ZooKeeper authentication error

Question

I'm trying to login to ZK using kerberos, and then perform some operations. However, the following doesn't work:

2016-02-19 16:31:32,572 [myid:] - INFO  [Thread-1:Login@397] -Initiating re-login for <me/[email protected]>

2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login@301] - TGT valid starting at:        Fri Feb 19 16:31:32 PST 2016
2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login@302] - TGT expires:                  Fri Feb 19 16:46:32 PST 2016
2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login$1@181] - TGT refresh sleeping until: Fri Feb 19 16:43:50 PST 2016

[zk: hostname(CONNECTED) 11] 
[zk: hostname(CONNECTED) 11] getAcl /zk-test
'sasl,'me/[email protected]@: cdrwa
[zk: hostname(CONNECTED) 12] ls /zk-test
Authentication is not valid : /zk-test

Even though I've already logged in using the principal me/[email protected], and the ACL for /zk-test is sasl:me/[email protected]:cdrwa, I still cannot do simple stuff like ls /zk-test. Anyone know why? Thanks.

Answer 1

I wasted an hour of my life on this (thanks to poor documentation of zookeeper - everything is scattered), I want to make sure no one else does, thankfully someone who knows everything at our workplace helped me out ;)

Do this before you start zkCli -server blahblah:2181

    export JVMFLAGS="-Djava.security.auth.login.config=/tmp/jaas.conf -Dsun.net.spi.nameservice.provider.1=dns,sun"

make sure you have jaas conf in tmp folder - I used something like this -

     Server {
      org.apache.zookeeper.server.auth.DigestLoginModule required
      user_super="adminsecret"
      user_bob="bobsecret"
      user_dev="devpassword";
    };
    Client{
      org.apache.zookeeper.server.auth.DigestLoginModule required
      username="blah"
      password="blahblah";
    };

it will work now.

Answer 2

jaas.conf file is needed:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/home/myUser/myUser.keytab"
  storeKey=true
  useTicketCache=false
  principal="[email protected]";
};

Set environment variables for you current session:

export JVMFLAGS="-Djava.security.auth.login.config=/home/myUser/jaas.conf"

Finally connect to server:

zookeeper-client -server myServerIp

I've written a blog post about this as a note to self that should be a bit more complete.

Answer 3

another way to start yarn is to change yarn config:

yarn.resourcemanager.zk-state-store.parent-path /rmstore
yarn.resourcemanager.ha.automatic-failover.zk-base-path /yarn-leader-election

change the path to a new location ,so that zk auth error can be avoid.

FIY? https://hadoop.apache.org/docs/r2.6.0/hadoop-yarn/hadoop-yarn-common/yarn-default.xml

Answer 4

Why not:

(define median (sorted-list)
  (let* ((len (length sorted-list))
         (mid (floor (/ len 2)))
         (mid-el (list-ref sorted-list mid)))
    (if (even? len)
        (/ (+ (list-ref sorted-list (- mid 1))
              mid-el)
           2)
        mid-el)))

(define merge-two-sorted-lists (sl1 sl2 (acc '()))
  (cond ((empty? sl1) (append (reverse acc) sl2))
        ((empty? sl2) (append (reverse acc) sl1))
        ((< (car sl1) (car sl2)) (merge-two-sorted-lists (cdr sl1) sl2
                                                         (cons (car sl1) acc)))
        (else (merge-two-worted-lists sl1 (cdr sl2) (cons (car sl2) acc)))))

(define median-of-two-sorted-lists (sl1 sl2)
  (median (merge-two-sorted-lists sl1 sl2)))

The median function is translated from Python:

def median(lst):
    n = len(lst)
    s = sorted(lst)
    return (s[n//2-1]/2.0+s[n//2]/2.0, s[n//2])[n % 2] if n else None