[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15137630#comment-15137630 ] Josh Elser commented on ACCUMULO-4135: -- I should mention that I noticed some more areas that had test coverage for this code over the weekend. https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=c85e04f has those improvements. > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > Time Spent: 40m > Remaining Estimate: 0h > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15136024#comment-15136024 ] ASF GitHub Bot commented on ACCUMULO-4135: -- Github user asfgit closed the pull request at: https://github.com/apache/accumulo/pull/67 > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > Time Spent: 20m > Remaining Estimate: 0h > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135953#comment-15135953 ] ASF GitHub Bot commented on ACCUMULO-4135: -- Github user joshelser commented on the pull request: https://github.com/apache/accumulo/pull/67#issuecomment-180840226 > Do you think you should go ahead and make the old version deprecated Actually, yes. I was originally thinking that it would be in bad taste to deprecate the old properties in 1.7, but that's silly. I'll add that too. Thanks for taking a look, @ctubbsii! > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135645#comment-15135645 ] ASF GitHub Bot commented on ACCUMULO-4135: -- Github user joshelser commented on the pull request: https://github.com/apache/accumulo/pull/67#issuecomment-180708585 This is what I was thinking about. Old tests appear to pass, as do the new variants. I need to update the user manual, though, to reflect the new configuration means. Old properties are still there too (for backwards compat), but, moving forward, we should try to have people use these new properties. > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135644#comment-15135644 ] ASF GitHub Bot commented on ACCUMULO-4135: -- GitHub user joshelser opened a pull request: https://github.com/apache/accumulo/pull/67 ACCUMULO-4135 Add impersonation configuration keys which don't put th… …e principal in the key. Apparently, Ambari has a very hard time handling configuration keys that have '/' characters in them. As such, this breaks the impersonation config keys, as they will near always have a '/' in them (e.g. primary/instance@REALM). This is sad. This commit introduces an alternate strategy for specifying the same configuration items but only using the values. You can merge this pull request into a Git repository by running: $ git pull https://github.com/joshelser/accumulo ACCUMULO-4135-impersonation-config Alternatively you can review and apply these changes as the patch at: https://github.com/apache/accumulo/pull/67.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #67 commit c43bf64e87d9e095f0a1a2edb55439d806fd96f8 Author: Josh ElserDate: 2016-02-06T06:57:54Z ACCUMULO-4135 Add impersonation configuration keys which don't put the principal in the key. Apparently, Ambari has a very hard time handling configuration keys that have '/' characters in them. As such, this breaks the impersonation config keys, as they will near always have a '/' in them (e.g. primary/instance@REALM). This is sad. This commit introduces an alternate strategy for specifying the same configuration items but only using the values. > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4135) Change Kerberos impersonation configuration keys
[ https://issues.apache.org/jira/browse/ACCUMULO-4135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135669#comment-15135669 ] ASF GitHub Bot commented on ACCUMULO-4135: -- Github user ctubbsii commented on the pull request: https://github.com/apache/accumulo/pull/67#issuecomment-180716575 Just looking at the documentation change, it does seem to me that separating into two configuration options and avoiding the prefix matching to grab configs is a bit more intuitive, and I'm also in favor of moving the special characters out of configuration keys, even if it's a simple special character like '/'. I usually prefer my configuration keys to look like variable identifiers (though, dot-separated is okay). I haven't looked at the implementation, but the test coverage looks good. Do you think you should go ahead and make the old version deprecated, for eventual removal, since the old way is kind of flawed and we don't really want to have to maintain multiple ways to configure the same thing? > Change Kerberos impersonation configuration keys > > > Key: ACCUMULO-4135 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4135 > Project: Accumulo > Issue Type: Bug > Components: core >Affects Versions: 1.7.0 >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Blocker > Fix For: 1.7.1, 1.8.0 > > > For the user impersonation support with Kerberos, we need to be able to > represent the following: > For userA, what other users may userA "act" as and from what host(s) may > userA do this from. > This was represented as the following in accumulo-site.xml: > * {{.userA.users}}=user1,user2,user3... > * {{.userA.hosts}}=fqdn1,fqdn2,fqdn3... > Because we're dealing with Kerberos, "userA" is actually something like > "primary/instance@REALM". > I've recently found out that Ambari doesn't like this and apparently it would > be prohibitively difficult to change it there (urlencode, what?). I'll add > some new configuration properties here that change the structure so that > there are options for users to configure this through all deployment > mechanisms. -- This message was sent by Atlassian JIRA (v6.3.4#6332)