[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15543618#comment-15543618 ] Christopher Tubbs commented on ACCUMULO-4415: - Interesting. I was not even aware {{trace.zookeeper.path}} existed. That certainly helps. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs >Priority: Critical > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15542495#comment-15542495 ] Billie Rinaldi commented on ACCUMULO-4415: -- Why? Different Accumulo instances should be configured with different ZK nodes for tracers (trace.zookeeper.path). > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs >Priority: Critical > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537908#comment-15537908 ] Christopher Tubbs commented on ACCUMULO-4415: - Thanks. I'm not sure that's a critical use case, but I understand that we don't really need to restrict it either. I hadn't thought of it as a regression. Solving this issue properly should open up support for that use case. It's unfortunate this issue has been around for as long as it has, but was only recently discovered by the close scrutiny over a relatively obscure tool ({{ChangeSecret}}). > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs >Priority: Critical > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537799#comment-15537799 ] Sean Busbey commented on ACCUMULO-4415: --- I can't have a single zookeeper instance shared between two Accumulo instances that have different instance secrets. This is a pretty big regression starting in AFAICT 1.7. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs >Priority: Critical > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537265#comment-15537265 ] Christopher Tubbs commented on ACCUMULO-4415: - [~busbey], what's the justification for marking this "Critical"? It only has an impact on users when they use {{ChangeSecret}}, which is typically rare, and there is a documented workaround. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs >Priority: Critical > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510812#comment-15510812 ] Christopher Tubbs commented on ACCUMULO-4415: - I think we shouldn't try to fix this before 2.0... it's too complicated. Somebody can change the secret using the workaround above... or more simply do the following after using ChangeSecret: kill the tracer, delete /tracers, restart the tracer. For 2.0+, we can (maybe) provide a {{tracer.secret}}, which defaults to {{instance.secret}} (with a warning), and provide a new {{ChangeTracerSecret}} tool. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 2.0.0 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510790#comment-15510790 ] Christopher Tubbs commented on ACCUMULO-4415: - I'm not sure we can do anything about this right now. It's not really safe for ChangeSecret to change /tracers (because that could be in use by more than one cluster). Maybe we should just document it as a known issue until we decide where the tracer service is ultimately going to live. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510239#comment-15510239 ] Michael Miller commented on ACCUMULO-4415: -- I'd like to try and resolve this issue, since I helped bring it to light. Did you folks agree on a solution? I can't really decipher the outcome from the discussion... > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428429#comment-15428429 ] Christopher Tubbs commented on ACCUMULO-4415: - bq. o.O what would be comprised in this project? The SpanReceiver which can pull Accumulo Trace server locations from ZK and send the spans to it? This seems like an orthogonal discussion to the permissions on registration of Accumulo Trace Servers in ZK. I was thinking the SpanReceiver *AND* the Tracer server would be part of that project. The Tracer server is essentially an ingest client for Accumulo... that's why it has it's own username/password. It's not an "Accumulo server" in the same sense as Master/TServer/GC are, but it does mimic the service advertisement behavior of those. It wouldn't make much sense for the SpanReceiver to be separate, and the Tracer to stay with Accumulo. Because that would basically mean Accumulo is providing a separate receiving service for one particular kind of message from one particular kind of library... but not any others. It'd be like if mysql had a special service listening constantly for rsyslog messages, whether or not you had rsyslog configured to send logs to mysql. That doesn't make a lot of sense to me. bq. I think we should stick to figuring out whether or not Spans (comprised of a description, timeline annotations, and key-value annotations) might contain sensitive information, and thus, if we need to control the users which are allowed to register in {{/tracers}}. That's probably a good first step. The easiest immediate fix is to have ChangeSecret update this directory, too... but I'm concerned that sets us on a bad path. The next easiest is to make the SpanReceiver code authenticate to the tracer with a shared secret to prevent leakage. This secret (or another one) can also be used to protect the service advertisement area, to prevent DoS of the SpanReceiver. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428399#comment-15428399 ] Josh Elser commented on ACCUMULO-4415: -- bq. I wonder if it should just be its own project, independent of Accumulo, with independent configuration, to make it easier for other HTrace users to be able to use it as a sink. Maybe under htrace (htrace-accumulo), if that PMC will have it, or at the very least, a subproject of Accumulo with independent releases, and independent configuration. o.O what would be comprised in this project? The SpanReceiver which can pull Accumulo Trace server locations from ZK and send the spans to it? This seems like an orthogonal discussion to the permissions on registration of Accumulo Trace Servers in ZK. I think we should stick to figuring out whether or not Spans (comprised of a description, timeline annotations, and key-value annotations) might contain sensitive information, and thus, if we need to control the users which are allowed to register in {{/tracers}}. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428378#comment-15428378 ] Christopher Tubbs commented on ACCUMULO-4415: - It would be difficult to use it before Accumulo was initialized, and then later, it'd just be annoying for Hadoop to discover the (current) instance ID to use. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428345#comment-15428345 ] Josh Elser commented on ACCUMULO-4415: -- bq. Tracer registration used to be under the instance ID zk node, and it was moved so that HDFS could be configured to send traces to Accumulo's span receiver. What was the issue with it being beneath {{/accumulo/}}? Difficult to configure HDFS to use it before Accumulo was started (chicken and egg)? > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug > Components: trace >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427403#comment-15427403 ] Christopher Tubbs commented on ACCUMULO-4415: - I wonder if it should just be its own project, independent of Accumulo, with independent configuration, to make it easier for other HTrace users to be able to use it as a sink. Maybe under htrace (htrace-accumulo), if that PMC will have it, or at the very least, a subproject of Accumulo with independent releases, and independent configuration. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427399#comment-15427399 ] Billie Rinaldi commented on ACCUMULO-4415: -- Tracer registration used to be under the instance ID zk node, and it was moved so that HDFS could be configured to send traces to Accumulo's span receiver. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427360#comment-15427360 ] Christopher Tubbs commented on ACCUMULO-4415: - The tracer service is just an optional sink for trace. Other sinks are available. While I think this change would be more consistent with the other Accumulo services, I'm not sure I'd want an optional component, which is essentially behaving as an independent client, to be so tightly coupled with Accumulo's internal security mechanisms. That's my only reluctance. At this point, the tracer is really an Accumulo sink for HTrace, more so than it is an Accumulo component. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427312#comment-15427312 ] Josh Elser commented on ACCUMULO-4415: -- bq. It's arbitrary now. Users can provide anything. I don't believe we can safely make that assumption. And to be clear, it's not that I think we cannot do this, I just believe we need to inform users of this change if it is made and instructions on how to restore the previous functionality. Metrics ideally should not be sensitive, but we cannot know all possible cases. Given the security-minded-ness of Accumulo, I think this is important for us. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427308#comment-15427308 ] Josh Elser commented on ACCUMULO-4415: -- bq. . Don't think trace contains anything sensitive. It's arbitrary now. Users can provide anything. I don't believe we can safely make that assumption. bq. If we really want to lock this down, we should deprecate the trace user, and treat it like a proper Accumulo service, using the system credentials, and moving the /tracer registration into /accumulo//. I would *ecstatically* in favor of this. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427305#comment-15427305 ] Christopher Tubbs commented on ACCUMULO-4415: - Yes, like you said above, metrics could be "stolen" if another tracer registers itself there, but I'm not sure that matters. Don't think trace contains anything sensitive. If we really want to lock this down, we should deprecate the trace user, and treat it like a proper Accumulo service, using the system credentials, and moving the /tracer registration into {{/accumulo//}}. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > Fix For: 1.8.1 > > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427300#comment-15427300 ] Josh Elser commented on ACCUMULO-4415: -- bq. I'm not really sure why we protect /tracers at all. AFAIK, it's just use for tracer service registration. bq. There may be sensitive data in the tags for the metrics element, no? > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427297#comment-15427297 ] Christopher Tubbs commented on ACCUMULO-4415: - I was able to work around this problem by manually changing the ACL in the zkCli.sh using: {code} addauth digest accumulo:OLD_INSTANCE_SECRET setAcl /tracers world:anyone:r,digest:accumulo:INSTANCE_SECRET_HASH:cdrwa {code} The {{INSTANCE_SECRET_HASH}} was generated using the following in bash (not the zk shell): {code} base64 < <(openssl dgst -sha1 -binary <(echo -n accumulo:instanceSecret)) {code} Probably could have also gotten away with: {{setAcl /tracers world:anyone:cdrwa}}, but I didn't try. I'm not really sure why we protect {{/tracers}} at all. AFAIK, it's just use for tracer service registration. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427282#comment-15427282 ] Christopher Tubbs commented on ACCUMULO-4415: - Found while testing ACCUMULO-2971, but this problem exists regardless of that issue. > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427285#comment-15427285 ] Josh Elser commented on ACCUMULO-4415: -- bq. The tracer does not use the Accumulo system credentials, and instead uses a specific tracer username and password. It should also not use the instance.secret (which is for the system credentials). Right now, our API would send data to any tracer registered in ZK. If we remove the ACL on the tracers node, doesn't that mean I could start a tracer and start "stealing" metrics? Assuming I understand this correctly, is this a concern? There may be sensitive data in the tags for the metrics element, no? > Tracer requires instance.secret > --- > > Key: ACCUMULO-4415 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4415 > Project: Accumulo > Issue Type: Bug >Reporter: Christopher Tubbs > > Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper. > The tracer does not use the Accumulo system credentials, and instead uses a > specific tracer username and password. It should also not use the > instance.secret (which is for the system credentials). > A side effect of this bug is that ChangeSecret does not update the /tracers > ACLs in ZooKeeper, preventing the tracer from working entirely after the > instance.secret is changed. > The following error will be seen in the monitor after the ChangeSecret tool > is run. > {code} > Thread 'tracer' died. > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = > NoAuth for /tracers/trace- > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > at > org.apache.zookeeper.KeeperException.create(KeeperException.java:51) > at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) > at > org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464) > at > org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99) > at > org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318) > at > org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255) > at > org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360) > at > org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33) > at org.apache.accumulo.start.Main$1.run(Main.java:120) > at java.lang.Thread.run(Thread.java:745) > {code} > This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't > checked earlier versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)