[ https://issues.apache.org/jira/browse/KAFKA-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
zhu fangbo updated KAFKA-5616:
------------------------------
    Description:
I want to upgrade my unsecure Kafka cluster to a secure one which supports the SASL_PLAINTEXT protocol, but I failed to perform a rolling upgrade. The only way I found to upgrade is to shut down all brokers first and then restart all brokers with inter-broker security configured.

h3. Before upgrade

Here is the secure configuration of broker 1:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin{quote}
I want to set up a cluster that supports both unsecure and secure client-broker connections, so I added a new endpoint to listeners with port = 9099.

h3. Start rolling upgrade

First, I restarted broker-1, which is not the controller. Below is the part of server.log that shows startup completed:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/25775149.jpg|height=190,width=1390,hspace=1,vspace=4!
It seemed fine, but no log line shows that the replica manager was started, and broker 1 did not go back into the ISR:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/55734691.jpg|height=200,width=800!
Besides, the preferred replica leader election also failed:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/94837206.jpg|height=100,width=1200!

h3. After rolling upgrade for all brokers

After upgrading all brokers, it seems each broker cannot connect to the other brokers:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/84863343.jpg|height=200,width=800!
I restarted broker 2 last, which was the controller; then broker 3 became the controller, and it also failed to perform preferred replica leader election:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/70680876.jpg|height=200,width=800!

h3. Shutdown all and restart

The cluster works well when I shut down all brokers and restart them all with inter-broker security configurations like this:
{quote}listeners=PLAINTEXT://10.45.4.9:9092,SASL_PLAINTEXT://10.45.4.9:9099
#advertised.listeners=SASL_PLAINTEXT://10.45.4.9:9099
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN{quote}
The replica fetch thread was started:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/98186199.jpg|height=200,width=800!
and the ISR was normal:
!http://olt6kofv9.bkt.clouddn.com/17-7-20/13606263.jpg|height=200,width=800!

> unable perform a rolling upgrade from a non-secure to a secure Kafka cluster
> ----------------------------------------------------------------------------
>
>                 Key: KAFKA-5616
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5616
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10.1.1
>            Reporter: zhu fangbo
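
Added example (not part of the original issue and not Kafka's own code): a pre-flight check for one step of a rolling restart, reporting whether the restarted broker and a peer still running its current config can reach each other for inter-broker traffic. It goes beyond the two configs quoted in the report; the function names and the three sample configs are assumptions constructed for illustration.

```python
# Added example; listener names are assumed to be security protocol names.
DEFAULTS = {  # Kafka's documented broker defaults
    "listeners": "PLAINTEXT://:9092",
    "security.inter.broker.protocol": "PLAINTEXT",
    "sasl.mechanism.inter.broker.protocol": "GSSAPI",
    "sasl.enabled.mechanisms": "GSSAPI",
}

def parse_props(text):
    """Parse server.properties text into a dict layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def can_connect(src, dst):
    """Return None if broker src can reach broker dst, else the reason."""
    proto = src["security.inter.broker.protocol"].upper()
    accepted = {e.split("://")[0].strip().upper() for e in dst["listeners"].split(",")}
    if proto not in accepted:
        return f"no {proto} listener on target"
    if proto.startswith("SASL"):
        mech = src["sasl.mechanism.inter.broker.protocol"]
        if mech not in {m.strip() for m in dst["sasl.enabled.mechanisms"].split(",")}:
            return f"mechanism {mech} not enabled on target"
    return None

def check_step(candidate_text, peers):
    """Problems if one broker restarts with candidate_text while peers keep theirs."""
    cand, problems = parse_props(candidate_text), []
    for name, text in peers.items():
        peer = parse_props(text)
        for src, dst, label in ((cand, peer, f"candidate->{name}"),
                                (peer, cand, f"{name}->candidate")):
            if (why := can_connect(src, dst)):
                problems.append(f"{label}: {why}")
    return problems

# Constructed sample configs modelled on the settings quoted in the report.
OLD = "listeners=PLAINTEXT://10.45.4.9:9092"
PHASE1 = OLD + ",SASL_PLAINTEXT://10.45.4.9:9099\nsasl.enabled.mechanisms=PLAIN"
PHASE2 = PHASE1 + ("\nsecurity.inter.broker.protocol=SASL_PLAINTEXT"
                   "\nsasl.mechanism.inter.broker.protocol=PLAIN")

if __name__ == "__main__":
    for cand, peer in ((PHASE1, OLD), (PHASE2, OLD), (PHASE2, PHASE1)):
        print(check_step(cand, {"broker-2": peer}))
```

The check covers listener and mechanism settings only; JAAS credentials and ACLs for the inter-broker principal are outside what it inspects.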