[jira] [Updated] (HADOOP-11973) Some ZkDelegationTokenSecretManager znodes do not have ACLs

2015-05-18 Thread Gregory Chanan (JIRA)

 [ 
https://issues.apache.org/jira/browse/HADOOP-11973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gregory Chanan updated HADOOP-11973:

Status: Patch Available  (was: Open)

 Some ZkDelegationTokenSecretManager znodes do not have ACLs
 ---

 Key: HADOOP-11973
 URL: https://issues.apache.org/jira/browse/HADOOP-11973
 Project: Hadoop Common
  Issue Type: Bug
  Components: security
Affects Versions: 2.6.0
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Attachments: HADOOP-11973.patch


 I recently added an ACL Provider to the curator framework instance I pass to 
 the ZkDelegationTokenSecretManager, and notice some strangeness around ACLs.
 I set: zk-dt-secret-manager.znodeWorkingPath to:
 solr/zkdtsm
 and notice that
 /solr/zkdtsm/
 /solr/zkdtsm/ZKDTSMRoot
 do not have ACLs
 but all the znodes under /solr/zkdtsm/ZKDTSMRoot have ACLs.  From adding some 
 logging, it looks like the ACLProvider is never called for /solr/zkdtsm and 
 /solr/zkdtsm/ZKDTSMRoot.  I don't know if that's a Curator or 
 ZkDelegationTokenSecretManager issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (HADOOP-11973) Some ZkDelegationTokenSecretManager znodes do not have ACLs

2015-05-18 Thread Gregory Chanan (JIRA)

Gregory Chanan updated HADOOP-11973:

Attachment: HADOOP-11973.patch

Here's a patch that addresses the issue and has a test.

Here's a description I wrote in CURATOR-221:
{quote}
Yes, although in my case it's a bit complicated. If you look at HADOOP-11973, 
to keep the external vs internal client impl similar, I want to initialize the 
final CuratorFramework object in the constructor, which means I want to use the 
namespace-aware version. So, I could create the nodes before I call 
usingNamespace, but then I have to deal with exception handling, which I don't 
want to do in the constructor. So essentially I have to do:

1. call usingNamespace(ns) in the constructor
2. in startThreads, call usingNamespace(null) and then create the parents manually.
{quote}

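The workaround quoted above (create the parents manually through usingNamespace(null)), paired with a check that lists any znode on the working path that still carries a "world" ACL entry. This is an added example, not code from the attached patch or from Hadoop or Curator: the class and method names, the digest credential and the creator-only ACLProvider are constructed for illustration, and it assumes curator-framework and curator-test (for the in-process TestingServer) on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.RetryOneTime;
import org.apache.curator.test.TestingServer;
import org.apache.curator.utils.ZKPaths;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
public class ParentZnodeAclCheck {
  // Create each level of absPath explicitly so every znode gets the provider's ACL.
  static void createParents(CuratorFramework raw, ACLProvider acls, String absPath) throws Exception {
    String current = "";
    for (String part : ZKPaths.split(absPath)) {
      current += "/" + part;
      try {
        raw.create().withACL(acls.getAclForPath(current)).forPath(current);
      } catch (KeeperException.NodeExistsException e) { /* left as is; openZnodes() reports it */ }
    }
  }
  // Return every znode along absPath whose ACL contains an entry for the "world" scheme.
  static List<String> openZnodes(CuratorFramework raw, String absPath) throws Exception {
    List<String> open = new ArrayList<>();
    String current = "";
    for (String part : ZKPaths.split(absPath)) {
      current += "/" + part;
      boolean world = raw.getACL().forPath(current).stream().anyMatch(a -> "world".equals(a.getId().getScheme()));
      if (world) open.add(current);
    }
    return open;
  }
  public static void main(String[] args) throws Exception {
    ACLProvider acls = new ACLProvider() { // constructed provider: creator-only access
      public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
      public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
    };
    try (TestingServer zk = new TestingServer(); // in-process ZooKeeper from curator-test
         CuratorFramework client = CuratorFrameworkFactory.builder().connectString(zk.getConnectString())
             .retryPolicy(new RetryOneTime(100)).aclProvider(acls).namespace("solr/zkdtsm")
             .authorization("digest", "solr:constructed-secret".getBytes()).build()) { // constructed credential
      client.start();
      CuratorFramework raw = client.usingNamespace(null); // non-namespaced view, absolute paths
      createParents(raw, acls, "/solr/zkdtsm/ZKDTSMRoot");
      System.out.println("znodes with a world ACL entry: " + openZnodes(raw, "/solr/zkdtsm/ZKDTSMRoot"));
    }
  }
}
```

Running openZnodes() against an existing deployment, with a client that is allowed to read the ACLs, shows whether parents created before a fix are still open, since createParents() does not change the ACL of a znode that already exists.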


[jira] [Updated] (HADOOP-11973) Some ZkDelegationTokenSecretManager znodes do not have ACLs

2015-05-18 Thread Gregory Chanan (JIRA)

Gregory Chanan updated HADOOP-11973:

Attachment: HADOOP-11973v2.patch

Fix whitespace/style and unset thread local at end of test so other tests are 
not affected.
