ZooKeeper
  1. ZooKeeper
  2. ZOOKEEPER-1510

Should not log SASL errors for non-secure usage

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.4.3
    • Fix Version/s: 3.4.4, 3.5.0
    • Component/s: java client
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Since SASL support was added, all connections with non-secure clients have started logging messages like:

      2012-07-01 02:13:34,986 WARN org.apache.zookeeper.client.ZooKeeperSaslClient: SecurityException: java.lang.SecurityException: Unable to locate a login configuration occurred when trying to find JAAS configuration.
      2012-07-01 02:13:34,986 INFO org.apache.zookeeper.client.ZooKeeperSaslClient: Client will not SASL-authenticate because the default JAAS configuration section 'Client' could not be found. If you are not using SASL, you may ignore this. On the other hand, if you expected SASL to work, please fix your JAAS configuration.

      Despite the "you may ignore this" qualifier, I've seen a lot of users confused by this message. Instead, it would be better to either log at DEBUG level, or piggy back the SASL information onto the "Opening socket connection" message (eg "Opening socket connection to X:2181. Will not use SASL because no configuration was located.")

      1. zookeeper-1510.txt
        4 kB
        Todd Lipcon
      2. zookeeper-1510.txt
        4 kB
        Patrick Hunt

        Issue Links

          Activity

          Todd Lipcon created issue -
          Todd Lipcon made changes -
          Field Original Value New Value
          Assignee Todd Lipcon [ tlipcon ]
          Hide
          Todd Lipcon added a comment -

          Attached patch changes the SASL-related message to piggy-back on the "Connecting" message except for the true error case. I tested by running the existing unit tests and looking at the logs. Examples:

          Successfully found config:

          Opening socket connection to server todd-w510/127.0.0.1:11221. Will attempt to SASL-authenticate using Login Context section 'MyZookeeperClient'
          

          Failed configuration:

          2012-07-16 13:00:50,723 [myid:] - WARN  [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@942] - SASL configuration failed: javax.security.auth.login.LoginException: Client cannot SASL-authenticate because the specified JAAS configuration section 'MyZookeeperClient' could not be found. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
          2012-07-16 13:00:50,726 [myid:] - INFO  [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/127.0.0.1:11221
          

          Unconfigured:

          2012-07-16 13:02:31,501 [myid:] - INFO  [main-SendThread(todd-w510:2181):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/0:0:0:0:0:0:0:1:2181. Will not attempt to authenticate using SASL (Unable to locate a login configuration)
          
          Show
          Todd Lipcon added a comment - Attached patch changes the SASL-related message to piggy-back on the "Connecting" message except for the true error case. I tested by running the existing unit tests and looking at the logs. Examples: Successfully found config: Opening socket connection to server todd-w510/127.0.0.1:11221. Will attempt to SASL-authenticate using Login Context section 'MyZookeeperClient' Failed configuration: 2012-07-16 13:00:50,723 [myid:] - WARN [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@942] - SASL configuration failed: javax.security.auth.login.LoginException: Client cannot SASL-authenticate because the specified JAAS configuration section 'MyZookeeperClient' could not be found. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. 2012-07-16 13:00:50,726 [myid:] - INFO [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/127.0.0.1:11221 Unconfigured : 2012-07-16 13:02:31,501 [myid:] - INFO [main-SendThread(todd-w510:2181):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/0:0:0:0:0:0:0:1:2181. Will not attempt to authenticate using SASL (Unable to locate a login configuration)
          Todd Lipcon made changes -
          Attachment zookeeper-1510.txt [ 12536705 ]
          Hide
          Eugene Koontz added a comment -

          Looks like a good change to me. It's always interesting to hear users' reactions to what they're seeing.

          Show
          Eugene Koontz added a comment - Looks like a good change to me. It's always interesting to hear users' reactions to what they're seeing.
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-1512 [ ZOOKEEPER-1512 ]
          Hide
          Patrick Hunt added a comment -

          A couple minor tweaks to the patch, including adding some javadoc for the new method/field.

          Show
          Patrick Hunt added a comment - A couple minor tweaks to the patch, including adding some javadoc for the new method/field.
          Patrick Hunt made changes -
          Attachment zookeeper-1510.txt [ 12538821 ]
          Patrick Hunt made changes -
          Fix Version/s 3.4.4 [ 12319841 ]
          Fix Version/s 3.5.0 [ 12316644 ]
          Patrick Hunt made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt
          against trunk revision 1368203.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt against trunk revision 1368203. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt
          against trunk revision 1368203.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt against trunk revision 1368203. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//console This message is automatically generated.
          Hide
          Patrick Hunt added a comment -

          Thanks Todd!

          Show
          Patrick Hunt added a comment - Thanks Todd!
          Patrick Hunt made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Hadoop Flags Reviewed [ 10343 ]
          Resolution Fixed [ 1 ]
          Hide
          Hudson added a comment -

          Integrated in ZooKeeper-trunk #1633 (See https://builds.apache.org/job/ZooKeeper-trunk/1633/)
          ZOOKEEPER-1510. Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) Missed a bit in the prior commit (Revision 1368299)
          ZOOKEEPER-1510. Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) (Revision 1368267)

          Result = SUCCESS
          phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368299
          Files :

          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java

          phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368267
          Files :

          • /zookeeper/trunk/CHANGES.txt
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
          Show
          Hudson added a comment - Integrated in ZooKeeper-trunk #1633 (See https://builds.apache.org/job/ZooKeeper-trunk/1633/ ) ZOOKEEPER-1510 . Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) Missed a bit in the prior commit (Revision 1368299) ZOOKEEPER-1510 . Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) (Revision 1368267) Result = SUCCESS phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368299 Files : /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368267 Files : /zookeeper/trunk/CHANGES.txt /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-1623 [ ZOOKEEPER-1623 ]
          Hide
          jay vyas added a comment -

          So, just curious for those of us on older ZK versions where they still appear: what is the meaning of these logs anyways? will this mean that possibly a client wont work properly – i.e. is this a real error or just a warning. I seem to have these logs WITHOUT the "you may ignore this" message in an hbase cluster with external zk management.

          Show
          jay vyas added a comment - So, just curious for those of us on older ZK versions where they still appear: what is the meaning of these logs anyways? will this mean that possibly a client wont work properly – i.e. is this a real error or just a warning. I seem to have these logs WITHOUT the "you may ignore this" message in an hbase cluster with external zk management.
          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Patch Available Patch Available
          16d 21m 1 Patrick Hunt 01/Aug/12 21:06
          Patch Available Patch Available Resolved Resolved
          1h 35m 1 Patrick Hunt 01/Aug/12 22:41

            People

            • Assignee:
              Todd Lipcon
              Reporter:
              Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development