPI via SASL) enabled 
> quorum based ensemble.
>  
> Regards,
> Rajkiran
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
