Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled
Thanks Mate.

This is easily reproducible in a Kerberos (GSSAPI via SASL) enabled quorum based ensemble. So, I have raised https://issues.apache.org/jira/browse/ZOOKEEPER-3824.

Regards,
Rajkiran

--
Sent from: http://zookeeper-user.578899.n2.nabble.com/
Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled
Hi Rajkiran,

FYI: we are setting kerberos.removeHostFromPrincipal=true and kerberos.removeRealmFromPrincipal=true in our configs in production. Although I am not sure if they are also affecting quorum SASL too and not only client SASL. But also, we don't use dynamic reconfig in production yet.

But I agree with Enrico, this smells like a bug. If the principals with the new hosts are properly configured in Kerberos, then the Quorum Authentication should work, I think.

Kind regards,
Mate

On Sat, May 9, 2020 at 7:24 AM rajsura wrote:

> Hi Enrico,
>
> Thanks again for your reply.
>
> Yes, I have this problem in both production and test environments.
>
> For now, after reconfig, we are doing a rolling restart of the members. It would be
> great if you can loop in some users of reconfig and quorum authn/authz.
>
> Regards,
> Rajkiran
Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled
Hi Enrico,

Thanks again for your reply.

Yes, I have this problem in both production and test environments.

For now, after reconfig, we are doing a rolling restart of the members. It would be great if you can loop in some users of reconfig and quorum authn/authz.

Regards,
Rajkiran
Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled
On Fri, May 8, 2020, 17:35 rajsura wrote:

> Hello,
>
> With 'DynamicReconfig' feature in v3.5.7, ideally the servers can be added
> and removed without restarting ZooKeeper service on any of the nodes.
>
> But, with Kerberos based quorum authentication/authorization enabled via
> '_HOST' principal check, this is not possible. Because, when you try to add
> a new server, it won't be able to connect to any of the members in the node
> and won't be synced. As all the members reject it based on authorization.
> For it to work, you need to do 'reconfig', then restart leader, the new
> member and rest of the members.
>
> Is this the expected behavior with DynamicReconfig? Or am I missing
> something here.
> Rajani

It looks like a bug.

Do you have this problem in production or in a test environment?

I am not a user of reconfig, I hope that someone else on this list can give more help.

Enrico
ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled
Hello,

With 'DynamicReconfig' feature in v3.5.7, ideally the servers can be added and removed without restarting ZooKeeper service on any of the nodes.

But, with Kerberos based quorum authentication/authorization enabled via '_HOST' principal check, this is not possible. Because, when you try to add a new server, it won't be able to connect to any of the members in the node and won't be synced. As all the members reject it based on authorization. For it to work, you need to do 'reconfig', then restart leader, the new member and rest of the members.

Is this the expected behavior with DynamicReconfig? Or am I missing something here.