subject:"\[jira\] \[Commented\] \(SOLR\-6915\) SaslZkACLProvider and Kerberos Test Using MiniKdc"

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-12-03 Thread Ishan Chattopadhyaya (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037521#comment-15037521
 ] 

Ishan Chattopadhyaya commented on SOLR-6915:


Maybe we should move this discussion to SOLR-7183, where I added a way to black 
list the known bad locales in the util class?

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-12-03 Thread Ishan Chattopadhyaya (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037534#comment-15037534
 ] 

Ishan Chattopadhyaya commented on SOLR-6915:


bq. best solution is to fix MiniKDC
+1, but seems like longer term.

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-12-02 Thread Mark Miller (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037375#comment-15037375
 ] 

Mark Miller commented on SOLR-6915:
---

Another option is just hard coding to one working locale for now right?

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-12-02 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037096#comment-15037096
 ] 

Gregory Chanan commented on SOLR-6915:
--

Ok, ran the test through all the locales on my install of java 9.  Here's what 
failed:
ar_JO
dz_BT
ar_SA
fa_AF
ar_TD
ar_EG
ne_IN
ar_SD
ar_KM
fa_IR
fa
ne
my
ar_IL
ar_SY
ar_PS
ur_IN
ar_YE
ps
uz_UZ_#Cyrl
mr_IN
uz
ar_OM
uz_UZ_#Latn
bn
bn_BD
ps_AF
mr
dz
bn_IN
ks__#Arab
ar_SS
ar_ER
th_TH_TH_#u-nu-thai
ar_SO
uz__#Arab
ar_AE
as
my_MM
ar_BH
ja_JP_JP_#u-ca-japanese
uz__#Cyrl
ne_NP
uz_AF_#Arab
ks
as_IN
ar_IQ
ar_QA
ar
uz__#Latn
ks_IN_#Arab
ar_001
ar_KW
ar_DJ

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-11-30 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15032710#comment-15032710
 ] 

Gregory Chanan commented on SOLR-6915:
--

bq. This is still failing fairly frequently on Jenkins runs, particularly on 
Java 9 (eg http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14737/). Maybe 
the thing to do is to wrap the MiniKDC startup method in an assumeTrue(), if we 
know there are certain locales that break this?

I think that's more or less what was done in SOLR-7183.  I think the issue is 
that just maintains a list of known bad locales instead of running checks on 
the locales to programatically figure out what was wrong.  And there are new 
locales in JDK9.  So easiest thing to do is add more to the list, medium 
solution is to runs checks on the locale, best solution is to fix MiniKDC.

Just a note: http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14789/ fails 
with ar_TD

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-11-25 Thread Alan Woodward (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15026468#comment-15026468
 ] 

Alan Woodward commented on SOLR-6915:
-

This is still failing fairly frequently on Jenkins runs, particularly on Java 9 
(eg http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14737/).  Maybe the 
thing to do is to wrap the MiniKDC startup method in an assumeTrue(), if we 
know there are certain locales that break this?

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-09-25 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908365#comment-14908365
 ] 

Gregory Chanan commented on SOLR-6915:
--

Great.  I seem to recall that the latest releases weren't compatible with 
whatever MiniKDC was expecting, so we may need Hadoop MiniKDC to adopt and 
release those changes first.

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-09-25 Thread Uwe Schindler (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908023#comment-14908023
 ] 

Uwe Schindler commented on SOLR-6915:
-

DIRAPI-219 is now solved. Looks like a bugfix release was done.

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
>  Issue Type: Improvement
>  Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Fix For: 5.1, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-08-22 Thread Uwe Schindler (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14708211#comment-14708211
 ] 

Uwe Schindler commented on SOLR-6915:
-

This happened again last night with locale {{uz_UZ_#Cyrl}}

We should maybe fix the test's locale

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.1, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-08-22 Thread Uwe Schindler (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14708234#comment-14708234
]

Uwe Schindler commented on SOLR-6915:
-

It can fail because it uses {{Calendar.getDefault()}}, hwich is the main issue
with this code.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.1, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

We should provide a ZkACLProvider that requires SASL authentication. This
provider will be useful for administration in a kerberos environment. In
such an environment, the administrator wants solr to authenticate to
zookeeper using SASL, since this is only way to authenticate with zookeeper
via kerberos.
The authorization model in such a setup can vary, e.g. you can imagine a
scenario where solr owns (is the only writer of) the non-config znodes, but
some set of trusted users are allowed to modify the configs. It's hard to
predict all the possibilities here, but one model that seems generally useful
is to have a model where solr itself owns all the znodes and all actions that
require changing the znodes are routed to Solr APIs. That seems simple and
reasonable as a first version.
As for testing, I noticed while working on SOLR-6625 that we don't really
have any infrastructure for testing kerberos integration in unit tests.
Internally, I've been testing using kerberos-enabled VM clusters, but this
isn't great since we won't notice any breakages until someone actually spins
up a VM. So part of this JIRA is to provide some infrastructure for testing
kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-06-02 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569870#comment-14569870
]

Mark Miller commented on SOLR-6915:
---

This apacheds-all jar seems troublesome - currently it has conflicting slf4j
classes in it...

bq. Jar conflicts between
/lucene-solr-trunk-1/solr/core/test-lib/apacheds-all-2.0.0-M15.jar and
/lucene-solr-trunk-1/solr/solrj/lib/slf4j-api-1.7.7.jar

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: Trunk, 5.1

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-06-02 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569893#comment-14569893
]

Gregory Chanan commented on SOLR-6915:
--

bq. I believe it's possible to not use the apacheds-all jar; when I looked
previously it looked like it took ~20 dependencies, some on different versions,
and I couldn't find a link on the apacheds site about which versions were
compatible with which.. I'll file a jira to investigate.

SOLR-7628

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: Trunk, 5.1

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-06-02 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569875#comment-14569875
]

Gregory Chanan commented on SOLR-6915:
--

bq. This apacheds-all jar seems troublesome - currently it has conflicting
slf4j classes in it...

I believe it's possible to not use the apacheds-all jar; when I looked
previously it looked like it took ~20 dependencies, some on different versions,
and I couldn't find a link on the apacheds site about which versions were
compatible with which.. I'll file a jira to investigate.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: Trunk, 5.1

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-02-05 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14308354#comment-14308354
]

Gregory Chanan commented on SOLR-6915:
--

[~elecharny] sorry for the late reply. I'm just starting up a Hadoop MiniKDC.
See the code here for more details:
https://github.com/apache/hadoop/blob/4641196fe02af5cab3d56a9f3c78875c495dbe03/hadoop-common-project/hadoop-minikdc/src/main/java/org/apache/hadoop/minikdc/MiniKdc.java#L322-L389

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: Trunk, 5.1

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-27 Thread Emmanuel Lecharny (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14293247#comment-14293247
]

Emmanuel Lecharny commented on SOLR-6915:
-

I would suggest you switch to ApacheDS M19. M15 is quite ancient, and depends
on LDAP API 1.0.0-M20, which is 9 version behind already.

Although the GenerilizedTimeSyntaxChecker has not changed for years... FTR, the
date 270126230030Z is perfectly valid, and I don't see how possibly it can
fail. Here is the code :

http://svn.apache.org/viewvc/directory/shared/trunk/ldap/model/src/main/java/org/apache/directory/api/ldap/model/schema/syntaxCheckers/GeneralizedTimeSyntaxChecker.java?revision=1002871view=markup

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-27 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14294226#comment-14294226
 ] 

Gregory Chanan commented on SOLR-6915:
--

[~elecharny] thanks for the suggestion, I'll look into it but I may not be able 
to do anything because I'm relying on hadoop MiniKDC, so likely they would have 
to upgrade the dependency first.

About the date 270126230030Z I think you are right, that comment refers to an 
error coming from bouncycastle, not from apacheds.  I believe the errors coming 
from apacheds are only the two locales:
th_TH_TH_#u-nu-thai
hi_IN

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-27 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14294369#comment-14294369
 ] 

ASF subversion and git services commented on SOLR-6915:
---

Commit 1655188 from gcha...@apache.org in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1655188 ]

SOLR-6915: Avoid broken Locales and skip IBM J9

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-27 Thread Emmanuel Lecharny (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14294394#comment-14294394
 ] 

Emmanuel Lecharny commented on SOLR-6915:
-

Can you bit a bit more explicit about what you are doing that breaks in 
ApacheDS when using the Thai locale ?

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: Trunk, 5.1

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-27 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14294367#comment-14294367
 ] 

ASF subversion and git services commented on SOLR-6915:
---

Commit 1655187 from gcha...@apache.org in branch 'dev/trunk'
[ https://svn.apache.org/r1655187 ]

SOLR-6915: Avoid broken Locales and skip IBM J9

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-26 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14292428#comment-14292428
 ] 

Gregory Chanan commented on SOLR-6915:
--

These locales fail for me locally on java8:
 th_TH_TH_#u-nu-thai
ja_JP_JP_#u-ca-japanese
hi_IN

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-26 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14292842#comment-14292842
]

Gregory Chanan commented on SOLR-6915:
--

Filed DIRAPI-219 for the ldap-api issues.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-26 Thread Gregory Chanan (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14292616#comment-14292616
 ] 

Gregory Chanan commented on SOLR-6915:
--

 th_TH_TH_#u-nu-thai and  hi_IN seem to be issues with apacheds-ldap-api, they 
have the backtrace that Shalin posted above.

 ja_JP_JP_#u-ca-japanese seems to be a bouncycastle issue; the exception is 
here:
{code}
209475 T11 oasc.SaslZkACLProviderTest.setUp Exception:invalid date string: 
Unparseable date: 270126230030Z java.lang.IllegalArgumentException: invalid 
date string: Unparseable date: 270126230030Z
   [junit4]   2at 
org.bouncycastle.asn1.DERGeneralizedTime.init(Unknown Source)
   [junit4]   2at org.bouncycastle.asn1.x509.Time.init(Unknown 
Source)
   [junit4]   2at 
org.bouncycastle.x509.X509V1CertificateGenerator.setNotBefore(Unknown Source)
   [junit4]   2at 
org.apache.directory.server.core.security.TlsKeyGenerator.addKeyPair(TlsKeyGenerator.java:277)
   [junit4]   2at 
org.apache.directory.server.core.DefaultDirectoryService.createBootstrapEntries(DefaultDirectoryService.java:1483)
   [junit4]   2at 
org.apache.directory.server.core.DefaultDirectoryService.initialize(DefaultDirectoryService.java:1828)
   [junit4]   2at 
org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1248)
   [junit4]   2at 
org.apache.hadoop.minikdc.MiniKdc.initDirectoryService(MiniKdc.java:375)
   [junit4]   2at 
org.apache.hadoop.minikdc.MiniKdc.start(MiniKdc.java:310)
{code}

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
 tests-failures.txt


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-22 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14288718#comment-14288718
]

Gregory Chanan commented on SOLR-6915:
--

Thanks Shalin, I was able to reproduce.

It looks like Apache Directory Server (which Hadoop MiniKDC is built on top of)
isn't handling that Locale correctly. I still need to do some more
investigation, and I'll check if there are other locales that are a problem as
well.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log,
tests-failures.txt

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-14 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14277602#comment-14277602
]

Gregory Chanan commented on SOLR-6915:
--

Thanks Mark, I'll take a look at that as well.

I investigated the IBM jvm issue a bit; it looks like the JAAS format required
is different; i.e. useKeyTab (true) vs useKeytab (file://path/to/keytab). I
seem to have gotten past that issue but the test is still failing for me on an
IBM jvm.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-14 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14277695#comment-14277695
]

Mark Miller commented on SOLR-6915:
---

Cool - I wouldn't worry too much more about it. There is some assume you can
use to skip the test on IBM jvms - I believe there are some tests that already
do this.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275547#comment-14275547
]

Mark Miller commented on SOLR-6915:
---

bq. have you seen it at all on trunk yet?

I have not yet, but I've only looked at one or two of the fails from the
jenkins cluster.

On my local jenkins it has failed 5 out of 5 on 5x and passed about the same on
trunk. On my dev box (same env as jenkins box) 5x tests seem to run fine.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275378#comment-14275378
]

Mark Miller commented on SOLR-6915:
---

On my jenkins machine, I'm seeing it pretty consistently on 5x but not at all
on trunk.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275453#comment-14275453
]

Mark Miller commented on SOLR-6915:
---

Yeah, I don't see all that logging in a clean local run. It looks like we may
have to add that permission as an exception as well? But why isn't that a
consistent issue?

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275511#comment-14275511
]

Gregory Chanan commented on SOLR-6915:
--

Interesting -- have you seen it at all on trunk yet? We should probably just
add it for now and I'll investigate in the background.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread ASF subversion and git services (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275541#comment-14275541
]

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651409 from [~markrmil...@gmail.com] in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651409 ]

SOLR-6915: Add javax.security.auth.kerberos.KeyTab read permissions.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread ASF subversion and git services (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275539#comment-14275539
]

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651407 from [~markrmil...@gmail.com] in branch 'dev/trunk'
[ https://svn.apache.org/r1651407 ]

SOLR-6915: Add javax.security.auth.kerberos.KeyTab read permissions.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275975#comment-14275975
]

Gregory Chanan commented on SOLR-6915:
--

That last addition makes me nervous -- do we test on other jvms? For example,
see this code in hadoop:
https://github.com/apache/hadoop/blob/5fdcc3f360552a21eb1402a6253d32f012956959/src/core/org/apache/hadoop/security/SecurityUtil.java#L152-L159

which suggests we need a different class for ibm jvms. I noticed this code is
gone in later hadoop versions, so maybe there is a better way.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275980#comment-14275980
]

Mark Miller commented on SOLR-6915:
---

I'm not too concerned about that in the short term - I'm just going to add
perms until it's passing and we can figure out what is actually happening.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275890#comment-14275890
 ] 

Mark Miller commented on SOLR-6915:
---

A bit of whack a mole I guess - now this one pops up: access denied 
(javax.security.auth.PrivateCredentialPermission 
sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab read)

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread ASF subversion and git services (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275927#comment-14275927
]

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651487 from [~markrmil...@gmail.com] in branch 'dev/trunk'
[ https://svn.apache.org/r1651487 ]

SOLR-6915: Add KeysFromKeyTab read permissions.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread ASF subversion and git services (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275931#comment-14275931
]

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651488 from [~markrmil...@gmail.com] in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651488 ]

SOLR-6915: Add KeysFromKeyTab read permissions.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Mark Miller (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14275991#comment-14275991
 ] 

Mark Miller commented on SOLR-6915:
---

Okay, the test now passes on 5x on my jenkins box:

{noformat}
   [junit4] Suite: org.apache.solr.cloud.SaslZkACLProviderTest
   [junit4] Completed on J0 in 24.26s, 1 test
{noformat}


 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Fix For: 5.0, Trunk

 Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-13 Thread Gregory Chanan (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14276210#comment-14276210
]

Gregory Chanan commented on SOLR-6915:
--

Thanks Mark!

I was able to reproduce with failures on my local machine on jdk7, so it
appears to be a jdk7 vs jdk8 issue. Your patches fixed the issue for me as
well. This java bug seems at least related to what we are seeing:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8004488 (explains Krb5Util
I think, not sure about the KeyTab permission).

I also tried an ibm jdk, given my above comment and it failed before getting to
the permission checks. It seems like the JAAS configuration needs to be a bit
different on an IBM jdk. I'll investigate and report back.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Fix For: 5.0, Trunk

Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-12 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14274605#comment-14274605
 ] 

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651266 from gcha...@apache.org in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651266 ]

SOLR-6915: SaslZkACLProvider and Kerberos Test Using MiniKdc

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Attachments: SOLR-6915.patch, SOLR-6915.patch


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-12 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14274590#comment-14274590
 ] 

ASF subversion and git services commented on SOLR-6915:
---

Commit 1651264 from gcha...@apache.org in branch 'dev/trunk'
[ https://svn.apache.org/r1651264 ]

SOLR-6915: SaslZkACLProvider and Kerberos Test Using MiniKdc

 SaslZkACLProvider and Kerberos Test Using MiniKdc
 -

 Key: SOLR-6915
 URL: https://issues.apache.org/jira/browse/SOLR-6915
 Project: Solr
  Issue Type: Improvement
  Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
 Attachments: SOLR-6915.patch, SOLR-6915.patch


 We should provide a ZkACLProvider that requires SASL authentication.  This 
 provider will be useful for administration in a kerberos environment.   In 
 such an environment, the administrator wants solr to authenticate to 
 zookeeper using SASL, since this is only way to authenticate with zookeeper 
 via kerberos.
 The authorization model in such a setup can vary, e.g. you can imagine a 
 scenario where solr owns (is the only writer of) the non-config znodes, but 
 some set of trusted users are allowed to modify the configs.  It's hard to 
 predict all the possibilities here, but one model that seems generally useful 
 is to have a model where solr itself owns all the znodes and all actions that 
 require changing the znodes are routed to Solr APIs.  That seems simple and 
 reasonable as a first version.
 As for testing, I noticed while working on SOLR-6625 that we don't really 
 have any infrastructure for testing kerberos integration in unit tests.  
 Internally, I've been testing using kerberos-enabled VM clusters, but this 
 isn't great since we won't notice any breakages until someone actually spins 
 up a VM.  So part of this JIRA is to provide some infrastructure for testing 
 kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

2015-01-11 Thread Mark Miller (JIRA)

[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14273038#comment-14273038
]

Mark Miller commented on SOLR-6915:
---

+1, looks great.

Comments:

Might be worth calling out the hadoop version update in it's own issue.

Remember to make sure those new sha files go up with eol-syle:native properties
for precommit.

SaslZkACLProvider and Kerberos Test Using MiniKdc
-

Key: SOLR-6915
URL: https://issues.apache.org/jira/browse/SOLR-6915
Project: Solr
Issue Type: Improvement
Components: SolrCloud
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Attachments: SOLR-6915.patch

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

41 matches

Mail list logo