Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Zookeeper kerberos issue or quorum issue?

Labels:
avatar
author-rank sumit.nigam
Contributor

Created on ‎11-23-2015 01:01 AM - edited ‎09-16-2022 02:50 AM

I use a kerberized cluster and once in a while I notice following error in my zookeeper client logs:

 

15/11/15 15:46:53 ERROR client.ZooKeeperSaslClient: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Connection reset)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.


15/11/15 15:46:53 ERROR zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Connection reset)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.

 

So, I had following doubt with this:

 

It is showing actual error to be connection reset. I am not sure connection RST to what? Is it to Kerberos KDC? But the log further seems to indicate that connection issue happened when connecting to ZK quorum member. So, in that case the RST flag is recd from ZK quorum member?

 

Thanks,

Sumit

12,923 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Harsh J author-rank
Mentor

Created ‎12-02-2015 10:41 AM

Yes, the Mechanism level: sub-codes usually pertain to operations within the context of a KDC or local Kerberos work. The connection reset being a network error is therefore alluding to the Client->KDC connection being reset.

The ZKs would auth to each other in secure mode, but the specific failure here is within just the auth layer (than the higher levels of ZK connectivity and responses).

View solution in original post

13,083 Views
0 Kudos
1
3 REPLIES 3

avatar
author-rank Harsh J author-rank
Mentor

Created ‎12-02-2015 10:41 AM

Yes, the Mechanism level: sub-codes usually pertain to operations within the context of a KDC or local Kerberos work. The connection reset being a network error is therefore alluding to the Client->KDC connection being reset.

The ZKs would auth to each other in secure mode, but the specific failure here is within just the auth layer (than the higher levels of ZK connectivity and responses).
13,084 Views
0 Kudos
1

avatar
author-rank sumit.nigam
Contributor

Created ‎12-02-2015 07:45 PM

Thanks Harsh,

 

So, to generalize, the mechanism level subcodes can always be taken as some failure in communicating with KDC, right?

 

I also see that despite this error, ZK does continue to function ... so is this error to be really treated seriously?

 

Thanks again.

12,878 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎12-06-2015 09:23 PM

> So, to generalize, the mechanism level subcodes can always be taken as some failure in communicating with KDC, right?

Yes, it can be always taken as something wrong in the Kerberos layer (not necessarily only KDC, could also be things such as bad enctypes in keytab, etc., but always Kerberos mechanism related)

> I also see that despite this error, ZK does continue to function ... so is this error to be really treated seriously?

Did a retry of the auth perhaps succeed? Its not normal for it to repeat the errors.
12,809 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements