python-zk / kazoo

Kazoo is a high-level Python library that makes it easier to use Apache Zookeeper.
https://kazoo.readthedocs.io
Apache License 2.0

use KazooClient to auth kerberos failed #665

Closed lingnancfy closed 6 months ago

lingnancfy commented 2 years ago (Fri, May 6, 2022, 14:05)

Expected Behavior

I want to use KazooClient to connect to ZooKeeper via Kerberos, but it failed to auth.

Actual Behavior

auth success

my test code:

```python
import os
import subprocess
import time

from kazoo.client import KazooClient

# Ensure we have a client ticket
subprocess.check_call([
    "kinit", "-kt",
    os.path.expandvars("/opt/Bigdata/om-server_8.1.2.1/apache-tomcat-8.5.69/webapps/web/components/ClickHouse/config/1_ClickHouse/clickhouse.keytab"),
    "clickhouse@72C0CF82_CD45_448A_AA45_DA92C3F0A29B.COM",
])

try:
    client = KazooClient(
        hosts="node-master1phmI.mrs-skci.com:2181",
        sasl_options={"mechanism": "GSSAPI", "service": "zookeeper",
                      "host": "hadoop.72c0cf82_cd45_448a_aa45_da92c3f0a29b.com"},
        timeout=5,
    )
    client.start()

    # give ZK a chance to copy data to other node
    time.sleep(0.1)
    client.create(path="/cfy")
    client.create(path="/cfy/child1")
    client.create(path="/cfy/child2")
    ret = client.get_children(path="/cfy")
    print(ret)
finally:
    client.delete(path="/cfy", recursive=True)
    client.stop()
    client.close()
```

If I modify Kazoo's source code "kazoo/protocol/connection.py" and comment out "host=host" in line 730 of the file, I can auth successfully (screenshot: https://user-images.githubusercontent.com/22337511/167137018-7caea325-3cd3-403b-9f65-2cec10ba4232.png).

test result: (screenshot)

Specifications

  • Kazoo version: 2.8.0
  • Result of pip list command:
  • Zookeeper version: 3.6.5
  • Zookeeper configuration: put here any useful ZK configuration (authentication, encryption, number of ZK members, number of (concurrent?) clients, Java version, krb5 version, etc.)
  • Python version: 3.9
  • OS: linux

ceache commented 2 years ago

Hi,

Thank you for the detailed report.

I am assuming it only works because, in addition to the code change, you pass a specific "host": "hadoop.72c0cf82_cd45_448a_aa45_da92c3f0a29b.com" option.

It looks to me that you are failing Kerberos auth because your zookeeper server does not have a keytab for "node-master1phmI.mrs-skci.com" but only for the above hostname. You should look at the rdns krb5.conf option (https://web.mit.edu/kerberos/krb5-1.16/doc/admin/conf_files/krb5_conf.html) to understand how kerberos transforms a DNS hostname into a principal and make sure your server has the right service principal (klist -k).

I hope this helps
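The following is an added example, not code from Kazoo, pure-sasl or either participant in this thread. It models offline the two things ceache's reply says decide the outcome: the service principal the GSSAPI client asks the KDC for ("<service>/<host>@REALM", where <host> is the ZooKeeper connection host unless the caller overrides it, lower-cased and, with krb5's rdns=true, replaced by the PTR name), and whether that principal is present in the server's keytab as listed by `klist -k`. The realm and hostnames are taken from the report above; the reverse-DNS table, the `klist -k` output, and the assumption that an explicit "host" in sasl_options overrides the connection host (as in the reporter's patched build) are constructed for the demo.

```python
"""Model of the Kerberos service-principal lookup behind a GSSAPI SASL bind.

Added example; not Kazoo's or pure-sasl's code. It reproduces, offline, why
the default connection host fails against this server's keytab and why the
explicit "host" option (or a matching PTR record) makes it succeed.
"""
import re

# Realm taken from the reporter's kinit line.
REALM = "72C0CF82_CD45_448A_AA45_DA92C3F0A29B.COM"

# Constructed stand-in for a resolver: lower-cased hostname -> PTR name.
# Real krb5 (rdns = true, the default) resolves the address and takes its
# PTR; a name missing from this table is kept as given.
REVERSE_DNS = {
    "node-master1phmi.mrs-skci.com": "node-master1phmi.mrs-skci.com",  # PTR points back at itself
}

# Constructed `klist -k` output for the ZooKeeper server's keytab: it holds
# only the hadoop.* service principal, as ceache suspects above.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/security/keytabs/zookeeper.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 zookeeper/hadoop.72c0cf82_cd45_448a_aa45_da92c3f0a29b.com@72C0CF82_CD45_448A_AA45_DA92C3F0A29B.COM
   3 zookeeper/hadoop.72c0cf82_cd45_448a_aa45_da92c3f0a29b.com@72C0CF82_CD45_448A_AA45_DA92C3F0A29B.COM
"""


def sasl_target_host(hosts, sasl_options):
    """Host the client will put into the service principal.

    Assumption (matches the reporter's patched build): an explicit "host" in
    sasl_options wins; otherwise the first connection host, port stripped.
    """
    host = sasl_options.get("host") or hosts.split(",")[0]
    return host.rsplit(":", 1)[0].strip()


def service_principal(service, host, realm=REALM, rdns=True, reverse_dns=REVERSE_DNS):
    """Canonical "<service>/<host>@<realm>" the GSSAPI client requests.

    MIT krb5's krb5_sname_to_principal lower-cases the hostname and, with
    rdns=true, canonicalizes it through reverse DNS first.
    """
    host = host.lower()
    if rdns:
        host = reverse_dns.get(host, host).lower()
    return f"{service}/{host}@{realm}"


def keytab_principals(klist_output):
    """Parse `klist -k` output into the set of principals it lists."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M)}


def diagnose(hosts, sasl_options, klist_output=KLIST_OUTPUT, rdns=True):
    """Return (principal the client requests, whether the server keytab has it)."""
    principal = service_principal(sasl_options.get("service", "zookeeper"),
                                  sasl_target_host(hosts, sasl_options), rdns=rdns)
    return principal, principal in keytab_principals(klist_output)


if __name__ == "__main__":
    hosts = "node-master1phmI.mrs-skci.com:2181"
    default_opts = {"mechanism": "GSSAPI", "service": "zookeeper"}
    override_opts = dict(default_opts, host="hadoop.72c0cf82_cd45_448a_aa45_da92c3f0a29b.com")
    for label, opts in (("default host", default_opts), ("explicit host", override_opts)):
        principal, ok = diagnose(hosts, opts)
        print(f"{label:13s} -> {principal}: {'in keytab' if ok else 'NOT in keytab'}")
```

Two fixes fall out of the model without patching the client: add a `zookeeper/node-master1phmi.mrs-skci.com@REALM` entry to the server keytab, or make the PTR record for the server's address resolve to the name that is already in the keytab so rdns canonicalization produces it. Either way, compare the principal the client would request against the real `klist -k` output before touching library code.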