[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037521#comment-15037521 ]

Ishan Chattopadhyaya commented on SOLR-6915:

Maybe we should move this discussion to SOLR-7183, where I added a way to black list the known bad locales in the util class?

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
>                 Key: SOLR-6915
>                 URL: https://issues.apache.org/jira/browse/SOLR-6915
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrCloud
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>             Fix For: 5.1, Trunk
>
>         Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication. This
> provider will be useful for administration in a kerberos environment. In
> such an environment, the administrator wants solr to authenticate to
> zookeeper using SASL, since this is the only way to authenticate with zookeeper
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a
> scenario where solr owns (is the only writer of) the non-config znodes, but
> some set of trusted users are allowed to modify the configs. It's hard to
> predict all the possibilities here, but one model that seems generally useful
> is to have a model where solr itself owns all the znodes and all actions that
> require changing the znodes are routed to Solr APIs. That seems simple and
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really
> have any infrastructure for testing kerberos integration in unit tests.
> Internally, I've been testing using kerberos-enabled VM clusters, but this
> isn't great since we won't notice any breakages until someone actually spins
> up a VM. So part of this JIRA is to provide some infrastructure for testing
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).
-- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
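
The "solr itself owns all the znodes" model from the issue description, sketched against ZooKeeper's ACL classes together with a check that flags any ACL entry letting another identity modify a znode. This is an added example, not code from the SOLR-6915 patch; the class and method names, the SASL id `solr` and the sample ACL lists are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/** Added illustration: class and method names are hypothetical, not Solr's. */
public class OwnerOnlyZnodeAcl {

  // Permission bits that let a client change a znode's data, children or ACL.
  private static final int MUTATING = ZooDefs.Perms.WRITE | ZooDefs.Perms.CREATE
      | ZooDefs.Perms.DELETE | ZooDefs.Perms.ADMIN;

  /** ACL for the owner-only model: a single SASL identity holds all permissions. */
  static List<ACL> ownerOnlyAcl(String saslId) {
    return Collections.singletonList(new ACL(ZooDefs.Perms.ALL, new Id("sasl", saslId)));
  }

  /** Returns the entries that let any identity other than sasl:saslId modify the znode. */
  static List<ACL> mutatingGrantsToOthers(List<ACL> acls, String saslId) {
    List<ACL> findings = new ArrayList<>();
    for (ACL acl : acls) {
      Id id = acl.getId();
      boolean isOwner = "sasl".equals(id.getScheme()) && saslId.equals(id.getId());
      if (!isOwner && (acl.getPerms() & MUTATING) != 0) {
        findings.add(acl);
      }
    }
    return findings;
  }

  private static String describe(ACL acl) {
    return acl.getId().getScheme() + ":" + acl.getId().getId() + " perms=" + acl.getPerms();
  }

  public static void main(String[] args) {
    // Assumed id; it must match the id the ZooKeeper server derives from
    // Solr's Kerberos principal.
    String owner = "solr";

    // Constructed sample ACLs, not taken from a real cluster.
    List<ACL> strict = ownerOnlyAcl(owner);
    // Read access for everyone does not break "Solr is the only writer".
    List<ACL> readableByAll = Arrays.asList(
        new ACL(ZooDefs.Perms.ALL, new Id("sasl", owner)),
        new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
    // The alternative model from the description (a trusted user may modify
    // configs); under the owner-only model this entry is a finding.
    List<ACL> trustedEditor = Arrays.asList(
        new ACL(ZooDefs.Perms.ALL, new Id("sasl", owner)),
        new ACL(ZooDefs.Perms.READ | ZooDefs.Perms.WRITE, new Id("sasl", "configadmin")));
    // world:anyone with all permissions, i.e. no access control at all.
    List<ACL> open = ZooDefs.Ids.OPEN_ACL_UNSAFE;

    for (List<ACL> acls : Arrays.asList(strict, readableByAll, trustedEditor, open)) {
      List<ACL> findings = mutatingGrantsToOthers(acls, owner);
      StringBuilder line = new StringBuilder(findings.isEmpty() ? "OK   " : "FAIL ");
      for (ACL acl : acls) {
        line.append('[').append(describe(acl)).append("] ");
      }
      System.out.println(line.toString().trim());
    }
  }
}
```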
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037534#comment-15037534 ]

Ishan Chattopadhyaya commented on SOLR-6915:

bq. best solution is to fix MiniKDC

+1, but seems like longer term.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037375#comment-15037375 ]

Mark Miller commented on SOLR-6915:

Another option is just hard coding to one working locale for now right?
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15037096#comment-15037096 ]

Gregory Chanan commented on SOLR-6915:

Ok, ran the test through all the locales on my install of java 9. Here's what failed:

ar_JO dz_BT ar_SA fa_AF ar_TD ar_EG ne_IN ar_SD ar_KM fa_IR fa ne my ar_IL ar_SY ar_PS ur_IN ar_YE ps uz_UZ_#Cyrl mr_IN uz ar_OM uz_UZ_#Latn bn bn_BD ps_AF mr dz bn_IN ks__#Arab ar_SS ar_ER th_TH_TH_#u-nu-thai ar_SO uz__#Arab ar_AE as my_MM ar_BH ja_JP_JP_#u-ca-japanese uz__#Cyrl ne_NP uz_AF_#Arab ks as_IN ar_IQ ar_QA ar uz__#Latn ks_IN_#Arab ar_001 ar_KW ar_DJ
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15032710#comment-15032710 ]

Gregory Chanan commented on SOLR-6915:

bq. This is still failing fairly frequently on Jenkins runs, particularly on Java 9 (eg http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14737/). Maybe the thing to do is to wrap the MiniKDC startup method in an assumeTrue(), if we know there are certain locales that break this?

I think that's more or less what was done in SOLR-7183. I think the issue is that just maintains a list of known bad locales instead of running checks on the locales to programmatically figure out what was wrong. And there are new locales in JDK9. So easiest thing to do is add more to the list, medium solution is to run checks on the locale, best solution is to fix MiniKDC.

Just a note: http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14789/ fails with ar_TD
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15026468#comment-15026468 ]

Alan Woodward commented on SOLR-6915:

This is still failing fairly frequently on Jenkins runs, particularly on Java 9 (eg http://jenkins.thetaphi.de/job/Lucene-Solr-5.x-Linux/14737/). Maybe the thing to do is to wrap the MiniKDC startup method in an assumeTrue(), if we know there are certain locales that break this?
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908365#comment-14908365 ]

Gregory Chanan commented on SOLR-6915:

Great. I seem to recall that the latest releases weren't compatible with whatever MiniKDC was expecting, so we may need Hadoop MiniKDC to adopt and release those changes first.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908023#comment-14908023 ]

Uwe Schindler commented on SOLR-6915:

DIRAPI-219 is now solved. Looks like a bugfix release was done.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14708211#comment-14708211 ]

Uwe Schindler commented on SOLR-6915:

This happened again last night with locale {{uz_UZ_#Cyrl}}

We should maybe fix the test's locale
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14708234#comment-14708234 ]

Uwe Schindler commented on SOLR-6915:

It can fail because it uses {{Calendar.getDefault()}}, which is the main issue with this code.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569870#comment-14569870 ]

Mark Miller commented on SOLR-6915:

This apacheds-all jar seems troublesome - currently it has conflicting slf4j classes in it...

bq. Jar conflicts between /lucene-solr-trunk-1/solr/core/test-lib/apacheds-all-2.0.0-M15.jar and /lucene-solr-trunk-1/solr/solrj/lib/slf4j-api-1.7.7.jar
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569893#comment-14569893 ]

Gregory Chanan commented on SOLR-6915:

bq. I believe it's possible to not use the apacheds-all jar; when I looked previously it looked like it took ~20 dependencies, some on different versions, and I couldn't find a link on the apacheds site about which versions were compatible with which.. I'll file a jira to investigate.

SOLR-7628
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14569875#comment-14569875 ]

Gregory Chanan commented on SOLR-6915:

bq. This apacheds-all jar seems troublesome - currently it has conflicting slf4j classes in it...

I believe it's possible to not use the apacheds-all jar; when I looked previously it looked like it took ~20 dependencies, some on different versions, and I couldn't find a link on the apacheds site about which versions were compatible with which.. I'll file a jira to investigate.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14308354#comment-14308354 ]

Gregory Chanan commented on SOLR-6915:

[~elecharny] sorry for the late reply. I'm just starting up a Hadoop MiniKDC. See the code here for more details: https://github.com/apache/hadoop/blob/4641196fe02af5cab3d56a9f3c78875c495dbe03/hadoop-common-project/hadoop-minikdc/src/main/java/org/apache/hadoop/minikdc/MiniKdc.java#L322-L389
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14293247#comment-14293247 ]
Emmanuel Lecharny commented on SOLR-6915:
I would suggest you switch to ApacheDS M19. M15 is quite ancient, and depends on LDAP API 1.0.0-M20, which is 9 versions behind already. Although the GeneralizedTimeSyntaxChecker has not changed for years... FTR, the date 270126230030Z is perfectly valid, and I don't see how possibly it can fail. Here is the code: http://svn.apache.org/viewvc/directory/shared/trunk/ldap/model/src/main/java/org/apache/directory/api/ldap/model/schema/syntaxCheckers/GeneralizedTimeSyntaxChecker.java?revision=1002871&view=markup
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294226#comment-14294226 ]
Gregory Chanan commented on SOLR-6915:
[~elecharny] thanks for the suggestion, I'll look into it but I may not be able to do anything because I'm relying on hadoop MiniKDC, so likely they would have to upgrade the dependency first. About the date 270126230030Z I think you are right, that comment refers to an error coming from bouncycastle, not from apacheds. I believe the errors coming from apacheds are only the two locales:
th_TH_TH_#u-nu-thai
hi_IN
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294369#comment-14294369 ]
ASF subversion and git services commented on SOLR-6915:
Commit 1655188 from gcha...@apache.org in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1655188 ]
SOLR-6915: Avoid broken Locales and skip IBM J9
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294394#comment-14294394 ]
Emmanuel Lecharny commented on SOLR-6915:
Can you be a bit more explicit about what you are doing that breaks in ApacheDS when using the Thai locale?
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294367#comment-14294367 ]
ASF subversion and git services commented on SOLR-6915:
Commit 1655187 from gcha...@apache.org in branch 'dev/trunk' [ https://svn.apache.org/r1655187 ]
SOLR-6915: Avoid broken Locales and skip IBM J9
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14292428#comment-14292428 ]
Gregory Chanan commented on SOLR-6915:
These locales fail for me locally on java8:
th_TH_TH_#u-nu-thai
ja_JP_JP_#u-ca-japanese
hi_IN
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14292842#comment-14292842 ]
Gregory Chanan commented on SOLR-6915:
Filed DIRAPI-219 for the ldap-api issues.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14292616#comment-14292616 ]
Gregory Chanan commented on SOLR-6915:
th_TH_TH_#u-nu-thai and hi_IN seem to be issues with apacheds-ldap-api, they have the backtrace that Shalin posted above. ja_JP_JP_#u-ca-japanese seems to be a bouncycastle issue; the exception is here:
{code}
209475 T11 oasc.SaslZkACLProviderTest.setUp Exception:invalid date string: Unparseable date: 270126230030Z
java.lang.IllegalArgumentException: invalid date string: Unparseable date: 270126230030Z
[junit4]   2> 	at org.bouncycastle.asn1.DERGeneralizedTime.<init>(Unknown Source)
[junit4]   2> 	at org.bouncycastle.asn1.x509.Time.<init>(Unknown Source)
[junit4]   2> 	at org.bouncycastle.x509.X509V1CertificateGenerator.setNotBefore(Unknown Source)
[junit4]   2> 	at org.apache.directory.server.core.security.TlsKeyGenerator.addKeyPair(TlsKeyGenerator.java:277)
[junit4]   2> 	at org.apache.directory.server.core.DefaultDirectoryService.createBootstrapEntries(DefaultDirectoryService.java:1483)
[junit4]   2> 	at org.apache.directory.server.core.DefaultDirectoryService.initialize(DefaultDirectoryService.java:1828)
[junit4]   2> 	at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1248)
[junit4]   2> 	at org.apache.hadoop.minikdc.MiniKdc.initDirectoryService(MiniKdc.java:375)
[junit4]   2> 	at org.apache.hadoop.minikdc.MiniKdc.start(MiniKdc.java:310)
{code}
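Added example, not code from Solr, Hadoop MiniKdc, ApacheDS or Bouncy Castle: a stand-alone Java sketch of how the locales reported in this thread can turn a timestamp into a string that is no longer a well-formed GeneralizedTime, next to a locale-pinned formatter. It assumes the failing code formats the timestamp with the JVM default locale; the class name, method names and the sample instant are constructed for illustration.

```java
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;
import java.util.regex.Pattern;

public class LocaleGeneralizedTimeDemo {

    // Full-precision UTC GeneralizedTime: 14 ASCII digits (yyyyMMddHHmmss) followed by 'Z'.
    // [0-9] is deliberate: it never matches Thai or Devanagari digits.
    private static final Pattern GENERALIZED_TIME = Pattern.compile("[0-9]{14}Z");

    private static final String PATTERN = "yyyyMMddHHmmss'Z'";

    /** Locale-sensitive formatting: the calendar system and digit shapes follow the locale. */
    static String formatWithLocale(Date when, Locale locale) {
        SimpleDateFormat fmt = new SimpleDateFormat(PATTERN, locale);
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        return fmt.format(when);
    }

    /** Locale-independent formatting: Locale.ROOT pins the Gregorian calendar and ASCII digits. */
    static String formatPinned(Date when) {
        return formatWithLocale(when, Locale.ROOT);
    }

    static boolean isGeneralizedTime(String s) {
        return GENERALIZED_TIME.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed sample instant, not taken from the failing test run.
        Date when = Date.from(Instant.parse("2015-01-26T23:00:30Z"));

        // The three-argument constructor yields the locales exactly as the thread names them:
        // the "TH" and "JP" variants map to the u-nu-thai and u-ca-japanese extensions.
        Map<String, Locale> locales = new LinkedHashMap<>();
        locales.put("th_TH_TH", new Locale("th", "TH", "TH")); // Thai digits, Buddhist calendar
        locales.put("ja_JP_JP", new Locale("ja", "JP", "JP")); // Japanese imperial calendar (era years)
        locales.put("hi_IN", new Locale("hi", "IN"));          // digit shapes depend on JDK locale data
        locales.put("en_US", Locale.US);                       // control case

        for (Map.Entry<String, Locale> e : locales.entrySet()) {
            String formatted = formatWithLocale(when, e.getValue());
            System.out.printf("%-9s %-18s wellFormed=%b%n",
                    e.getKey(), formatted, isGeneralizedTime(formatted));
        }

        String pinned = formatPinned(when);
        System.out.printf("%-9s %-18s wellFormed=%b%n", "ROOT", pinned, isGeneralizedTime(pinned));
    }
}
```

Results for hi_IN depend on the locale data the JDK ships, so run it on the same JVM as the failing test.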
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288718#comment-14288718 ]
Gregory Chanan commented on SOLR-6915:
Thanks Shalin, I was able to reproduce. It looks like Apache Directory Server (which Hadoop MiniKDC is built on top of) isn't handling that Locale correctly. I still need to do some more investigation, and I'll check if there are other locales that are a problem as well.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14277602#comment-14277602 ]
Gregory Chanan commented on SOLR-6915:
Thanks Mark, I'll take a look at that as well. I investigated the IBM jvm issue a bit; it looks like the JAAS format required is different; i.e. useKeyTab (true) vs useKeytab (file://path/to/keytab). I seem to have gotten past that issue but the test is still failing for me on an IBM jvm.
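Added example, not part of the SOLR-6915 patch: a programmatic JAAS configuration that emits the keytab options for either JVM family, showing the useKeyTab / useKeytab difference mentioned in the comment above. The class name, principal and keytab path are hypothetical; the login module class names and the storeKey, doNotPrompt and credsType options are not on this page and are given as the commonly documented settings for each vendor's Krb5LoginModule.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical helper: keytab-based Kerberos login configuration for either JVM family. */
public class KeytabJaasConfiguration extends Configuration {

    private final AppConfigurationEntry[] entries;

    public KeytabJaasConfiguration(String principal, String keytabPath, boolean ibmJvm) {
        // Assumption: each vendor ships its own Krb5LoginModule under these class names.
        String module = ibmJvm
                ? "com.ibm.security.auth.module.Krb5LoginModule"
                : "com.sun.security.auth.module.Krb5LoginModule";
        entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED,
                    keytabOptions(principal, keytabPath, ibmJvm))
        };
    }

    /** Assumption: a vendor-string check is enough to tell the two families apart. */
    static boolean isIbmJvm() {
        return System.getProperty("java.vendor", "").contains("IBM");
    }

    static Map<String, String> keytabOptions(String principal, String keytabPath, boolean ibmJvm) {
        Map<String, String> options = new LinkedHashMap<>();
        options.put("principal", principal);
        if (ibmJvm) {
            // IBM module: a single option whose value is the keytab location as a file URL.
            options.put("useKeytab", "file://" + keytabPath);
            options.put("credsType", "both");
        } else {
            // Sun/Oracle/OpenJDK module: a boolean switch plus a separate path option.
            options.put("useKeyTab", "true");
            options.put("keyTab", keytabPath);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
        }
        return options;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // The same entry is returned for every section name asked for.
        return entries;
    }

    public static void main(String[] args) {
        String principal = "solr/localhost@EXAMPLE.COM"; // constructed sample principal
        String keytab = "/tmp/minikdc/solr.keytab";       // constructed sample path

        for (boolean ibm : new boolean[] {false, true}) {
            Configuration conf = new KeytabJaasConfiguration(principal, keytab, ibm);
            AppConfigurationEntry entry = conf.getAppConfigurationEntry("Client")[0];
            System.out.println(entry.getLoginModuleName() + " " + entry.getOptions());
        }

        // In a test, install the variant matching the running JVM before any login happens.
        Configuration.setConfiguration(new KeytabJaasConfiguration(principal, keytab, isIbmJvm()));
    }
}
```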
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14277695#comment-14277695 ]
Mark Miller commented on SOLR-6915:
Cool - I wouldn't worry too much more about it. There is some assume you can use to skip the test on IBM jvms - I believe there are some tests that already do this.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275547#comment-14275547 ]
Mark Miller commented on SOLR-6915:
> have you seen it at all on trunk yet?
I have not yet, but I've only looked at one or two of the fails from the jenkins cluster. On my local jenkins it has failed 5 out of 5 on 5x and passed about the same on trunk. On my dev box (same env as jenkins box) 5x tests seem to run fine.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275378#comment-14275378 ]
Mark Miller commented on SOLR-6915:
On my jenkins machine, I'm seeing it pretty consistently on 5x but not at all on trunk.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275453#comment-14275453 ]
Mark Miller commented on SOLR-6915:
Yeah, I don't see all that logging in a clean local run. It looks like we may have to add that permission as an exception as well? But why isn't that a consistent issue?
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275511#comment-14275511 ]

Gregory Chanan commented on SOLR-6915:

Interesting -- have you seen it at all on trunk yet? We should probably just add it for now and I'll investigate in the background.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275541#comment-14275541 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651409 from [~markrmil...@gmail.com] in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651409 ]

SOLR-6915: Add javax.security.auth.kerberos.KeyTab read permissions.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275539#comment-14275539 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651407 from [~markrmil...@gmail.com] in branch 'dev/trunk'
[ https://svn.apache.org/r1651407 ]

SOLR-6915: Add javax.security.auth.kerberos.KeyTab read permissions.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275975#comment-14275975 ]

Gregory Chanan commented on SOLR-6915:

That last addition makes me nervous -- do we test on other jvms? For example, see this code in hadoop:
https://github.com/apache/hadoop/blob/5fdcc3f360552a21eb1402a6253d32f012956959/src/core/org/apache/hadoop/security/SecurityUtil.java#L152-L159
which suggests we need a different class for ibm jvms. I noticed this code is gone in later hadoop versions, so maybe there is a better way.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275980#comment-14275980 ]

Mark Miller commented on SOLR-6915:

I'm not too concerned about that in the short term - I'm just going to add perms until it's passing and we can figure out what is actually happening.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275890#comment-14275890 ]

Mark Miller commented on SOLR-6915:

A bit of whack a mole I guess - now this one pops up:

access denied (javax.security.auth.PrivateCredentialPermission sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab read)
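The permission-by-permission loop in the message above can be driven from the test log, so that each grant is tied to a denial that actually occurred. The following is an added example, not code from Solr or from anyone in this thread: it parses `access denied (...)` messages, in the unquoted form quoted above and in the quoted form that JDK 7 and 8 print, and renders one candidate policy `permission` line per distinct denial. Every log line other than the one quoted above, the principal `solr@EXAMPLE.COM` and all function names are constructed for illustration.

```python
import re
from collections import Counter

PCP = "javax.security.auth.PrivateCredentialPermission"

# Constructed sample test output. The first denial is the message quoted in the
# thread (unquoted form). The others are constructed in the quoted form, with a
# made-up principal.
SAMPLE_LOG = '''\
[junit4] java.security.AccessControlException: access denied (javax.security.auth.PrivateCredentialPermission sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab read)
[junit4] java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KeyTab javax.security.auth.kerberos.KerberosPrincipal "solr@EXAMPLE.COM"" "read")
[junit4] java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KeyTab javax.security.auth.kerberos.KerberosPrincipal "solr@EXAMPLE.COM"" "read")
[junit4] java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setIO")
[junit4] Completed on J0 in 24.26s, 1 test
'''

# Quoted form: ("class" "name" "actions") or ("class" "name"). The name is
# printed without escaping, so it may itself contain double quotes.
QUOTED3 = re.compile(r'access denied \("([^"]+)" "(.*)" "([^"]*)"\)')
QUOTED2 = re.compile(r'access denied \("([^"]+)" "(.*)"\)')
# Unquoted form: (class name actions), fields separated by spaces.
UNQUOTED = re.compile(r'access denied \(([^\s"()]+)(?: ([^"()]*))?\)')


def parse_denial(line):
    """Return (permission_class, name, actions), or None if no denial is found."""
    m = QUOTED3.search(line)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = QUOTED2.search(line)
    if m:
        return m.group(1), m.group(2), ""
    m = UNQUOTED.search(line)
    if m:
        tokens = (m.group(2) or "").split()
        if len(tokens) >= 2:
            # Heuristic for the unquoted form: the last token is the action list.
            return m.group(1), " ".join(tokens[:-1]), tokens[-1]
        return m.group(1), " ".join(tokens), ""
    return None


def policy_line(perm_class, name, actions):
    """Render one denial as a Java policy-file permission entry."""
    note = ""
    if perm_class == PCP and len(name.split()) == 1:
        # The log gave only the credential class, but the policy syntax is
        # CredentialClass PrincipalClass "PrincipalName". Assumption made here:
        # fall back to the wildcard principal and flag it for review.
        name += ' * "*"'
        note = "  // principal missing in log: wildcard, narrow if known"
    # Backslashes and inner double quotes must be escaped inside policy strings.
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    line = f'permission {perm_class} "{escaped}"'
    if actions:
        line += f', "{actions}"'
    return line + ";" + note


def candidate_grants(log_text):
    """Return [(hit_count, policy_line)] for each distinct denial, in log order."""
    seen = Counter()
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial:
            seen[denial] += 1
    return [(count, policy_line(*denial)) for denial, count in seen.items()]


if __name__ == "__main__":
    for count, grant in candidate_grants(SAMPLE_LOG):
        print(f"{count}x  {grant}")
```

Entries flagged with the wildcard note grant read access to that credential class for any principal, so they are the ones to revisit once the real cause of the denial is understood.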
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275927#comment-14275927 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651487 from [~markrmil...@gmail.com] in branch 'dev/trunk'
[ https://svn.apache.org/r1651487 ]

SOLR-6915: Add KeysFromKeyTab read permissions.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275931#comment-14275931 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651488 from [~markrmil...@gmail.com] in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651488 ]

SOLR-6915: Add KeysFromKeyTab read permissions.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275991#comment-14275991 ]

Mark Miller commented on SOLR-6915:

Okay, the test now passes on 5x on my jenkins box:

{noformat}
[junit4] Suite: org.apache.solr.cloud.SaslZkACLProviderTest
[junit4] Completed on J0 in 24.26s, 1 test
{noformat}
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14276210#comment-14276210 ]

Gregory Chanan commented on SOLR-6915:

Thanks Mark! I was able to reproduce with failures on my local machine on jdk7, so it appears to be a jdk7 vs jdk8 issue. Your patches fixed the issue for me as well. This java bug seems at least related to what we are seeing: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8004488 (explains Krb5Util I think, not sure about the KeyTab permission).

I also tried an ibm jdk, given my above comment and it failed before getting to the permission checks. It seems like the JAAS configuration needs to be a bit different on an IBM jdk. I'll investigate and report back.
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274605#comment-14274605 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651266 from gcha...@apache.org in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1651266 ]

SOLR-6915: SaslZkACLProvider and Kerberos Test Using MiniKdc
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274590#comment-14274590 ]

ASF subversion and git services commented on SOLR-6915:

Commit 1651264 from gcha...@apache.org in branch 'dev/trunk'
[ https://svn.apache.org/r1651264 ]

SOLR-6915: SaslZkACLProvider and Kerberos Test Using MiniKdc
[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
[ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273038#comment-14273038 ]

Mark Miller commented on SOLR-6915:

+1, looks great.

Comments:

Might be worth calling out the hadoop version update in its own issue.

Remember to make sure those new sha files go up with eol-style:native properties for precommit.