[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[Josh Elser (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15137630#comment-15137630
 ] 

Josh Elser commented on ACCUMULO-4135:
--

I should mention that I noticed some more areas that had test coverage for this 
code over the weekend. 
https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=c85e04f has those 
improvements.

> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15136024#comment-15136024
 ] 

ASF GitHub Bot commented on ACCUMULO-4135:
--

Github user asfgit closed the pull request at:

https://github.com/apache/accumulo/pull/67


> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135953#comment-15135953
 ] 

ASF GitHub Bot commented on ACCUMULO-4135:
--

Github user joshelser commented on the pull request:

https://github.com/apache/accumulo/pull/67#issuecomment-180840226
  
> Do you think you should go ahead and make the old version deprecated

Actually, yes. I was originally thinking that it would be in bad taste to 
deprecate the old properties in 1.7, but that's silly. I'll add that too.

Thanks for taking a look, @ctubbsii!


> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135645#comment-15135645
 ] 

ASF GitHub Bot commented on ACCUMULO-4135:
--

Github user joshelser commented on the pull request:

https://github.com/apache/accumulo/pull/67#issuecomment-180708585
  
This is what I was thinking about. Old tests appear to pass, as do the new 
variants.

I need to update the user manual, though, to reflect the new configuration 
means. Old properties are still there too (for backwards compat), but, moving 
forward, we should try to have people use these new properties.


> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135644#comment-15135644
 ] 

ASF GitHub Bot commented on ACCUMULO-4135:
--

GitHub user joshelser opened a pull request:

https://github.com/apache/accumulo/pull/67

ACCUMULO-4135 Add impersonation configuration keys which don't put th…

…e principal in the key.

Apparently, Ambari has a very hard time handling configuration keys that 
have '/'
characters in them. As such, this breaks the impersonation config keys, as 
they
will near always have a '/' in them (e.g. primary/instance@REALM). This is 
sad.

This commit introduces an alternate strategy for specifying the same 
configuration
items but only using the values.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/joshelser/accumulo 
ACCUMULO-4135-impersonation-config

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/accumulo/pull/67.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #67


commit c43bf64e87d9e095f0a1a2edb55439d806fd96f8
Author: Josh Elser 
Date:   2016-02-06T06:57:54Z

ACCUMULO-4135 Add impersonation configuration keys which don't put the 
principal in the key.

Apparently, Ambari has a very hard time handling configuration keys that 
have '/'
characters in them. As such, this breaks the impersonation config keys, as 
they
will near always have a '/' in them (e.g. primary/instance@REALM). This is 
sad.

This commit introduces an alternate strategy for specifying the same 
configuration
items but only using the values.




> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135669#comment-15135669
 ] 

ASF GitHub Bot commented on ACCUMULO-4135:
--

Github user ctubbsii commented on the pull request:

https://github.com/apache/accumulo/pull/67#issuecomment-180716575
  
Just looking at the documentation change, it does seem to me that 
separating into two configuration options and avoiding the prefix matching to 
grab configs is a bit more intuitive, and I'm also in favor of moving the 
special characters out of configuration keys, even if it's a simple special 
character like '/'. I usually prefer my configuration keys to look like 
variable identifiers (though, dot-separated is okay). I haven't looked at the 
implementation, but the test coverage looks good.

Do you think you should go ahead and make the old version deprecated, for 
eventual removal, since the old way is kind of flawed and we don't really want 
to have to maintain multiple ways to configure the same thing?


> Change Kerberos impersonation configuration keys
> 
>
> Key: ACCUMULO-4135
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4135
> Project: Accumulo
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.7.0
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Blocker
> Fix For: 1.7.1, 1.8.0
>
>
> For the user impersonation support with Kerberos, we need to be able to 
> represent the following:
> For userA, what other users may userA "act" as and from what host(s) may 
> userA do this from.
> This was represented as the following in accumulo-site.xml:
> * {{.userA.users}}=user1,user2,user3...
> * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3...
> Because we're dealing with Kerberos, "userA" is actually something like 
> "primary/instance@REALM".
> I've recently found out that Ambari doesn't like this and apparently it would 
> be prohibitively difficult to change it there (urlencode, what?). I'll add 
> some new configuration properties here that change the structure so that 
> there are options for users to configure this through all deployment 
> mechanisms.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)