[ 
https://issues.apache.org/jira/browse/STORM-617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375368#comment-14375368
 ] 

Sriharsha Chintalapani commented on STORM-617:
----------------------------------------------

[~dagit] [~revans2] I looked more into the issue; it doesn't look like adding 
another ACL would solve it. We use zookeeperAuthInfo, which adds the 
topology.owner payload as auth and then sets the ACLs on /transactional nodes as 
"sasl:storm" and also the digest. When the user kills a topology, we don't erase 
the /transactional data. After the user re-deploys the topology, even if it's 
the same user, the auth digest will change, which will cause an ACL exception 
to be thrown when trying to access the previous transactional data.

1) Add topology_name under /transactional. Currently it uses 
/transactional/spou1.
2) Delete /transactional/topology_name data if the user kills a topology.

Deleting the /transactional nodes is probably not a good option, since most 
users, if they are upgrading, will kill a topology, upgrade the storm cluster 
and re-deploy the topology. In this case deleting /transactional/topology_name 
data wouldn't allow them to recover from where they left off.



> In Storm secure mode re-deploying trident topology causes zookeeper ACL issue
> -----------------------------------------------------------------------------
>
>                 Key: STORM-617
>                 URL: https://issues.apache.org/jira/browse/STORM-617
>             Project: Apache Storm
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Sriharsha Chintalapani
>            Assignee: Sriharsha Chintalapani
>
> This issue is caused by this line 
> https://github.com/apache/storm/blob/master/storm-core/src/jvm/backtype/storm/transactional/state/TransactionalState.java#L67
> If the storm cluster nimbus is running with a kerberos principal named 
> "nimbus" and supervisors are running with principal "storm", Storm puts the 
> ACL on the trident spout using principal "nimbus", and this won't be able to 
> be accessed or modified by supervisors since they are logging into zookeeper 
> as user "storm".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
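
The ACL mismatch described in the comment and issue above, modeled as an added example (not Storm or ZooKeeper code, and not part of the original message). The digest id follows ZooKeeper's digest scheme, `user:base64(sha1("user:password"))`; the random payload format, the helper names and the simplified "any ACL entry matches any session identity" check are assumptions made for illustration.

```python
import base64
import hashlib
import secrets


def digest_id(id_password):
    """ZooKeeper 'digest' scheme id: user:base64(sha1("user:password"))."""
    user = id_password.split(":", 1)[0]
    sha = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha).decode("ascii")


def new_payload():
    # Assumption: constructed stand-in for the auth payload a topology
    # receives on each submission; it differs on every deploy.
    return "%d:%d" % (secrets.randbits(63), secrets.randbits(63))


def session_ids(payload, sasl_principal):
    """Identities a client session presents: its digest plus its SASL login."""
    return {("digest", digest_id(payload)), ("sasl", sasl_principal)}


def allowed(znode_acl, ids):
    """Simplified ACL check: access if any ACL entry equals a session identity."""
    return bool(znode_acl & ids)


def simulate_redeploy(acl_principal, session_principal):
    """Return (first_deploy_ok, redeploy_ok) for a /transactional znode.

    The ACL is written once at first deploy and survives the kill, because
    the /transactional data is not erased.
    """
    first = new_payload()
    znode_acl = {("sasl", acl_principal), ("digest", digest_id(first))}
    first_ok = allowed(znode_acl, session_ids(first, session_principal))

    second = new_payload()  # same user, new submission, new digest
    redeploy_ok = allowed(znode_acl, session_ids(second, session_principal))
    return first_ok, redeploy_ok


if __name__ == "__main__":
    # Principals from the issue description: ACL written as "nimbus",
    # sessions logging in to ZooKeeper as "storm".
    print("mismatched principals:", simulate_redeploy("nimbus", "storm"))
    print("matching principals:  ", simulate_redeploy("storm", "storm"))
```

With mismatched principals the first deploy succeeds only through the digest entry, so the re-deploy, which carries a new digest, is denied.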
