[jira] [Commented] (IMPALA-6085) Make the setup and teardown of the security code idempotent
[ https://issues.apache.org/jira/browse/IMPALA-6085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16810084#comment-16810084 ]

ASF subversion and git services commented on IMPALA-6085:

Commit b97e0cd555a53057a82dc9c0ad9e0cfe58f3ec66 in impala's branch refs/heads/2.x from Sailesh Mukil
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b97e0cd ]

IMPALA-5129: Use Kudu's Kinit code to avoid expensive fork

NOTE: This commit is part of a set of changes for IMPALA-7006. It contains pieces of a previous commit that need to be cherry picked again after rebasing the code in be/src/kudu/{util,security,rpc}.

The original commit message is below:

Impala currently kinits by forking off a child process. This has proved to be expensive in many cases since the subprocess tries to reserve as much memory as Impala is currently using which can be quite a lot.

This patch adds a flag called 'use_kudu_kinit' that defaults to true. When it's true, it uses the Kudu security library's kinit code that programmatically uses the krb5 library to kinit. When it's false, we run our current path which kicks off the kinit-thread and forks off a kinit process periodically to reacquire tickets based on FLAGS_kerberos_reinit_interval.

Converted existing tests in thrift-server-test to run with and without kerberos. We now run this BE test with kerberos by using Kudu's MiniKdc utility. This introduces a new dependency on some kerberos binaries that are checked through FindKerberosPrograms.cmake. Note that this is only a test dependency and not a dependency for the impalad binaries and friends. Compilation will still succeed if the kerberos binaries for the MiniKdc are not found, however, the thrift-server-test will fail. We run with and without the 'use_kudu_kinit' flag.

TODO: Since the setting up and tearing down of our security code isn't idempotent, we can run only any one test in a process with Kerberos now (IMPALA-6085).

Updated bin/bootstrap_system.sh to install new sasl-gssapi modules and the kerberos binaries required for the MiniKdc. Also fixed a bug that didn't transfer the environment into 'sudo' in bin/bootstrap_system.sh.

Testing: Verified with thrift-server-test and also manually on a live kerberized cluster.

Change-Id: Ie3c6e933c454e7adca69ef03e7d5c0c84b656895
Reviewed-on: http://gerrit.cloudera.org:8080/7938
Reviewed-by: Sailesh Mukil
Tested-by: Impala Public Jenkins
Reviewed-on: http://gerrit.cloudera.org:8080/10763
Reviewed-by: Lars Volker
Tested-by: Lars Volker

> Make the setup and teardown of the security code idempotent
> ---
>
> Key: IMPALA-6085
> URL: https://issues.apache.org/jira/browse/IMPALA-6085
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Affects Versions: Impala 2.10.0
> Reporter: Sailesh Mukil
> Priority: Major
> Labels: infrastructure, security, test
>
> Our security code assumes that it will only be called once in the lifetime of
> a process. This is true, however, for tests, we would like to set it up and
> tear it down multiple times to issue it different configurations and test it
> within the same backend test process.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

[jira] [Commented] (IMPALA-6085) Make the setup and teardown of the security code idempotent
[ https://issues.apache.org/jira/browse/IMPALA-6085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16542567#comment-16542567 ]

ASF subversion and git services commented on IMPALA-6085:

Commit bee01825e23fc097c1d8ff58f68afb5141ea57db in impala's branch refs/heads/master from [~sailesh]
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=bee0182 ]

IMPALA-5129: Use Kudu's Kinit code to avoid expensive fork

NOTE: This commit is part of a set of changes for IMPALA-7006. It contains pieces of a previous commit that need to be cherry picked again after rebasing the code in be/src/kudu/{util,security,rpc}.

The original commit message is below:

Impala currently kinits by forking off a child process. This has proved to be expensive in many cases since the subprocess tries to reserve as much memory as Impala is currently using which can be quite a lot.

This patch adds a flag called 'use_kudu_kinit' that defaults to true. When it's true, it uses the Kudu security library's kinit code that programmatically uses the krb5 library to kinit. When it's false, we run our current path which kicks off the kinit-thread and forks off a kinit process periodically to reacquire tickets based on FLAGS_kerberos_reinit_interval.

Converted existing tests in thrift-server-test to run with and without kerberos. We now run this BE test with kerberos by using Kudu's MiniKdc utility. This introduces a new dependency on some kerberos binaries that are checked through FindKerberosPrograms.cmake. Note that this is only a test dependency and not a dependency for the impalad binaries and friends. Compilation will still succeed if the kerberos binaries for the MiniKdc are not found, however, the thrift-server-test will fail. We run with and without the 'use_kudu_kinit' flag.

TODO: Since the setting up and tearing down of our security code isn't idempotent, we can run only any one test in a process with Kerberos now (IMPALA-6085).

Updated bin/bootstrap_system.sh to install new sasl-gssapi modules and the kerberos binaries required for the MiniKdc. Also fixed a bug that didn't transfer the environment into 'sudo' in bin/bootstrap_system.sh.

Testing: Verified with thrift-server-test and also manually on a live kerberized cluster.

Change-Id: Ie3c6e933c454e7adca69ef03e7d5c0c84b656895
Reviewed-on: http://gerrit.cloudera.org:8080/7938
Reviewed-by: Sailesh Mukil
Tested-by: Impala Public Jenkins
Reviewed-on: http://gerrit.cloudera.org:8080/10763
Reviewed-by: Lars Volker
Tested-by: Lars Volker

> Make the setup and teardown of the security code idempotent
> ---
>
> Key: IMPALA-6085
> URL: https://issues.apache.org/jira/browse/IMPALA-6085
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Affects Versions: Impala 2.10.0
> Reporter: Sailesh Mukil
> Priority: Major
> Labels: infrastructure, security, test
>
> Our security code assumes that it will only be called once in the lifetime of
> a process. This is true, however, for tests, we would like to set it up and
> tear it down multiple times to issue it different configurations and test it
> within the same backend test process.

[jira] [Commented] (IMPALA-6085) Make the setup and teardown of the security code idempotent
[ https://issues.apache.org/jira/browse/IMPALA-6085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16519822#comment-16519822 ]

Sailesh Mukil commented on IMPALA-6085:

Interesting test cases this could enable:

* Add cases to rpc-mgr-kerberized-test that use different configurations of kerberos, such as running with auth_to_local_rules.
* Add cases that run a matrix of tests such as {Kerberos enabled, SSL enabled} (we run only this today), {Kerberos enabled, SSL disabled}, {Kerberos disabled, SSL enabled}.

Will add more as I think of them

> Make the setup and teardown of the security code idempotent
> ---
>
> Key: IMPALA-6085
> URL: https://issues.apache.org/jira/browse/IMPALA-6085
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Affects Versions: Impala 2.10.0
> Reporter: Sailesh Mukil
> Priority: Major
> Labels: infrastructure, security, test
>
> Our security code assumes that it will only be called once in the lifetime of
> a process. This is true, however, for tests, we would like to set it up and
> tear it down multiple times to issue it different configurations and test it
> within the same backend test process.
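
The once-per-process assumption from the issue description, next to a setup/teardown pair that can be repeated, as an added C++ example that is not part of the original messages or of Impala's code. `SecurityConfig`, `OnceOnlySecurity`, `RepeatableSecurity` and `CasesHonored` are hypothetical names; the example runs the three {Kerberos, SSL} combinations from the comment in one process and counts how many actually took effect.

```cpp
#include <cstdio>
#include <mutex>
// Hypothetical settings; not Impala's real flags or types.
struct SecurityConfig { bool kerberos; bool ssl; };
static bool Same(const SecurityConfig& a, const SecurityConfig& b) {
  return a.kerberos == b.kerberos && a.ssl == b.ssl;
}
// The three {Kerberos, SSL} combinations listed in the JIRA comment.
static const SecurityConfig kMatrix[] = {{true, true}, {true, false}, {false, true}};
// Set up once per process: a later configuration is silently ignored.
class OnceOnlySecurity {
 public:
  bool Init(const SecurityConfig& c) { if (!done_) { cfg_ = c; done_ = true; } return true; }
  void Teardown() {}  // nothing is ever released
  SecurityConfig active() const { return cfg_; }
 private:
  bool done_ = false;
  SecurityConfig cfg_{false, false};
};

// Repeatable: Teardown drops all state, and either call is safe to repeat.
class RepeatableSecurity {
 public:
  bool Init(const SecurityConfig& c) {  // false if a different config is still up
    std::lock_guard<std::mutex> l(mu_);
    if (up_) return Same(cfg_, c);
    cfg_ = c; up_ = true;  // real code would acquire credentials and TLS state here
    return true;
  }
  void Teardown() {  // no-op when nothing is set up
    std::lock_guard<std::mutex> l(mu_);
    cfg_ = SecurityConfig{false, false}; up_ = false;
  }
  SecurityConfig active() { std::lock_guard<std::mutex> l(mu_); return cfg_; }
 private:
  std::mutex mu_;
  bool up_ = false;
  SecurityConfig cfg_{false, false};
};

// Counts matrix entries that ran under the configuration they asked for.
template <class S> int CasesHonored() {
  S s; int ok = 0;
  for (const SecurityConfig& c : kMatrix) {
    if (s.Init(c) && Same(s.active(), c)) ++ok;
    s.Teardown(); s.Teardown();  // the second call must be harmless
  }
  return ok;
}
int main() { std::printf("%d %d\n", CasesHonored<OnceOnlySecurity>(), CasesHonored<RepeatableSecurity>()); }
```

With the once-only form, the second and third cases would run under the first case's settings without any error, which is why a test matrix in a single process needs the repeatable form.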