lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Miller (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-6915) SaslZkACLProvider and Kerberos Test Using MiniKdc
Date Tue, 13 Jan 2015 15:29:35 GMT

    [ https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275378#comment-14275378
] 

Mark Miller commented on SOLR-6915:
-----------------------------------

On my jenkins machine, I'm seeing it pretty consistently on 5x but not at all on trunk.

> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
>                 Key: SOLR-6915
>                 URL: https://issues.apache.org/jira/browse/SOLR-6915
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrCloud
>            Reporter: Gregory Chanan
>            Assignee: Gregory Chanan
>             Fix For: 5.0, Trunk
>
>         Attachments: SOLR-6915.patch, SOLR-6915.patch
>
>
> We should provide a ZkACLProvider that requires SASL authentication.  This provider will
be useful for administration in a kerberos environment.   In such an environment, the administrator
wants solr to authenticate to zookeeper using SASL, since this is only way to authenticate
with zookeeper via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a scenario where
solr owns (is the only writer of) the non-config znodes, but some set of trusted users are
allowed to modify the configs.  It's hard to predict all the possibilities here, but one model
that seems generally useful is to have a model where solr itself owns all the znodes and all
actions that require changing the znodes are routed to Solr APIs.  That seems simple and reasonable
as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really have any infrastructure
for testing kerberos integration in unit tests.  Internally, I've been testing using kerberos-enabled
VM clusters, but this isn't great since we won't notice any breakages until someone actually
spins up a VM.  So part of this JIRA is to provide some infrastructure for testing kerberos
at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message