[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14276210#comment-14276210
]
Gregory Chanan commented on SOLR-6915:
--------------------------------------
Thanks Mark!
I was able to reproduce with failures on my local machine on jdk7, so it
appears to be a jdk7 vs jdk8 issue. Your patches fixed the issue for me as
well. This java bug seems at least related to what we are seeing:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8004488 (explains Krb5Util
I think, not sure about the KeyTab permission).
I also tried an ibm jdk, given my above comment and it failed before getting to
the permission checks. It seems like the JAAS configuration needs to be a bit
different on an IBM jdk. I'll investigate and report back.
> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
> Issue Type: Improvement
> Components: SolrCloud
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Fix For: 5.0, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log
>
>
> We should provide a ZkACLProvider that requires SASL authentication. This
> provider will be useful for administration in a kerberos environment. In
> such an environment, the administrator wants solr to authenticate to
> zookeeper using SASL, since this is only way to authenticate with zookeeper
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a
> scenario where solr owns (is the only writer of) the non-config znodes, but
> some set of trusted users are allowed to modify the configs. It's hard to
> predict all the possibilities here, but one model that seems generally useful
> is to have a model where solr itself owns all the znodes and all actions that
> require changing the znodes are routed to Solr APIs. That seems simple and
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really
> have any infrastructure for testing kerberos integration in unit tests.
> Internally, I've been testing using kerberos-enabled VM clusters, but this
> isn't great since we won't notice any breakages until someone actually spins
> up a VM. So part of this JIRA is to provide some infrastructure for testing
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
