[jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc

Wed, 02 Dec 2015 18:24:22 -0800 

    [ 
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15037096#comment-15037096
 ] 

Gregory Chanan commented on SOLR-6915:
--------------------------------------

Ok, ran the test through all the locales on my install of java 9.  Here's what 
failed:
ar_JO
dz_BT
ar_SA
fa_AF
ar_TD
ar_EG
ne_IN
ar_SD
ar_KM
fa_IR
fa
ne
my
ar_IL
ar_SY
ar_PS
ur_IN
ar_YE
ps
uz_UZ_#Cyrl
mr_IN
uz
ar_OM
uz_UZ_#Latn
bn
bn_BD
ps_AF
mr
dz
bn_IN
ks__#Arab
ar_SS
ar_ER
th_TH_TH_#u-nu-thai
ar_SO
uz__#Arab
ar_AE
as
my_MM
ar_BH
ja_JP_JP_#u-ca-japanese
uz__#Cyrl
ne_NP
uz_AF_#Arab
ks
as_IN
ar_IQ
ar_QA
ar
uz__#Latn
ks_IN_#Arab
ar_001
ar_KW
ar_DJ

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
>                 Key: SOLR-6915
>                 URL: https://issues.apache.org/jira/browse/SOLR-6915
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrCloud
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>             Fix For: 5.1, Trunk
>
>         Attachments: SOLR-6915.patch, SOLR-6915.patch, fail.log, fail.log, 
> tests-failures.txt
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This 
> provider will be useful for administration in a kerberos environment.   In 
> such an environment, the administrator wants solr to authenticate to 
> zookeeper using SASL, since this is only way to authenticate with zookeeper 
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a 
> scenario where solr owns (is the only writer of) the non-config znodes, but 
> some set of trusted users are allowed to modify the configs.  It's hard to 
> predict all the possibilities here, but one model that seems generally useful 
> is to have a model where solr itself owns all the znodes and all actions that 
> require changing the znodes are routed to Solr APIs.  That seems simple and 
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really 
> have any infrastructure for testing kerberos integration in unit tests.  
> Internally, I've been testing using kerberos-enabled VM clusters, but this 
> isn't great since we won't notice any breakages until someone actually spins 
> up a VM.  So part of this JIRA is to provide some infrastructure for testing 
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to