[KUDU-3297] KRPC connection negotiation fails with RedHat/CentOS cyrus-sasl-gssapi-2.1.27-5 for secure clusters

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.7.1, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.11.1, 1.13.0, 1.14.0, 1.15.0
    • Fix Version/s: 1.16.0
    • Component/s: client, master, rpc, tserver
    • Labels:
      None

      Description

      With the recent RedHat/CentOS 8 update to the cyrus-sasl-gssapi package, Kudu servers and C++ clients can no longer negotiate connections when GSSAPI is involved (that is the case for secure clusters, where Kerberos-based authentication is a must). In other words, when the cyrus-sasl-gssapi package is upgraded to version 2.1.27-5, secure Kudu clusters are no longer functional.

      The issue manifests itself by failed RPC connection negotiation with the following error logged along with the full connection negotiation trace:

      Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775
      

      The breaking change is in the following pull request for cyrus-sasl, which has been pulled into the cyrus-sasl-gssapi-2.1.27-5 package: https://github.com/cyrusimap/cyrus-sasl/pull/603. That patch is named cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch in the SRPM for the cyrus-sasl package.

      The workaround is to roll back the cyrus-sasl-gssapi package to version 2.1.27-1 or earlier.
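
A triage sketch for the failure described above, added here as an example and not part of the original issue or of Kudu: it counts occurrences of the quoted error in a log stream and classifies an `rpm -q cyrus-sasl-gssapi` result against the two builds the issue names. The function names, the status words (`affected`, `pre-change`, `unverified`) and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example; status names and sample data are constructed here.

# Error text exactly as quoted in the issue description.
SASL_ERR='SASL(-15): mechanism too weak for this user: Unable to find a callback: 32775'

# Count lines on stdin that carry the negotiation error (fixed-string match,
# since the message contains regex metacharacters).
count_negotiation_failures() {
    grep -cF -- "$SASL_ERR" || true
}

# Classify an `rpm -q cyrus-sasl-gssapi` result against the two builds the
# issue names: 2.1.27-5 (breaks negotiation) and 2.1.27-1 or earlier (works).
# Anything else is reported as "unverified" rather than guessed.
classify_sasl_gssapi() {
    vr=${1#cyrus-sasl-gssapi-}            # e.g. 2.1.27-5.el8.x86_64
    case $vr in *-*) ;; *) echo unverified; return 0 ;; esac
    ver=${vr%%-*}                         # upstream version: 2.1.27
    rel=${vr#*-}; rel=${rel%%.*}          # leading release number: 5
    case $ver in ''|*[!0-9.]*) echo unverified; return 0 ;; esac
    case $rel in ''|*[!0-9]*) echo unverified; return 0 ;; esac
    if [ "$ver" = "2.1.27" ]; then
        if [ "$rel" -eq 5 ]; then echo affected
        elif [ "$rel" -le 1 ]; then echo pre-change
        else echo unverified
        fi
        return 0
    fi
    # Different upstream version: only "earlier" ones are covered by the issue.
    # Assumes a sort(1) with -V (GNU coreutils and recent busybox have it).
    oldest=$(printf '%s\n' "$ver" 2.1.27 | sort -V | head -n 1)
    if [ "$oldest" = "$ver" ]; then echo pre-change; else echo unverified; fi
}

# Constructed sample: two log lines, one carrying the error.
SAMPLE_LOG="negotiation trace line (constructed)
Runtime error: $SASL_ERR"

printf '%s\n' "$SAMPLE_LOG" | count_negotiation_failures
if command -v rpm >/dev/null 2>&1; then
    classify_sasl_gssapi "$(rpm -q cyrus-sasl-gssapi 2>/dev/null || true)"
fi
```

An `affected` result matters only on a Kudu version listed under "Affects Version/s"; the issue records the fix in 1.16.0.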

              People

              • Assignee:
                aserbin Alexey Serbin
                Reporter:
                aserbin Alexey Serbin