[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15543618#comment-15543618
]
Christopher Tubbs commented on ACCUMULO-4415:
-
Interesting. I was not even aware {{trace.zookeeper.path}} existed. That
certainly helps.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
>Priority: Critical
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15542495#comment-15542495
]
Billie Rinaldi commented on ACCUMULO-4415:
--
Why? Different Accumulo instances should be configured with different ZK nodes
for tracers (trace.zookeeper.path).
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
>Priority: Critical
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537908#comment-15537908
]
Christopher Tubbs commented on ACCUMULO-4415:
-
Thanks. I'm not sure that's a critical use case, but I understand that we don't
really need to restrict it either. I hadn't thought of it as a regression.
Solving this issue properly should open up support for that use case. It's
unfortunate this issue has been around for as long as it has, but was only
recently discovered by the close scrutiny over a relatively obscure tool
({{ChangeSecret}}).
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
>Priority: Critical
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537799#comment-15537799
]
Sean Busbey commented on ACCUMULO-4415:
---
I can't have a single zookeeper instance shared between two Accumulo instances
that have different instance secrets. This is a pretty big regression starting
in AFAICT 1.7.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
>Priority: Critical
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15537265#comment-15537265
]
Christopher Tubbs commented on ACCUMULO-4415:
-
[~busbey], what's the justification for marking this "Critical"? It only has an
impact on users when they use {{ChangeSecret}}, which is typically rare, and
there is a documented workaround.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
>Priority: Critical
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510812#comment-15510812
]
Christopher Tubbs commented on ACCUMULO-4415:
-
I think we shouldn't try to fix this before 2.0... it's too complicated.
Somebody can change the secret using the workaround above... or more simply do
the following after using ChangeSecret: kill the tracer, delete /tracers,
restart the tracer.
For 2.0+, we can (maybe) provide a {{tracer.secret}}, which defaults to
{{instance.secret}} (with a warning), and provide a new {{ChangeTracerSecret}}
tool.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 2.0.0
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510790#comment-15510790
]
Christopher Tubbs commented on ACCUMULO-4415:
-
I'm not sure we can do anything about this right now. It's not really safe for
ChangeSecret to change /tracers (because that could be in use by more than one
cluster). Maybe we should just document it as a known issue until we decide
where the tracer service is ultimately going to live.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510239#comment-15510239
]
Michael Miller commented on ACCUMULO-4415:
--
I'd like to try and resolve this issue, since I helped bring it to light. Did
you folks agree on a solution? I can't really decipher the outcome from the
discussion...
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428429#comment-15428429
]
Christopher Tubbs commented on ACCUMULO-4415:
-
bq. o.O what would be comprised in this project? The SpanReceiver which can
pull Accumulo Trace server locations from ZK and send the spans to it? This
seems like an orthogonal discussion to the permissions on registration of
Accumulo Trace Servers in ZK.
I was thinking the SpanReceiver *AND* the Tracer server would be part of that
project. The Tracer server is essentially an ingest client for Accumulo...
that's why it has it's own username/password. It's not an "Accumulo server" in
the same sense as Master/TServer/GC are, but it does mimic the service
advertisement behavior of those.
It wouldn't make much sense for the SpanReceiver to be separate, and the Tracer
to stay with Accumulo. Because that would basically mean Accumulo is providing
a separate receiving service for one particular kind of message from one
particular kind of library... but not any others. It'd be like if mysql had a
special service listening constantly for rsyslog messages, whether or not you
had rsyslog configured to send logs to mysql. That doesn't make a lot of sense
to me.
bq. I think we should stick to figuring out whether or not Spans (comprised of
a description, timeline annotations, and key-value annotations) might contain
sensitive information, and thus, if we need to control the users which are
allowed to register in {{/tracers}}.
That's probably a good first step. The easiest immediate fix is to have
ChangeSecret update this directory, too... but I'm concerned that sets us on a
bad path. The next easiest is to make the SpanReceiver code authenticate to the
tracer with a shared secret to prevent leakage. This secret (or another one)
can also be used to protect the service advertisement area, to prevent DoS of
the SpanReceiver.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428399#comment-15428399
]
Josh Elser commented on ACCUMULO-4415:
--
bq. I wonder if it should just be its own project, independent of Accumulo,
with independent configuration, to make it easier for other HTrace users to be
able to use it as a sink. Maybe under htrace (htrace-accumulo), if that PMC
will have it, or at the very least, a subproject of Accumulo with independent
releases, and independent configuration.
o.O what would be comprised in this project? The SpanReceiver which can pull
Accumulo Trace server locations from ZK and send the spans to it? This seems
like an orthogonal discussion to the permissions on registration of Accumulo
Trace Servers in ZK.
I think we should stick to figuring out whether or not Spans (comprised of a
description, timeline annotations, and key-value annotations) might contain
sensitive information, and thus, if we need to control the users which are
allowed to register in {{/tracers}}.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428378#comment-15428378
]
Christopher Tubbs commented on ACCUMULO-4415:
-
It would be difficult to use it before Accumulo was initialized, and then
later, it'd just be annoying for Hadoop to discover the (current) instance ID
to use.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15428345#comment-15428345
]
Josh Elser commented on ACCUMULO-4415:
--
bq. Tracer registration used to be under the instance ID zk node, and it was
moved so that HDFS could be configured to send traces to Accumulo's span
receiver.
What was the issue with it being beneath {{/accumulo/}}? Difficult
to configure HDFS to use it before Accumulo was started (chicken and egg)?
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
> Components: trace
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427403#comment-15427403
]
Christopher Tubbs commented on ACCUMULO-4415:
-
I wonder if it should just be its own project, independent of Accumulo, with
independent configuration, to make it easier for other HTrace users to be able
to use it as a sink. Maybe under htrace (htrace-accumulo), if that PMC will
have it, or at the very least, a subproject of Accumulo with independent
releases, and independent configuration.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427399#comment-15427399
]
Billie Rinaldi commented on ACCUMULO-4415:
--
Tracer registration used to be under the instance ID zk node, and it was moved
so that HDFS could be configured to send traces to Accumulo's span receiver.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427360#comment-15427360
]
Christopher Tubbs commented on ACCUMULO-4415:
-
The tracer service is just an optional sink for trace. Other sinks are
available. While I think this change would be more consistent with the other
Accumulo services, I'm not sure I'd want an optional component, which is
essentially behaving as an independent client, to be so tightly coupled with
Accumulo's internal security mechanisms.
That's my only reluctance. At this point, the tracer is really an Accumulo sink
for HTrace, more so than it is an Accumulo component.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427312#comment-15427312
]
Josh Elser commented on ACCUMULO-4415:
--
bq. It's arbitrary now. Users can provide anything. I don't believe we can
safely make that assumption.
And to be clear, it's not that I think we cannot do this, I just believe we
need to inform users of this change if it is made and instructions on how to
restore the previous functionality. Metrics ideally should not be sensitive,
but we cannot know all possible cases. Given the security-minded-ness of
Accumulo, I think this is important for us.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427308#comment-15427308
]
Josh Elser commented on ACCUMULO-4415:
--
bq. . Don't think trace contains anything sensitive.
It's arbitrary now. Users can provide anything. I don't believe we can safely
make that assumption.
bq. If we really want to lock this down, we should deprecate the trace user,
and treat it like a proper Accumulo service, using the system credentials, and
moving the /tracer registration into /accumulo//.
I would *ecstatically* in favor of this.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427305#comment-15427305
]
Christopher Tubbs commented on ACCUMULO-4415:
-
Yes, like you said above, metrics could be "stolen" if another tracer registers
itself there, but I'm not sure that matters. Don't think trace contains
anything sensitive.
If we really want to lock this down, we should deprecate the trace user, and
treat it like a proper Accumulo service, using the system credentials, and
moving the /tracer registration into {{/accumulo//}}.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
> Fix For: 1.8.1
>
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427300#comment-15427300
]
Josh Elser commented on ACCUMULO-4415:
--
bq. I'm not really sure why we protect /tracers at all. AFAIK, it's just use
for tracer service registration.
bq. There may be sensitive data in the tags for the metrics element, no?
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427297#comment-15427297
]
Christopher Tubbs commented on ACCUMULO-4415:
-
I was able to work around this problem by manually changing the ACL in the
zkCli.sh using:
{code}
addauth digest accumulo:OLD_INSTANCE_SECRET
setAcl /tracers world:anyone:r,digest:accumulo:INSTANCE_SECRET_HASH:cdrwa
{code}
The {{INSTANCE_SECRET_HASH}} was generated using the following in bash (not the
zk shell):
{code}
base64 < <(openssl dgst -sha1 -binary <(echo -n accumulo:instanceSecret))
{code}
Probably could have also gotten away with: {{setAcl /tracers
world:anyone:cdrwa}}, but I didn't try. I'm not really sure why we protect
{{/tracers}} at all. AFAIK, it's just use for tracer service registration.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427282#comment-15427282
]
Christopher Tubbs commented on ACCUMULO-4415:
-
Found while testing ACCUMULO-2971, but this problem exists regardless of that
issue.
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret
[
https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427285#comment-15427285
]
Josh Elser commented on ACCUMULO-4415:
--
bq. The tracer does not use the Accumulo system credentials, and instead uses a
specific tracer username and password. It should also not use the
instance.secret (which is for the system credentials).
Right now, our API would send data to any tracer registered in ZK. If we remove
the ACL on the tracers node, doesn't that mean I could start a tracer and start
"stealing" metrics? Assuming I understand this correctly, is this a concern?
There may be sensitive data in the tags for the metrics element, no?
> Tracer requires instance.secret
> ---
>
> Key: ACCUMULO-4415
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
> Project: Accumulo
> Issue Type: Bug
>Reporter: Christopher Tubbs
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a
> specific tracer username and password. It should also not use the
> instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers
> ACLs in ZooKeeper, preventing the tracer from working entirely after the
> instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool
> is run.
> {code}
> Thread 'tracer' died.
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /tracers/trace-
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at
> org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at
> org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> at
> org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> at
> org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> at
> org.apache.accumulo.tracer.TraceServer.(TraceServer.java:255)
> at
> org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> at
> org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> at org.apache.accumulo.start.Main$1.run(Main.java:120)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't
> checked earlier versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
