Kudu / KUDU-3297

KRPC connection negotiation fails with RedHat/CentOS cyrus-sasl-gssapi-2.1.27-5 for secure clusters

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.7.1, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.11.1, 1.13.0, 1.14.0, 1.15.0
    • Fix Version/s: 1.16.0
    • Component/s: client, master, rpc, tserver
    • Labels: None

    Description

      With the recent RedHat/CentOS 8 update of the cyrus-sasl-gssapi package, Kudu servers and C++ clients can no longer negotiate connections when GSSAPI is involved (that is the case for secure clusters, where Kerberos-based authentication is a must). In other words, when the cyrus-sasl-gssapi package is upgraded to version 2.1.27-5, secure Kudu clusters are no longer functional.

      The issue manifests itself by failed RPC connection negotiation with the following error logged along with the full connection negotiation trace:

      Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775
      

      The breaking change is in the following pull request for cyrus-sasl, which has been pulled into the cyrus-sasl-gssapi-2.1.27-5 package: https://github.com/cyrusimap/cyrus-sasl/pull/603

      That patch is named cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch in the SRPM for the cyrus-sasl package.

      The workaround is to roll the cyrus-sasl-gssapi package back to 2.1.27-1 or an earlier version.
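
A triage sketch for the condition described above, added here as an example and not part of Kudu or cyrus-sasl: it counts the quoted error signature in a log stream and classifies the installed cyrus-sasl-gssapi release using only the two version facts stated in this issue. The function names and the sample log lines are constructed for illustration; the version string is assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' cyrus-sasl-gssapi`.

```bash
# Added triage sketch for KUDU-3297; not part of Kudu or cyrus-sasl.
# Error signature quoted in the issue description.
KUDU3297_SIG='SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775'

# Count stdin lines containing the signature (fixed-string match, no regex).
count_negotiation_failures() {
  grep -cF -- "$KUDU3297_SIG" || true   # grep exits 1 on zero matches
}

# Classify a VERSION-RELEASE string such as the output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' cyrus-sasl-gssapi
# Encodes only what the issue states: 2.1.27-5 carries the breaking patch,
# 2.1.27-1 or earlier is the workaround. Anything else is "unknown".
classify_sasl_gssapi() {
  local vr version release
  vr=$1
  case $vr in *-*) ;; *) echo unknown; return ;; esac
  version=${vr%%-*}
  release=${vr#*-}; release=${release%%.*}        # "5.el8" -> "5"
  case $release in ''|*[!0-9]*) echo unknown; return ;; esac
  if [ "$version" = 2.1.27 ]; then
    if [ "$release" -eq 5 ]; then echo affected
    elif [ "$release" -le 1 ]; then echo workaround
    else echo unknown; fi
  elif [ "$(printf '%s\n' "$version" 2.1.27 | sort -V | head -n 1)" = "$version" ]; then
    echo workaround                               # older upstream version
  else
    echo unknown
  fi
}

# usage: triage VERSION-RELEASE < logfile
triage() {
  local hits state
  hits=$(count_negotiation_failures)
  state=$(classify_sasl_gssapi "$1")
  if [ "$hits" -gt 0 ] && [ "$state" = affected ]; then echo "match hits=$hits"
  elif [ "$hits" -gt 0 ]; then echo "signature-only hits=$hits pkg=$state"
  else echo "no-signature pkg=$state"; fi
}

# Constructed log lines (not captured from a real cluster).
sample_log() {
  cat <<'EOF'
W0301 10:00:01.000000  4242 negotiation.cc:1] Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775
I0301 10:00:02.000000  4242 example.cc:1] unrelated line
W0301 10:00:03.000000  4242 negotiation.cc:1] Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775
EOF
}
```

Releases between 2.1.27-1 and 2.1.27-5, and anything newer, are reported as `unknown` because the issue does not say whether they carry the patch.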

            People

              Assignee: aserbin Alexey Serbin
              Reporter: aserbin Alexey Serbin