subject:"\[jira\] \[Commented\] \(ZOOKEEPER\-1534\) Zookeeper server do not send Sal authentication failure notification to the client"

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-02-14 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16364753#comment-16364753
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
---

Github user eolivelli commented on a diff in the pull request:

https://github.com/apache/zookeeper/pull/457#discussion_r168302873
  
--- Diff: src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java ---
@@ -1101,8 +1102,16 @@ public void processPacket(ServerCnxn cnxn, 
ByteBuffer incomingBuffer) throws IOE
 } else {
 if (h.getType() == OpCode.sasl) {
 Record rsp = processSasl(incomingBuffer,cnxn);
-ReplyHeader rh = new ReplyHeader(h.getXid(), 0, 
KeeperException.Code.OK.intValue());
-cnxn.sendResponse(rh,rsp, "response"); // not sure about 
3rd arg..what is it?
+if (rsp == null) {
+ReplyHeader rh = new ReplyHeader(h.getXid(), 0, 
Code.AUTHFAILED.intValue());
+cnxn.sendResponse(rh, new 
SetSASLResponse(AUTHENTICATION_FAILED.getBytes()), "response"); // not sure 
about 3rd arg..what is it?
+LOG.warn("Closing client connection due to SASL 
authentication failure.");
--- End diff --

Can we log at least the ip address of the client?


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 4 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-02-14 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16364755#comment-16364755
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
---

Github user eolivelli commented on a diff in the pull request:

https://github.com/apache/zookeeper/pull/457#discussion_r168304302
  
--- Diff: src/java/test/org/apache/zookeeper/test/WatcherAuthTest.java ---
@@ -0,0 +1,84 @@
+package org.apache.zookeeper.test;
+
+import org.apache.zookeeper.WatchedEvent;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.client.ZKClientConfig;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.concurrent.LinkedBlockingQueue;
+
+import static org.apache.zookeeper.test.ClientBase.createTmpDir;
+
+public class WatcherAuthTest {
--- End diff --

I am sorry, I can't find in this test where ate we starting the server


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 4 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection due to SASL authentication failure.
> 2012-08-10 11:00:46,742 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1000] - Closed 
> socket

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-02-14 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16364756#comment-16364756
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
---

Github user eolivelli commented on a diff in the pull request:

https://github.com/apache/zookeeper/pull/457#discussion_r168302735
  
--- Diff: 
src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java ---
@@ -310,6 +313,9 @@ public void respondToServer(byte[] serverToken, 
ClientCnxn cnxn) {
 // TODO: introspect about runtime environment (such as 
jaas.conf)
 saslState = SaslState.FAILED;
 throw new SaslException("Error in authenticating with a 
Zookeeper Quorum member: the quorum member's saslToken is null.");
+} else if (new String(saslToken).equals(AUTHENTICATION_FAILED)) {
--- End diff --

Not setting an explicit charset is a code smell, in this case we are using 
only chars so it won't be a gread deal, but it is better ti have clean code 


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 4 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection due to SASL authentication failure.
> 2012-08-10 11:00:46,742 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1000] - Closed 
> socket connection for client /127.0.0.1:50208 which had sessionid 
> 0x1390fd2ee630004
> 2012-08-10 11:00:46,743 [myid:] - ERROR 
>

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-02-14 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16364754#comment-16364754
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
---

Github user eolivelli commented on a diff in the pull request:

https://github.com/apache/zookeeper/pull/457#discussion_r168303288
  
--- Diff: src/java/test/org/apache/zookeeper/test/WatcherAuthTest.java ---
@@ -0,0 +1,84 @@
+package org.apache.zookeeper.test;
+
+import org.apache.zookeeper.WatchedEvent;
+import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.client.ZKClientConfig;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.concurrent.LinkedBlockingQueue;
+
+import static org.apache.zookeeper.test.ClientBase.createTmpDir;
+
+public class WatcherAuthTest {
+
+protected static final Logger LOG = 
LoggerFactory.getLogger(WatcherTest.class);
+
+private class MyWatcher extends ClientBase.CountdownWatcher {
+LinkedBlockingQueue events =
+new LinkedBlockingQueue();
+
+@Override
+public void process(WatchedEvent event) {
+super.process(event);
+if (event.getState() == Event.KeeperState.AuthFailed) {
+try {
+events.put(event);
+} catch (InterruptedException e) {
+LOG.warn("ignoring interrupt during event.put");
+}
+}
+}
+}
+
+@Before
+public void setUp() throws Exception {
+// Reset to default value since some test cases set this to true.
+// Needed for JDK7 since unit test can run is random order
+System.setProperty(ZKClientConfig.DISABLE_AUTO_WATCH_RESET, 
"false");
+}
+
+// Note: This test only works with a real ZKServer, running with 
TestServer masks the bug
+@Ignore
+@Test
+public void testWatcherCanGetAuthFailedEvents() throws Exception {
+MyWatcher myWatcher = new MyWatcher();
+
System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+try {
+File tmpDir = createTmpDir();
+File saslConfFile = new File(tmpDir, "jaas.conf");
+FileWriter fwriter = new FileWriter(saslConfFile);
+
+fwriter.write("" +
+"Server {\n" +
+"  
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+"  user_super=\"test\";\n" +
+"};\n" +
+"Client {\n" +
+"   
org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
+"   username=\"super\"\n" +
+"   password=\"test1\";\n" + // NOTE: wrong 
password ('test' != 'test1') : this is to test SASL authentication failure.
+"};" + "\n");
+fwriter.close();
+
System.setProperty("java.security.auth.login.config",saslConfFile.getAbsolutePath());
+}
+catch (IOException e) {
+// could not create tmp directory to hold JAAS conf file.
+}
+
+// Specify your ZK Server endpoints here
+ZooKeeper zk = new ZooKeeper("127.0.0.1:2281", 2, myWatcher);
--- End diff --

We should close this handle


> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
>

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-02-05 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16352617#comment-16352617
 ] 

ASF GitHub Bot commented on ZOOKEEPER-1534:
---

GitHub user craz186 opened a pull request:

https://github.com/apache/zookeeper/pull/457

ZOOKEEPER-1534: ZookeeperServer now returns AuthFailed events for SASL cred 
failures

ZookeeperServer previously closed client connections instead of returning 
AuthFailed events for SASL authentication failures.
This PR changes the Zookeeper Server to return an AuthFailed event and then 
afterwards closes the connection. 
I am unsure of the standard for SetSaslResponses and would appreciate any 
feedback as to how to represent a failed Authentication through SetSaslResponse 
objects. Currently I am just returning a string.

Note: The unit test I've supplied will only work with a real ZKServer, it 
seems that the testing server hides this bug and I've been unable to reproduce 
with the Testing Server. 

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/craz186/zookeeper ZOOKEEPER-1534

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zookeeper/pull/457.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #457


commit add6963b8e62f3ccdaf80f1a02428544c3a105d8
Author: sean.gibbons 
Date:   2018-02-05T16:09:59Z

ZOOKEEPER-1534: ZookeeperServer now returns AuthFailed events instead of 
closing client connection when SASL authentication uses invalid credentials, 
added unit test to demonstrate




> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 4 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm:

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

2018-01-26 Thread Sean Gibbons (JIRA)


[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16341308#comment-16341308
 ] 

Sean Gibbons commented on ZOOKEEPER-1534:
-

This is an issue affecting my use of Zookeeper. In my use case if a client 
supplies wrong credentials we only receive ConectionLoss events without 
receiving an AuthFailed event. This can lead to confusion in production 
environments where network outages can occur, often we have to request that 
Environments view the passwords on each server to ensure that they are all 
correct since we receive the same event (ConnectionLoss) for incorrect SASL 
credentials and when the network is down. 
I have a patch for this I am preparing but may need some advice on how to 
format a standardized AuthFailed SetSASLResponse.

> Zookeeper server do not send Sal authentication failure notification to the 
> client
> --
>
> Key: ZOOKEEPER-1534
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1534
> Project: ZooKeeper
>  Issue Type: Bug
>  Components: server
>Affects Versions: 3.4.3
> Environment: Windows 7. Zookeeper 3.4.3 Curator 1.1.15  Java 1.6
>Reporter: Tally Tsabary
>Priority: Major
>
> Server side: zookeeper 3.4.3 with patch ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Client side: java, Curator 1.1.15, zookeeper 3.4.3 with patch 
> ZOOKEEPER-1437.patch 22/Jun/12 00:24
> Environment configured to use Sasl authentication.
> While the authenticatiion is successful, everything works fine.
> In case of authentication failue, it seems that the zk server catch the 
> SaslException and close the socket without sending any additional 
> notification to the client, so despite the client has an implementation to 
> handle Sasl authentication failure, it is never used…
>  
> Details:
> =
>  
>  
> zk server log:
> {noformat}
> 2012-08-10 11:00:46,730 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@213] - 
> Accepted socket connection from /127.0.0.1:50208
> 2012-08-10 11:00:46,731 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@780] - Session 
> establishment request from client /127.0.0.1:50208 client's lastZxid is 0x0
> 2012-08-10 11:00:46,731 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@838] - Client 
> attempting to establish new session at /127.0.0.1:50208
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@88] - Processing request:: 
> sessionid:0x1390fd2ee630004 type:createSession cxid:0x0 zxid:0x26b 
> txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,733 [myid:] - DEBUG 
> [SyncThread:0:FinalRequestProcessor@160] - sessionid:0x1390fd2ee630004 
> type:createSession cxid:0x0 zxid:0x26b txntype:-10 reqpath:n/a
> 2012-08-10 11:00:46,734 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@604] - 
> Established session 0x1390fd2ee630004 with negotiated timeout 4 for 
> client /127.0.0.1:50208
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 0
> 2012-08-10 11:00:46,736 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@954] - Size of 
> server SASL response: 101
> 2012-08-10 11:00:46,740 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@919] - Responding 
> to client SASL token.
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@923] - Size of 
> client SASL token: 272
> 2012-08-10 11:00:46,741 [myid:] - DEBUG 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@106] - 
> client supplied realm: zk-sasl-md5
> 2012-08-10 11:00:46,741 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@939] - Client 
> failed to SASL authenticate: javax.security.sasl.SaslException: DIGEST-MD5: 
> digest response format violation. Mismatched response.
> 2012-08-10 11:00:46,742 [myid:] - WARN  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@945] - Closing 
> client connection due to SASL authentication failure.
> 2012-08-10 11:00:46,742 [myid:] - INFO  
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1000] - Closed 
> socket connection for client /127.0.0.1:50208 which had sessionid 
> 0x1390fd2ee630004
> 2012-08-10 11:00:46,743 [myid:] - ERROR 
> [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@180] - Unexpected 
> Exception: 
> java.nio.channels.CancelledKeyException
>at 
> sun.nio.ch.SelectionKeyImpl.ensureValid(SelectionKeyImpl.java:55)
>at 
>

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

[jira] [Commented] (ZOOKEEPER-1534) Zookeeper server do not send Sal authentication failure notification to the client

6 matches

Site Navigation

Mail list logo

Footer information