ZooKeeper
  1. ZooKeeper
  2. ZOOKEEPER-1510

Should not log SASL errors for non-secure usage

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.4.3
    • Fix Version/s: 3.4.4, 3.5.0
    • Component/s: java client
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Since SASL support was added, all connections with non-secure clients have started logging messages like:

      2012-07-01 02:13:34,986 WARN org.apache.zookeeper.client.ZooKeeperSaslClient: SecurityException: java.lang.SecurityException: Unable to locate a login configuration occurred when trying to find JAAS configuration.
      2012-07-01 02:13:34,986 INFO org.apache.zookeeper.client.ZooKeeperSaslClient: Client will not SASL-authenticate because the default JAAS configuration section 'Client' could not be found. If you are not using SASL, you may ignore this. On the other hand, if you expected SASL to work, please fix your JAAS configuration.

      Despite the "you may ignore this" qualifier, I've seen a lot of users confused by this message. Instead, it would be better to either log at DEBUG level, or piggy back the SASL information onto the "Opening socket connection" message (eg "Opening socket connection to X:2181. Will not use SASL because no configuration was located.")

      1. zookeeper-1510.txt
        4 kB
        Todd Lipcon
      2. zookeeper-1510.txt
        4 kB
        Patrick Hunt

        Issue Links

          Activity

          Hide
          jay vyas added a comment -

          So, just curious for those of us on older ZK versions where they still appear: what is the meaning of these logs anyways? will this mean that possibly a client wont work properly – i.e. is this a real error or just a warning. I seem to have these logs WITHOUT the "you may ignore this" message in an hbase cluster with external zk management.

          Show
          jay vyas added a comment - So, just curious for those of us on older ZK versions where they still appear: what is the meaning of these logs anyways? will this mean that possibly a client wont work properly – i.e. is this a real error or just a warning. I seem to have these logs WITHOUT the "you may ignore this" message in an hbase cluster with external zk management.
          Hide
          Hudson added a comment -

          Integrated in ZooKeeper-trunk #1633 (See https://builds.apache.org/job/ZooKeeper-trunk/1633/)
          ZOOKEEPER-1510. Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) Missed a bit in the prior commit (Revision 1368299)
          ZOOKEEPER-1510. Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) (Revision 1368267)

          Result = SUCCESS
          phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368299
          Files :

          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java

          phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368267
          Files :

          • /zookeeper/trunk/CHANGES.txt
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java
          • /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
          Show
          Hudson added a comment - Integrated in ZooKeeper-trunk #1633 (See https://builds.apache.org/job/ZooKeeper-trunk/1633/ ) ZOOKEEPER-1510 . Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) Missed a bit in the prior commit (Revision 1368299) ZOOKEEPER-1510 . Should not log SASL errors for non-secure usage (Todd Lipcon via phunt) (Revision 1368267) Result = SUCCESS phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368299 Files : /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java phunt : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1368267 Files : /zookeeper/trunk/CHANGES.txt /zookeeper/trunk/src/java/main/org/apache/zookeeper/ClientCnxn.java /zookeeper/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java
          Hide
          Patrick Hunt added a comment -

          Thanks Todd!

          Show
          Patrick Hunt added a comment - Thanks Todd!
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt
          against trunk revision 1368203.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt against trunk revision 1368203. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1153//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt
          against trunk revision 1368203.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12538821/zookeeper-1510.txt against trunk revision 1368203. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1152//console This message is automatically generated.
          Hide
          Patrick Hunt added a comment -

          A couple minor tweaks to the patch, including adding some javadoc for the new method/field.

          Show
          Patrick Hunt added a comment - A couple minor tweaks to the patch, including adding some javadoc for the new method/field.
          Hide
          Eugene Koontz added a comment -

          Looks like a good change to me. It's always interesting to hear users' reactions to what they're seeing.

          Show
          Eugene Koontz added a comment - Looks like a good change to me. It's always interesting to hear users' reactions to what they're seeing.
          Hide
          Todd Lipcon added a comment -

          Attached patch changes the SASL-related message to piggy-back on the "Connecting" message except for the true error case. I tested by running the existing unit tests and looking at the logs. Examples:

          Successfully found config:

          Opening socket connection to server todd-w510/127.0.0.1:11221. Will attempt to SASL-authenticate using Login Context section 'MyZookeeperClient'
          

          Failed configuration:

          2012-07-16 13:00:50,723 [myid:] - WARN  [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@942] - SASL configuration failed: javax.security.auth.login.LoginException: Client cannot SASL-authenticate because the specified JAAS configuration section 'MyZookeeperClient' could not be found. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
          2012-07-16 13:00:50,726 [myid:] - INFO  [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/127.0.0.1:11221
          

          Unconfigured:

          2012-07-16 13:02:31,501 [myid:] - INFO  [main-SendThread(todd-w510:2181):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/0:0:0:0:0:0:0:1:2181. Will not attempt to authenticate using SASL (Unable to locate a login configuration)
          
          Show
          Todd Lipcon added a comment - Attached patch changes the SASL-related message to piggy-back on the "Connecting" message except for the true error case. I tested by running the existing unit tests and looking at the logs. Examples: Successfully found config: Opening socket connection to server todd-w510/127.0.0.1:11221. Will attempt to SASL-authenticate using Login Context section 'MyZookeeperClient' Failed configuration: 2012-07-16 13:00:50,723 [myid:] - WARN [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@942] - SASL configuration failed: javax.security.auth.login.LoginException: Client cannot SASL-authenticate because the specified JAAS configuration section 'MyZookeeperClient' could not be found. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. 2012-07-16 13:00:50,726 [myid:] - INFO [main-SendThread(todd-w510:11221):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/127.0.0.1:11221 Unconfigured : 2012-07-16 13:02:31,501 [myid:] - INFO [main-SendThread(todd-w510:2181):ClientCnxn$SendThread@952] - Opening socket connection to server todd-w510/0:0:0:0:0:0:0:1:2181. Will not attempt to authenticate using SASL (Unable to locate a login configuration)

            People

            • Assignee:
              Todd Lipcon
              Reporter:
              Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development