Hi Sebastian, thanks for the additional details!

One thing I found in your config is that you should use:

quorum.auth.learner.saslLoginContext=QuorumLearner
quorum.auth.server.saslLoginContext=QuorumServer

so instead of loginContext, use saslLoginContext in both lines. I found this in the source code, I think the wiki is wrong (I will fix it later). However, actually this didn't really change anything, as the default values are anyway QuorumLearner and QuorumServer, so you can even skip these lines from the config.

I think Rakesh is right, you are seeing exceptions related not to the QuorumSasl, but to the ClientSasl. This is why ZooKeeper tries to find the 'Server' section (which configures the server during the client-server authentication). The name of this section can be overwritten by the "zookeeper.sasl.serverconfig" system property.

Based on the exception, ZooKeeper cannot find the 'Server' section in the /opt/zookeeper-cluster/zookeeper/conf/jaas.conf file. Are you sure this is the correct jaas.conf? Does the ZooKeeper process have the permissions to open this file? You can specify the jaas config file path for ZooKeeper by providing a custom system property, e.g. by exporting SERVER_JVMFLAGS="-Djava.security.auth.login.config=/path/to/jaas.conf" before starting zkServer.sh

Also in the jaas.conf you copied here, you are missing a semicolon from the end of the last line in the Server block. I am not sure if it is causing any parsing error, but I always add the semicolon to the end of the last line in the block.

Mate

On Tue, Feb 11, 2020 at 7:53 PM Sebastian Schmitz <sebastian.schm...@propellerhead.co.nz> wrote:

> Hello Rakesh,
>
> as mentioned in the other mail adding the "Server" to jaas.conf didn't help.
>
> Here are the Configs and Logs (with the Server-part included):
>
> jaas.conf:
> QuorumServer {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_zookeeper="test";
> };
>
> QuorumClient {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="zookeeper"
>     password="test";
> };
>
> Server {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_zookeeper="test"
> };
>
> Client {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="zookeeper"
>     password="test";
> };
>
> zoo.cfg:
> # The number of milliseconds of each tick
> tickTime=2000
> # The number of ticks that the initial
> # synchronization phase can take
> initLimit=10
> # The number of ticks that can pass between
> # sending a request and getting an acknowledgement
> syncLimit=5
> # the directory where the snapshot is stored.
> # do not use /tmp for storage, /tmp here is just
> # example sakes.
> dataDir=/mnt/zk_data
> # the port at which the clients will connect
> clientPort=2181
> # the maximum number of client connections.
> # increase this if you need to handle more clients
> #maxClientCnxns=60
> #
> # Be sure to read the maintenance section of the
> # administrator guide before turning on autopurge.
> #
> # http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
> #
> # The number of snapshots to retain in dataDir
> #autopurge.snapRetainCount=3
> # Purge task interval in hours
> # Set to "0" to disable auto purge feature
> #autopurge.purgeInterval=1
> dataLogDir=/mnt/zk_data_log
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=24
> quorum.auth.enableSasl=true
> quorum.auth.learnerRequireSasl=false
> quorum.auth.serverRequireSasl=false
> quorum.auth.learner.loginContext=QuorumLearner
> quorum.auth.server.loginContext=QuorumServer
> quorum.cnxn.threads.size=20
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> secureClientPort=2281
> server.1=0.0.0.0:2888:3888
> server.2=kafkad02.x.azure.com:2888:3888
> server.3=kafkad03.x.azure.com:2888:3888
>
> Server-Log:
> Using config: /opt/zookeeper-cluster/zookeeper/bin/../conf/zoo.cfg
> Feb 11, 2020 18:43:53 +0000 [1 1] com.newrelic INFO: New Relic Agent: Loading configuration file "/opt/zookeeper-cluster/newrelic/./newrelic.yml"
> Feb 11, 2020 18:43:53 +0000 [1 1] com.newrelic INFO: Using default collector host: collector.newrelic.com
> Feb 11, 2020 18:43:53 +0000 [1 1] com.newrelic INFO: New Relic Agent: Writing to log file: /opt/zookeeper-cluster/newrelic/logs/newrelic_agent.log
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by com.newrelic.weave.weavepackage.NewClassAppender (file:/opt/zookeeper-cluster/newrelic/newrelic.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
> WARNING: Please consider reporting this to the maintainers of com.newrelic.weave.weavepackage.NewClassAppender
> WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> 2020-02-11 18:43:59,257 [myid:] - INFO [main:QuorumPeerConfig@136] - Reading configuration from:
> /opt/zookeeper-cluster/zookeeper/bin/../conf/zoo.cfg
> 2020-02-11 18:43:59,477 [myid:] - INFO [main:QuorumPeer$QuorumServer@185] - Resolved hostname: kafkad02.x.azure.com to address: kafkad02.x.azure.com/1.2.3.4
> 2020-02-11 18:43:59,477 [myid:] - INFO [main:QuorumPeer$QuorumServer@185] - Resolved hostname: 0.0.0.0 to address: /0.0.0.0
> 2020-02-11 18:43:59,666 [myid:] - INFO [main:QuorumPeer$QuorumServer@185] - Resolved hostname: kafkad03.x.azure.com to address: kafkad03.x.azure.com/1.2.3.5
> 2020-02-11 18:43:59,666 [myid:] - INFO [main:QuorumPeerConfig@398] - Defaulting to majority quorums
> 2020-02-11 18:43:59,677 [myid:1] - INFO [main:DatadirCleanupManager@78] - autopurge.snapRetainCount set to 3
> 2020-02-11 18:43:59,677 [myid:1] - INFO [main:DatadirCleanupManager@79] - autopurge.purgeInterval set to 24
> 2020-02-11 18:43:59,732 [myid:1] - INFO [PurgeTask:DatadirCleanupManager$PurgeTask@138] - Purge task started.
> 2020-02-11 18:43:59,749 [myid:1] - INFO [main:QuorumPeerMain@130] - Starting quorum peer
> 2020-02-11 18:43:59,788 [myid:1] - INFO [main:ServerCnxnFactory@117] - Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
> 2020-02-11 18:43:59,804 [myid:1] - INFO [PurgeTask:DatadirCleanupManager$PurgeTask@144] - Purge task completed.
> '.20-02-11 18:43:59,826 [myid:1] - ERROR [main:ServerCnxnFactory@210] - No JAAS configuration section named 'Server' was foundin '/opt/zookeeper-cluster/zookeeper/conf/jaas.conf
> 2020-02-11 18:43:59,827 [myid:1] - ERROR [main:QuorumPeerMain@92] - Unexpected exception, exiting abnormally
> java.io.IOException: No JAAS configuration section named 'Server' was foundin '/opt/zookeeper-cluster/zookeeper/conf/jaas.conf
> '.
>     at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:211)
>     at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:82)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:133)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:114)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:81)
>
> Best regards
>
> Sebastian
>
> On 12-Feb-20 2:36 AM, Rakesh Radhakrishnan wrote:
> > >>>>>java.io.IOException: No JAAS configuration section named 'Server'
> >
> > I could see you have enabled client-server authentication as well. It looks to me that the error is coming from that. Please share the complete error logs to trace it.
> > Have you configured "*Server*" section along with the "*QuorumServer*" and "*QuorumClient*" sections? If not, please configure "*Server*" section along with others and try it out.
> >
> > Reference: https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >
> > Thanks,
> > Rakesh
> >
> > On Tue, Feb 11, 2020 at 7:26 AM Sebastian Schmitz <sebastian.schm...@propellerhead.co.nz> wrote:
> >
> >     Hello,
> >
> >     I'm currently looking into enabling the Auth between Zookeeper-Servers and found this documentation:
> >
> >     https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> >
> >     However, when I use the config from the document (for Digest-MD5) I get this exception in Zookeeper 3.4.14 and also 3.5.6, which I tried because I thought using latest version could help:
> >     java.io.IOException: No JAAS configuration section named 'Server' was found in '/opt/zookeeper-cluster/zookeeper/conf/jaas.conf
> >
> >     And of course that's right, because there's only QuorumServer and QuorumClient in the jaas.conf:
> >
> >     jaas.conf:
> >     QuorumServer {
> >         org.apache.zookeeper.server.auth.DigestLoginModule required
> >         user_zookeeper="test";
> >     };
> >
> >     QuorumClient {
> >         org.apache.zookeeper.server.auth.DigestLoginModule required
> >         username="zookeeper"
> >         password="test";
> >     };
> >
> >     I also tried renaming the QuorumServer to just "Server". No change.
> >
> >     My zoo.cfg:
> >     tickTime=2000
> >     initLimit=10
> >     syncLimit=5
> >     dataDir=/mnt/zk_data
> >     clientPort=2181
> >     dataLogDir=/mnt/zk_data_log
> >     autopurge.snapRetainCount=3
> >     autopurge.purgeInterval=24
> >     quorum.auth.enableSasl=true
> >     quorum.auth.learnerRequireSasl=false
> >     quorum.auth.serverRequireSasl=false
> >     quorum.auth.learner.loginContext=QuorumLearner
> >     quorum.auth.server.loginContext=QuorumServer
> >     quorum.cnxn.threads.size=20
> >     authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >     secureClientPort=2281
> >     server.1=0.0.0.0:2888:3888
> >
> >     Any idea what I could try?
> >     Or maybe there's some better document on how to achieve this?
> >
> >     Thank you
> >
> >     Sebastian
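
The jaas.conf checks raised in this thread, as an added example (not part of the original e-mails and not ZooKeeper code): a small Python linter, with the hypothetical name lint_jaas, that reports a login-module entry lacking its closing semicolon and any absent section among 'Server' and the default quorum login contexts QuorumServer and QuorumLearner named in the reply. The embedded sample is the jaas.conf quoted above, re-indented; treating those three section names as required is an assumption of the example.

```python
import re

# Constructed sample: the jaas.conf quoted in this thread, re-indented.
SAMPLE_JAAS = '''
QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_zookeeper="test";
};
QuorumClient {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="zookeeper"
    password="test";
};
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_zookeeper="test"
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="zookeeper"
    password="test";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;?', re.S)

def lint_jaas(text, required=("Server", "QuorumServer", "QuorumLearner")):
    """Return findings for a JAAS login configuration (last entry per section only)."""
    findings = []
    # Blank quoted values so '{', '}' or ';' inside a password cannot confuse the scan.
    bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', text)
    sections = set()
    for m in SECTION_RE.finditer(bare):
        name, body = m.group(1), m.group(2).strip()
        sections.add(name)
        if not body:
            findings.append(f"{name}: no login module entry")
        elif not body.endswith(";"):
            findings.append(f"{name}: last entry is not terminated by ';'")
        if not m.group(0).rstrip().endswith(";"):
            findings.append(f"{name}: block is not closed with '}};'")
    for name in required:  # assumed-required section names, see lead-in
        if name not in sections:
            findings.append(f"missing section '{name}'")
    return findings

if __name__ == "__main__":
    for finding in lint_jaas(SAMPLE_JAAS):
        print(finding)
```

Pass a different `required` tuple when the section names are overridden, for example through the zookeeper.sasl.serverconfig property mentioned in the reply.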