[
https://issues.apache.org/jira/browse/KAFKA-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhu fangbo updated KAFKA-5616:
------------------------------
Description:
I want to upgrade my unsecure kafka cluster to a secure one whitch support
SASL_PLAINT protocol, but I failed to perfrom rolling upgrade. The only way I
found to upgrade is to shutdown all brokers first and then restart all brokers
with inter-broker security configured
h3. Before upgrade
Here is the secure configuration of broker 1:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin{quote}
I want to setup a cluster support both unsecure and secure client-broker
connect, so i add a new endpoint to listeners with port = 9099
h3. Start rolling upgrade
First, I restart broker-1 which is not the controller. below is part of
server.log shows start complete:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg|height=190,width=1390,hspace=1,vspace=4!
seemed well, but there are no log print to show the replicamanger was
started,and broker1 not go back to the ISR
!http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|height=200,width=800!
Besides, the preferred replica leader election was also failed
!http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|height=100,width=1200!
h3. After rolling upgrade for all brokers
After upgrade all brokers, it seems each broker can not connect to other
brokers
!http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg| height=200,width=800!
I restart broker 2 at last which is the controller, then broker 3 came to be
controller, and it also failed to perform preferred replica leader election
!http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|height=200,width=800!
h3. Shutdown all and restart
The cluster works well when I shutdown all brokers and restart all with
inter-broker security configurations like this:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN{quote}
replica fetch thread was started
!http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|height=200,width=800!
and ISR was normal
!http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|height=200,width=800!
was:
I want to upgrade my unsecure kafka cluster to a secure one whitch support
SASL_PLAINT protocol, but I failed to perfrom rolling upgrade. The only way I
found to upgrade is to shutdown all brokers first and then restart all brokers
with inter-broker security configured
h3. Before upgrade
Here is the secure configuration of broker 1:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin{quote}
I want to setup a cluster support both unsecure and secure client-broker
connect, so i add a new endpoint to listeners with port = 9099
h3. Start rolling upgrade
First, I restart broker-1 which is not the controller. below is part of
server.log shows start complete:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg|height=190,width=1390,hspace=1,vspace=4!
seemed well, but there are no log print to show the replicamanger was
started,and broker1 not go back to the ISR
!http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|height=200,width=800!
Besides, the preferred replica leader election was also failed
!http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|height=200,width=1200!
h3. After rolling upgrade for all brokers
After upgrade all brokers, it seems each broker can not connect to other
brokers
!http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg| height=200,width=800!
I restart broker 2 at last which is the controller, then broker 3 came to be
controller, and it also failed to perform preferred replica leader election
!http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|height=200,width=800!
h3. Shutdown all and restart
The cluster works well when I shutdown all brokers and restart all with
inter-broker security configurations like this:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN{quote}
replica fetch thread was started
!http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|height=200,width=800!
and ISR was normal
!http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|height=200,width=800!
> unable perform a rolling upgrade from a non-secure to a secure Kafka cluster
> ----------------------------------------------------------------------------
>
> Key: KAFKA-5616
> URL: https://issues.apache.org/jira/browse/KAFKA-5616
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.1.1
> Reporter: zhu fangbo
>
> I want to upgrade my unsecure kafka cluster to a secure one whitch support
> SASL_PLAINT protocol, but I failed to perfrom rolling upgrade. The only way I
> found to upgrade is to shutdown all brokers first and then restart all
> brokers with inter-broker security configured
> h3. Before upgrade
> Here is the secure configuration of broker 1:
> {quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
> sasl.enabled.mechanisms=PLAIN
> authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
> super.users=User:admin{quote}
> I want to setup a cluster support both unsecure and secure client-broker
> connect, so i add a new endpoint to listeners with port = 9099
> h3. Start rolling upgrade
> First, I restart broker-1 which is not the controller. below is part of
> server.log shows start complete:
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg|height=190,width=1390,hspace=1,vspace=4!
> seemed well, but there are no log print to show the replicamanger was
> started,and broker1 not go back to the ISR
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|height=200,width=800!
> Besides, the preferred replica leader election was also failed
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|height=100,width=1200!
> h3. After rolling upgrade for all brokers
> After upgrade all brokers, it seems each broker can not connect to other
> brokers
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg| height=200,width=800!
> I restart broker 2 at last which is the controller, then broker 3 came to be
> controller, and it also failed to perform preferred replica leader election
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|height=200,width=800!
> h3. Shutdown all and restart
> The cluster works well when I shutdown all brokers and restart all with
> inter-broker security configurations like this:
> {quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
> #advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.mechanism.inter.broker.protocol=PLAIN{quote}
> replica fetch thread was started
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|height=200,width=800!
> and ISR was normal
> !http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|height=200,width=800!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
