[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mark Miller reopened SOLR-6915:
-------------------------------
I'm seeing a lot of failures of SsaslZkACLProviderTest - it's pretty consistent
on my jenkins machine and I've seen it in the jenkins cluster emails.
We are getting connection loss in this setup call easily for some reason - and
it should be retrying on connection loss so I am not sure what is up yet.
{noformat}
org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode =
ConnectionLoss for /solr
at
__randomizedtesting.SeedInfo.seed([75A11210F50D7764:715544C86C49D46A]:0)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.exists(ZooKeeper.java:1045)
at
org.apache.solr.common.cloud.SolrZkClient$4.execute(SolrZkClient.java:293)
at
org.apache.solr.common.cloud.SolrZkClient$4.execute(SolrZkClient.java:290)
at
org.apache.solr.common.cloud.ZkCmdExecutor.retryOperation(ZkCmdExecutor.java:61)
at
org.apache.solr.common.cloud.SolrZkClient.exists(SolrZkClient.java:290)
at
org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:485)
at
org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:402)
at
org.apache.solr.cloud.SaslZkACLProviderTest.setUp(SaslZkACLProviderTest.java:80)
{noformat}
> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
> Issue Type: Improvement
> Components: SolrCloud
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Fix For: 5.0, Trunk
>
> Attachments: SOLR-6915.patch, SOLR-6915.patch
>
>
> We should provide a ZkACLProvider that requires SASL authentication. This
> provider will be useful for administration in a kerberos environment. In
> such an environment, the administrator wants solr to authenticate to
> zookeeper using SASL, since this is only way to authenticate with zookeeper
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a
> scenario where solr owns (is the only writer of) the non-config znodes, but
> some set of trusted users are allowed to modify the configs. It's hard to
> predict all the possibilities here, but one model that seems generally useful
> is to have a model where solr itself owns all the znodes and all actions that
> require changing the znodes are routed to Solr APIs. That seems simple and
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really
> have any infrastructure for testing kerberos integration in unit tests.
> Internally, I've been testing using kerberos-enabled VM clusters, but this
> isn't great since we won't notice any breakages until someone actually spins
> up a VM. So part of this JIRA is to provide some infrastructure for testing
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
