Posted to dev@zookeeper.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2015/12/15 19:04:46 UTC

[jira] [Commented] (ZOOKEEPER-2346) SASL Auth failure manifested to client as connection refusal

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058445#comment-15058445 ] 

Steve Loughran commented on ZOOKEEPER-2346:
-------------------------------------------

If the ZK service cannot authenticate the SASL connection, the client (here slider) will only see a connection refused message.

server logs

{code}
2015-12-15 14:35:08,265 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
2015-12-15 14:35:08,266 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@975] - Closing client connection due to SASL authentication failure.

+ a stack trace in nio, which sees the connection closed and is surprised by the unexpected state
{code}

The client sees a connection closure and reacts to it by trying to re-open the connection, until eventually it gives up:
{code}
2015-12-15 15:07:46,066 [main-SendThread(devix.cotham.uk:2181)] WARN  zookeeper.ClientCnxn (run(1102)) - Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
java.net.ConnectException: Connection refused
	at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
	at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:739)
	at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:361)
	at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1081)
2015-12-15 15:07:46,169 [main] ERROR curator.ConnectionState (checkTimeouts(200)) - Connection timed out for connection string (devix.cotham.uk:2181) and timeout (15000) / elapsed (31695)
org.apache.curator.CuratorConnectionLossException: KeeperErrorCode = ConnectionLoss
{code}

This means that what appears to be a connectivity problem is actually an authentication problem —you need to look at the ZK server logs to identify the cause.

> SASL Auth failure manifested to client as connection refusal
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2346
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2346
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.6
>            Reporter: Steve Loughran
>
> If a client can't authenticate via SASL then (a) the stack trace is lost on the server logs, and (b) it is exposed to the client as a connection refusal. This results in curator retrying many times before giving up —and with the cause being misinterpreted as a server-down problem, rather than a client-not-trusted problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
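
Added example, not part of the original message or of ZooKeeper itself: a triage script for the failure mode described above, which checks the server log for SASL authentication failures before a client-side "Connection refused" is treated as an outage. The function names are hypothetical, the sample lines are the ones quoted in the comment, and the check assumes both logs cover the same time window (it does not correlate timestamps or client addresses).

```python
import re
from collections import Counter

# Sample input: the server and client log lines quoted in the comment above.
SERVER_LOG = """\
2015-12-15 14:35:08,265 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
2015-12-15 14:35:08,266 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@975] - Closing client connection due to SASL authentication failure.
"""
CLIENT_LOG = """\
2015-12-15 15:07:46,066 [main-SendThread(devix.cotham.uk:2181)] WARN  zookeeper.ClientCnxn (run(1102)) - Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
java.net.ConnectException: Connection refused
"""

SASL_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - WARN .*?"
    r"Client failed to SASL authenticate: (?P<detail>.*)$")
# The innermost GSS cause: "(Mechanism level: <message> (<minor code>))"
MECH = re.compile(r"Mechanism level: (?P<msg>.*?) \((?P<code>\d+)\)\)")

def sasl_failures(server_log):
    """Return one dict per SASL authentication failure in a ZK server log."""
    out = []
    for line in server_log.splitlines():
        m = SASL_FAIL.match(line)
        if not m:
            continue
        mech = MECH.search(m.group("detail"))
        out.append({
            "ts": m.group("ts"),
            # Fall back to the whole exception text if no GSS cause is present.
            "reason": mech.group("msg") if mech else m.group("detail"),
            "code": int(mech.group("code")) if mech else None,
        })
    return out

def triage(client_log, server_log):
    """Classify a client-side connection error using the server's view."""
    markers = ("ConnectException: Connection refused", "ConnectionLoss")
    if not any(mark in client_log for mark in markers):
        return "no-connection-error", Counter()
    failures = sasl_failures(server_log)
    reasons = Counter((f["reason"], f["code"]) for f in failures)
    return ("authentication" if failures else "connectivity"), reasons

if __name__ == "__main__":
    verdict, reasons = triage(CLIENT_LOG, SERVER_LOG)
    print(verdict, dict(reasons))
```
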