Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-3297

KRPC connection negotiation fails with RedHat/CentOS cyrus-sasl-gssapi-2.1.27-5 for secure clusters

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.7.1, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.11.1, 1.13.0, 1.14.0, 1.15.0
    • 1.16.0
    • client, master, rpc, tserver
    • None

    Description

      With the recent RedHat/CentOS 8 update on the cyrus-sasl-gssapi package, Kudu servers and C++ clients can no longer negotiate connections when GSSAPI is involved (that's so for secure clusters where Kerberos-based authentication is a must). In other words, when the cyrus-sasl-gssapi package is upgraded up to 2.1.27-5 version, secure Kudu clusters are no longer functional.

      The issue manifests itself by failed RPC connection negotiation with the following error logged along with the full connection negotiation trace:

      Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775
      

      The breaking change is in the following pull request for cyrus-sasl which has been pulled into the cyrus-sasl-gssapi-2.1.27-5 package: https://github.com/cyrusimap/cyrus-sasl/pull/603 That patch is named as cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch in the SRPM for the cyrus-sasl package.

      The workaround is to roll back the cyrus-sasl-gssapi package back to 2.1.27-1 or earlier versions.

      Attachments

        Issue Links

          Activity

            People

              aserbin Alexey Serbin
              aserbin Alexey Serbin
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: