Return-Path: X-Original-To: apmail-accumulo-dev-archive@www.apache.org Delivered-To: apmail-accumulo-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5D43B17AF9 for ; Wed, 14 Jan 2015 19:58:08 +0000 (UTC) Received: (qmail 56563 invoked by uid 500); 14 Jan 2015 19:58:10 -0000 Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org Received: (qmail 56522 invoked by uid 500); 14 Jan 2015 19:58:10 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 56503 invoked by uid 99); 14 Jan 2015 19:58:09 -0000 Received: from reviews-vm.apache.org (HELO reviews.apache.org) (140.211.11.40) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 14 Jan 2015 19:58:09 +0000 Received: from reviews.apache.org (localhost [127.0.0.1]) by reviews.apache.org (Postfix) with ESMTP id 718141D3B42; Wed, 14 Jan 2015 19:58:06 +0000 (UTC) Content-Type: multipart/alternative; boundary="===============1401917831542933987==" MIME-Version: 1.0 Subject: Re: Review Request 29386: ACCUMULO-2815 Client authentication via Kerberos From: "Josh Elser" To: "Christopher Tubbs" , "accumulo" , "Josh Elser" Date: Wed, 14 Jan 2015 19:58:06 -0000 Message-ID: <20150114195806.23997.14496@reviews.apache.org> X-ReviewBoard-URL: https://reviews.apache.org Auto-Submitted: auto-generated Sender: "Josh Elser" X-ReviewGroup: accumulo X-ReviewRequest-URL: https://reviews.apache.org/r/29386/ X-Sender: "Josh Elser" References: <20150114020226.23997.24040@reviews.apache.org> In-Reply-To: <20150114020226.23997.24040@reviews.apache.org> Reply-To: "Josh Elser" X-ReviewRequest-Repository: accumulo --===============1401917831542933987== MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit > On Jan. 14, 2015, 2:02 a.m., Christopher Tubbs wrote: > > pom.xml, lines 1324-1337 > > > > > > If we're dropping Hadoop 1 support, that should be done in a separate commit. > > Josh Elser wrote: > Crap. I forgot I did this. MiniKDC only shows up in Hadoop 2.3. Do you remember if this already on the plate for 1.7? > > Josh Elser wrote: > We did get lazy consensus on droppping Hadoop 1 http://mail-archives.apache.org/mod_mbox/accumulo-dev/201411.mbox/%3C54694DB3.5000803%40gmail.com%3E > > Christopher Tubbs wrote: > Yeah, I just didn't expect to see it here, unless there was some reason why it was needed (like it was required to implement to the feature, which doesn't appear to be the case, although it is required for easily testing the feature). - Also, noticed you made ACCUMULO-3479 to drop Hadoop 1 support. > > I'm still concerned about 2.2.x support, though, if there is any impact on that. Yes, it's only for testing purposes and should not affect the use of Hadoop-2.2.0. > On Jan. 14, 2015, 2:02 a.m., Christopher Tubbs wrote: > > pom.xml, line 125 > > > > > > Why bump this? Do we want 2.3.0 to be the default build? Are we dropping support for 2.2.x and require 2.3.0 and later? > > Josh Elser wrote: > MiniKDC only shows up in Hadoop 2.3. > > Christopher Tubbs wrote: > Okay, so we need minikdc for testing, but will this impact our support for other 2.2.x at all? No, it should not impact 2.2.x support at all. > On Jan. 14, 2015, 2:02 a.m., Christopher Tubbs wrote: > > test/src/test/java/org/apache/accumulo/server/security/SystemCredentialsIT.java, lines 185-191 > > > > > > I think my previous comment about coverage here still holds. This still results in failure, but for a different reason than what was originally being tested for. > > > > It now fails because there's no user with a password "fake". Before, it was testing that a failure would occur if instance.* configuration details were different. That case is now absent. > > Josh Elser wrote: > I believe you're mistaken. The original two cases being tested by this class are still present and performing the exact same assertion as previously. This case that you're highlighting is a new assertion that was added to the class. > > I must not be seeing something if you still think there is something wrong because I did (try to) address this issue already (as you remember). > > Christopher Tubbs wrote: > Okay, I see. You are correct. I misinterpreted the context around the change and was looking at the wrong section. > > I do see that it switched from using the SiteConfiguration, and now uses the DefaultConfiguration instead to generate the system token, in the "bad" case. It's similar enough, but the case we were testing before was when the instanceID was different. Now, it can fail if the config is different also... which is probably a good test case to cover (if not covered elsewhere), but it's not the case being tested before. Oh, that's true. Do you know off the top of your head if passing in SiteConfiguration will actually work in this context? Do I need to do more to actually get the accumulo-site.xml from the minicluster's directory? - Josh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/29386/#review67955 ----------------------------------------------------------- On Jan. 9, 2015, 10:29 p.m., Josh Elser wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/29386/ > ----------------------------------------------------------- > > (Updated Jan. 9, 2015, 10:29 p.m.) > > > Review request for accumulo. > > > Bugs: ACCUMULO-2815 > https://issues.apache.org/jira/browse/ACCUMULO-2815 > > > Repository: accumulo > > > Description > ------- > > ACCUMULO-2815 Initial support for Kerberos client authentication. > > Leverage SASL transport provided by Thrift which can speak GSSAPI, which Kerberos implements. Introduced... > > * An Accumulo KerberosToken which is an AuthenticationToken to validate users. > * Custom thrift processor and invocation handler to ensure server RPCs have a valid KRB identity and Accumulo authentication. > * A KerberosAuthenticator which extends ZKAuthenticator to support Kerberos identities seamlessly. > * New ClientConf variables to use SASL transport and pass Kerberos server principal > * Updated ClientOpts and Shell opts to transparently use a KerberosToken when SASL is enabled (no extra client work). > > I believe this is the "bare minimum" for Kerberos support. They are also grossly lacking in unit and integration tests. I believe that I might have somehow broken the client address string in the server (I saw log messages with client: null, but I'm not sure if it's due to these changes or not). A necessary limitation in the Thrift server used is that, like the SSL transport, the SASL transport cannot presently be used with the TFramedTransport, which means none of the [half]async thrift servers will function with this -- we're stuck with the TThreadPoolServer. > > Performed some contrived benchmarks on my laptop (while still using it myself) to get at big-picture view of the performance impact against "normal" operation and Kerberos alone. Each "run" was the duration to ingest 100M records using continuous-ingest, timed with `time`, using 'real'. > > THsHaServer (our default), 6 runs: > > Avg: 10m7.273s (607.273s) > Min: 9m43.395s > Max: 10m52.715s > > TThreadPoolServer (no SASL), 5 runs: > > Avg: 11m16.254s (676.254s) > Min: 10m30.987s > Max: 12m24.192s > > TThreadPoolServer+SASL/GSSAPI (these changes), 6 runs: > > Avg: 13m17.187s (797.187s) > Min: 10m52.997s > Max: 16m0.975s > > The general takeway is that there's about 15% performance degredation in its initial state which is in the realm of what I expected (~10%). > > > Diffs > ----- > > README ad6f2bf > core/src/main/java/org/apache/accumulo/core/cli/ClientOpts.java eb020eb > core/src/main/java/org/apache/accumulo/core/client/ClientConfiguration.java df53645 > core/src/main/java/org/apache/accumulo/core/client/impl/ClientContext.java e75bec6 > core/src/main/java/org/apache/accumulo/core/client/impl/ConnectorImpl.java f481cc3 > core/src/main/java/org/apache/accumulo/core/client/impl/MasterClient.java fcbf9f9 > core/src/main/java/org/apache/accumulo/core/client/impl/ThriftTransportKey.java 6dc846f > core/src/main/java/org/apache/accumulo/core/client/impl/ThriftTransportPool.java 5da803b > core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java PRE-CREATION > core/src/main/java/org/apache/accumulo/core/conf/Property.java ce5de85 > core/src/main/java/org/apache/accumulo/core/rpc/FilterTransport.java PRE-CREATION > core/src/main/java/org/apache/accumulo/core/rpc/SaslConnectionParams.java PRE-CREATION > core/src/main/java/org/apache/accumulo/core/rpc/ThriftUtil.java 09bd6c4 > core/src/main/java/org/apache/accumulo/core/rpc/UGIAssumingTransport.java PRE-CREATION > core/src/main/java/org/apache/accumulo/core/rpc/UGIAssumingTransportFactory.java PRE-CREATION > core/src/test/java/org/apache/accumulo/core/cli/TestClientOpts.java ff49bc0 > core/src/test/java/org/apache/accumulo/core/client/ClientConfigurationTest.java PRE-CREATION > core/src/test/java/org/apache/accumulo/core/client/impl/ThriftTransportKeyTest.java PRE-CREATION > core/src/test/java/org/apache/accumulo/core/conf/ClientConfigurationTest.java 40be70f > core/src/test/java/org/apache/accumulo/core/rpc/SaslConnectionParamsTest.java PRE-CREATION > docs/src/main/asciidoc/accumulo_user_manual.asciidoc ec8e538 > docs/src/main/asciidoc/chapters/clients.txt 64f0e55 > docs/src/main/asciidoc/chapters/kerberos.txt PRE-CREATION > minicluster/src/main/java/org/apache/accumulo/minicluster/impl/MiniAccumuloClusterImpl.java 27d6b19 > minicluster/src/main/java/org/apache/accumulo/minicluster/impl/MiniAccumuloConfigImpl.java 26c23ed > pom.xml 203acdc > proxy/src/main/java/org/apache/accumulo/proxy/Proxy.java 7eb4fbf > server/base/src/main/java/org/apache/accumulo/server/AccumuloServerContext.java 09ae4f4 > server/base/src/main/java/org/apache/accumulo/server/init/Initialize.java ed2189d > server/base/src/main/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandler.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingWrapper.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/rpc/TServerUtils.java 641c0bf > server/base/src/main/java/org/apache/accumulo/server/rpc/ThriftServerType.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java 5fe57b7 > server/base/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java 42d1313 > server/base/src/main/java/org/apache/accumulo/server/security/SystemCredentials.java 79201b1 > server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthorizor.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosPermissionHandler.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/thrift/UGIAssumingProcessor.java PRE-CREATION > server/base/src/main/java/org/apache/accumulo/server/util/Admin.java 7d247f7 > server/base/src/main/java/org/apache/accumulo/server/util/ZooZap.java ef182f1 > server/base/src/test/java/org/apache/accumulo/server/AccumuloServerContextTest.java PRE-CREATION > server/base/src/test/java/org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandlerTest.java PRE-CREATION > server/base/src/test/java/org/apache/accumulo/server/rpc/ThriftServerTypeTest.java PRE-CREATION > server/base/src/test/java/org/apache/accumulo/server/security/SystemCredentialsTest.java 01ff9ac > server/gc/src/main/java/org/apache/accumulo/gc/SimpleGarbageCollector.java db37c8b > server/gc/src/test/java/org/apache/accumulo/gc/GarbageCollectWriteAheadLogsTest.java f98721f > server/gc/src/test/java/org/apache/accumulo/gc/SimpleGarbageCollectorTest.java 99558b8 > server/gc/src/test/java/org/apache/accumulo/gc/replication/CloseWriteAheadLogReferencesTest.java cad1e01 > server/master/src/main/java/org/apache/accumulo/master/Master.java 12195fa > server/monitor/src/main/java/org/apache/accumulo/monitor/servlets/trace/Basic.java 2d98fed > server/tracer/src/main/java/org/apache/accumulo/tracer/TraceServer.java 3063cdc > server/tserver/src/main/java/org/apache/accumulo/tserver/TabletServer.java 2bfa5a0 > shell/src/main/java/org/apache/accumulo/shell/Shell.java 9697a85 > shell/src/main/java/org/apache/accumulo/shell/ShellOptionsJC.java 875367d > shell/src/test/java/org/apache/accumulo/shell/ShellOptionsJCTest.java PRE-CREATION > test/pom.xml b0a926f > test/src/main/java/org/apache/accumulo/test/functional/ZombieTServer.java 3bb44ff > test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java 0afa243 > test/src/test/java/org/apache/accumulo/harness/AccumuloClusterIT.java 8f7e1b7 > test/src/test/java/org/apache/accumulo/harness/MiniClusterHarness.java abdb627 > test/src/test/java/org/apache/accumulo/harness/SharedMiniClusterIT.java 2380f66 > test/src/test/java/org/apache/accumulo/harness/TestingKdc.java PRE-CREATION > test/src/test/java/org/apache/accumulo/harness/conf/AccumuloMiniClusterConfiguration.java 11b7530 > test/src/test/java/org/apache/accumulo/server/security/SystemCredentialsIT.java abbe5e6 > test/src/test/java/org/apache/accumulo/test/ArbitraryTablePropertiesIT.java aa5c164 > test/src/test/java/org/apache/accumulo/test/CleanWalIT.java 1fcd5a4 > test/src/test/java/org/apache/accumulo/test/functional/BatchScanSplitIT.java 221889b > test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java PRE-CREATION > test/src/test/java/org/apache/accumulo/test/security/KerberosTokenTest.java PRE-CREATION > test/src/test/resources/log4j.properties cb35840 > > Diff: https://reviews.apache.org/r/29386/diff/ > > > Testing > ------- > > Ensure existing unit tests still function. Accumulo is functional and ran continuous ingest multiple times using a client with only a Kerberos identity (no user/password provided). Used MIT Kerberos with Apache Hadoop 2.6.0 and Apache ZooKeeper 3.4.5. > > > Thanks, > > Josh Elser > > --===============1401917831542933987==--