[
https://issues.apache.org/jira/browse/OOZIE-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated OOZIE-1491:
---------------------------------
Attachment: OOZIE-1491.patch

Basically, when {{oozie.zookeeper.secure}} is set to true, Oozie will connect
to ZK using SASL/Kerberos and make all znodes it uses have "sasl" ACLs.

Getting the unit tests to work was quite tricky because ZooKeeper requires
setting the security for the entire JVM. And for the tests, we're running the
ZK server and one or more clients from the same JVM, so things get messy.
{{ZKXTestCaseWithSecurity#setupZKServer}} has a much longer explanation, but
suffice it to say, this causes a lot of difficulties.

One main issue is that once authenticated, you can't really log out. So once
the {{TestZKUtilsWithSecurity}} runs, any tests afterwards which try to use
ZooKeeper will try using security and likely fail. So, I had to exclude
{{TestZKUtilsWithSecurity}}; however, it can be run, even without Kerberos
setup because it uses Hadoop's MiniKdc. Though currently,
{{TestZKUtilsWithSecurity}} will fail because we don't have Curator 2.3.1 (for
CURATOR-58); once we have that though, I think we should have Jenkins run
{{TestZKUtilsWithSecurity}}.

If anybody has any ideas on how to improve the security test situation, please
let me know or try them out yourself. Though I did try many, many different
things.

Also, the MiniKdc isn't in a released version of Hadoop yet, but it's luckily in
its own package, so I had to use version {{2.3.0-SNAPSHOT}} for it. This
shouldn't be a problem because the MiniKdc doesn't/hasn't changed much; though
once a released version of Hadoop has it, we should use that.

I've also verified that everything works in an actual cluster.

Thanks to Alejandro, Patrick Hunt, Matteo Bertozzi, and Jordan Zimmerman for
their help on this! :)
> Make sure HA works with a secure ZooKeeper
> ------------------------------------------
>
> Key: OOZIE-1491
> URL: https://issues.apache.org/jira/browse/OOZIE-1491
> Project: Oozie
> Issue Type: Improvement
> Components: HA
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Attachments: OOZIE-1491.patch
>
>
> We need to make sure that HA works with a secure ZooKeeper. This includes
> the SASL ACL setting that will prevent someone else from deleting the oozie
> znodes.
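
The behaviour described in the comment above (a SASL login configured for the whole JVM, and "sasl" ACLs on the znodes), sketched as an added Java/Curator example that is not taken from OOZIE-1491.patch or from Oozie. The class and method names, the host, the JAAS file path, the znode path and the `oozie` identity are assumptions or placeholders.

```java
import java.util.Collections;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SaslZnodeExample {
    /** Gives every znode created through Curator an ACL owned by one SASL identity. */
    static class SaslAclProvider implements ACLProvider {
        private final List<ACL> acl;
        SaslAclProvider(String principal) {
            acl = Collections.singletonList(new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
        }
        @Override public List<ACL> getDefaultAcl() { return acl; }
        @Override public List<ACL> getAclForPath(String path) { return acl; }
    }

    /** Audit check: true only if every ACL entry is a "sasl" entry for the expected identity. */
    static boolean lockedTo(List<ACL> acls, String principal) {
        if (acls == null || acls.isEmpty()) return false;
        for (ACL a : acls) {
            Id id = a.getId();
            if (!"sasl".equals(id.getScheme()) || !principal.equals(id.getId())) return false;
        }
        return true;
    }

    /** Client wiring for a Kerberos-enabled ensemble; the caller must call start() on the result. */
    static CuratorFramework secureClient(String connect, String jaasFile, String principal) {
        // JVM-wide setting: every ZooKeeper client in this process picks up the
        // JAAS "Client" login section from this file, which is why a server and
        // clients sharing one test JVM interfere with each other.
        System.setProperty("java.security.auth.login.config", jaasFile);
        return CuratorFrameworkFactory.builder()
                .connectString(connect)                       // e.g. "zk.example.com:2181" (placeholder)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(new SaslAclProvider(principal))
                .build();
    }

    public static void main(String[] args) {
        String principal = "oozie"; // assumed identity as the ZooKeeper server sees it
        List<ACL> mine = new SaslAclProvider(principal).getAclForPath("/example"); // constructed path
        System.out.println("sasl ACL locked down:  " + lockedTo(mine, principal));
        System.out.println("world:anyone rejected: " + !lockedTo(ZooDefs.Ids.OPEN_ACL_UNSAFE, principal));
    }
}
```

`main` runs offline against constructed ACL lists. On a cluster, `lockedTo` can be applied to the result of `client.getACL().forPath(path)` to confirm that a znode is not left with a `world:anyone` entry.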