Posted to user@zookeeper.apache.org by rajsura <ra...@gmail.com> on 2020/05/08 15:35:32 UTC

ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Hello,

With 'DynamicReconfig' feature in v3.5.7, ideally the servers can be added
and removed without restarting ZooKeeper service on any of the nodes.

But with Kerberos-based quorum authentication/authorization enabled via
'_HOST' principal check, this is not possible, because when you try to add
a new server, it won't be able to connect to any of the members in the node
and won't be synced, as all the members reject it based on authorization.
For it to work, you need to do 'reconfig', then restart leader, the new
member and rest of the members.

Is this the expected behavior with DynamicReconfig? Or am I missing
something here?



--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Posted by rajsura <ra...@gmail.com>.
Thanks Mate.

This is easily reproducible in a Kerberos (GSSAPI via SASL) enabled quorum
based ensemble. So, I have raised
https://issues.apache.org/jira/browse/ZOOKEEPER-3824.

Regards,
Rajkiran



--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
Hi Rakiran,

FYI: we are setting kerberos.removeHostFromPrincipal=true
and kerberos.removeRealmFromPrincipal=true in our configs in production.
Although I am not sure if they are also affecting quorum SASL too and not
only client SASL.
But also, we don't use dynamic reconfig in production yet.

But I agree with Enrico, this smells like a bug. If the principals with the
new hosts are properly configured in Kerberos, then the
Quorum Authentication should work I think.

Kind regards,
Mate

On Sat, May 9, 2020 at 7:24 AM rajsura <ra...@gmail.com> wrote:

> Hi Enrico,
>
> Thanks again for your reply.
>
> Yes, I have this problem in both production and test environments.
>
> For now, after reconfig, we are doing a rolling restart of the members. It
> would be great if you can loop in some users of reconfig and quorum authn/authz.
>
> Regards,
> Rajkiran
>
>
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>

Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Posted by Bob Sheehan <bs...@vmware.com>.
unsubscribe




Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Posted by rajsura <ra...@gmail.com>.
Hi Enrico,

Thanks again for your reply.

Yes, I have this problem in both production and test environments.

For now, after reconfig, we are doing a rolling restart of the members. It
would be great if you can loop in some users of reconfig and quorum authn/authz.

Regards,
Rajkiran



--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: ZooKeeper dynamic reconfig issue when Quorum authn/authz is enabled

Posted by Enrico Olivelli <eo...@gmail.com>.
On Fri, May 8, 2020, 17:35 rajsura <ra...@gmail.com> wrote:

> Hello,
>
> With 'DynamicReconfig' feature in v3.5.7, ideally the servers can be added
> and removed without restarting ZooKeeper service on any of the nodes.
>
> But with Kerberos-based quorum authentication/authorization enabled via
> '_HOST' principal check, this is not possible, because when you try to add
> a new server, it won't be able to connect to any of the members in the node
> and won't be synced, as all the members reject it based on authorization.
> For it to work, you need to do 'reconfig', then restart leader, the new
> member and rest of the members.
>
> Is this the expected behavior with DynamicReconfig? Or am I missing
> something here?
>

Rajani
It looks like a bug.
Do you have this problem in production or in a test environment?

I am not a user of reconfig, I hope that someone else on this list can give
more help.

Enrico



>
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>