-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for kerberized solr instance (#1138) #1230
Conversation
Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR.
My main question is that if HBase (which uses Zookeeper) is Kerberized, how is the configuration going to affect HBase's access to Zookeeper. Can the keytab files or jaas files be shared to access the same Zookeeper, or will there be any conflicts?
BackgroundHBase will use the typical hadoop configuration files to configure itself. For example the files founds in Both Zookeeper and SOLR gets its kerberos configuration from flags set when the corresponding service processes are started. Each of these aforementioned services will have their own JAAS configuration files. In each of those files will be various JAAS configuration elements, some for the server processes of that service and potentially some for the client processes. Sometimes the client/server portions are split out into unique jass configuration files. Keytabs aren't typically shared between the services. Each service will have a unique principal, sometimes multiple and the keytab is a stored credential(s) for a specific principal(s). Janus on Kerberized HadoopWhen working with Janus in a Hadoop environment, lets say using HBase as the storage backend and SOLR as the indexing back end there are two main things that need to happen for Janus to work properly:
Your QuestionEven if SOLR and HBase share the same Zookeeper there should be no conflicts with using them together with Janus. As a user I can authenticate as a single principal by using a Keytab or TGT and then start using Janus which will in turn interact with HBase, Solr, Zookeeper, etc. Sorry for the long winded answer but I thought the background and context would be helpful. Please let me know if you have any other questions or concerns. Related Readinghttps://lucene.apache.org/solr/guide/7_2/kerberos-authentication-plugin.html |
Thanks for the very good explanation! |
I will answer your question in two parts.
Further Notes: The JAAS configuration file I have included in my PR is just for testing purposes and used for the unit tests and isn't shipped with the product. This PR expects the end user to add additional configuration in the |
Any more feedback @jerryjch? |
@blindenvy I will get back to it. Sorry about the delay, |
@blindenvy I think it would be worthwhile to add some pointers in the Solr docs to some of the Kerberos resources you mentioned in the discussion above. Although we don't need to completely duplicate those docs, making it easier for other JanusGraph users to find them would be helpful, especially with respect to the HBase, ZooKeeper, and Solr interplay. I'd suggest that you add the docs to the solr.adoc file. |
|
||
public static final ConfigOption<Boolean> KERBEROS_ENABLED = new ConfigOption<Boolean>(SOLR_NS,"kerberos-enabled", | ||
"Whether SOLR instance is Kerberized or not.", | ||
ConfigOption.Type.GLOBAL_OFFLINE, false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how valuable this parameter is if it's configured as GLOBAL_OFFLINE
. Do users typically toggle Kerberos on and off? If not, it seems like you could just use KERBEROS_CONFIG
as the only config parameter for whether to use Kerberos or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do users typically toggle Kerberos on and off?
No I would say that is not a typical use case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it makes sense to support changing the KERBEROS_ENABLED
setting per connection (for example, if Solr or HBase support it also), then you should declare it as ConfigOption.Type.MASKABLE
rather than ConfigOption.Type.GLOBAL_OFFLINE
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussion I will make the change to MASKABLE
.
Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com>
Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. @blindenvy thanks for working on this.
@blindenvy I am still a little worried about setting the java.security.auth.login.config property for the whole JVM programmably for Solr only that may overwrite setting that may come from other places (e.g in the java command line from gremlin server) and/or for other clients. |
HBase secure config with Zookeeper is here. |
…get jaas config. Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com>
@jerryjch @pluradj I agree with both your assessments. There is some concern with overriding a prior set configuration, also its typical for jaas config to be set via command line through jvm options instead of programatically. Thus, I have removed the jaas config option from janusgraph properties. Instead This will require that end users add this JVM option when invoking janus graph when a kerberized solr instance is in play. For instance to run gremlin.sh you would need to do:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach of setting the property from the command line looks good.
…h#1230) * JanusGraph#1138. Add support for kerberized solr instance. Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com> * Exclude kerberos tests from integration tests. * Include documentation for kerberos with solr. Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com> * Change properties to be MASKABLE instead of GLOBAL_OFFLINE. Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com> * Remove janus solr jaas config option. Instead use system property to get jaas config. Signed-off-by: Christopher Jackson <chris.jackson@us.ibm.com>
…h#1230) * JanusGraph#1138. Add support for kerberized solr instance. * Exclude kerberos tests from integration tests. * Include documentation for kerberos with solr. * Change properties to be MASKABLE instead of GLOBAL_OFFLINE. * Remove janus solr jaas config option. Instead use system property to get jaas config.
Fixes issue #1138.
Signed-off-by: Christopher Jackson chris.jackson@us.ibm.com
Thank you for contributing to JanusGraph!
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
master
)?For code changes:
For documentation related changes:
[skip ci]
tag to the first line of your commit message to avoid spending CPU cycles in
Travis CI when no code, tests, or build configuration are modified?
Note:
Please ensure that once the PR is submitted, you check Travis CI for build issues and submit an update to your PR as soon as possible.