acl for zookeeper is added #2258
Conversation
| @@ -40,6 +40,7 @@ We recommend just setting the base ZK path and the ZK service host, but all ZK p | |||
| |--------|-----------|-------| | |||
| |`druid.zk.service.sessionTimeoutMs`|ZooKeeper session timeout, in milliseconds.|`30000`| | |||
| |`druid.zk.service.compress`|Boolean flag for whether or not created Znodes should be compressed.|`true`| | |||
| |`druid.zk.service.acl`|Boolean flag for whether or not to enable ACL security for ZooKeeper.|`false`| | |||
There was a problem hiding this comment.
can we specify in the documentation what permissions are set for zNodes when acl is enabled?
|
@drcrallen @xvrl addressed comments |
| return enableAcl; | ||
| } | ||
|
|
||
| public void setEnableAcl(Boolean enableAcl) |
There was a problem hiding this comment.
@drcrallen if someone typos a config, you want an error thrown versus a default value set
There was a problem hiding this comment.
allright that's reasonable. Can it be Preconditions.notNull(enableAcl, "enableAcl") then?
There was a problem hiding this comment.
also a unit test to verify the behavior would be awesome. (but IMHO not required)
|
We have a |
|
@drcrallen there is a typo for the CLA |
|
the 'M' is the person |
| @@ -66,4 +69,14 @@ public void setEnableCompression(Boolean enableCompression) | |||
| { | |||
| this.enableCompression = enableCompression; | |||
| } | |||
|
|
|||
| public boolean isEnableAcl() | |||
There was a problem hiding this comment.
@drcrallen i can't seem to change this to isEnableAcl() without unit tests failing
|
@fjy thank you for your help. As for "We have a M but not an N in the individual CLA forms." : in our country we have two forms of my name: Mikita and Nikita. If it's a blocker, tell me how to fix it. |
|
@genevien Sorry for the inconvenience, I have your gmail on file with your git user name with an 'M', but I need an entry whose email and name matches the one in the commit ('N' at the pleeco address). The easiest way to remedy this would be to submit another CLA http://druid.io/community/cla.html with a name and email that match the commit information at bae2463 ('N' at pleeco). Thank you for your help in the matter and sorry for the confusion. |
|
@drcrallen Ok, I got it. I've submitted it. Could you have a look, is it ok now? |
|
@genevien Awesome thanks! Looks good |
| @@ -40,6 +40,7 @@ We recommend just setting the base ZK path and the ZK service host, but all ZK p | |||
| |--------|-----------|-------| | |||
| |`druid.zk.service.sessionTimeoutMs`|ZooKeeper session timeout, in milliseconds.|`30000`| | |||
| |`druid.zk.service.compress`|Boolean flag for whether or not created Znodes should be compressed.|`true`| | |||
| |`druid.zk.service.acl`|Boolean flag for whether or not to enable ACL security for ZooKeeper. If ACL is enabled, zNode creators will have all permissions.|`false`| | |||
There was a problem hiding this comment.
Is it possible this might break indexing service? The overlord currently has to delete nodes created by peons. Is that still possible if only the node creator has permissions to those nodes?
There was a problem hiding this comment.
Not sure. @genevien do you know?
There was a problem hiding this comment.
@genevien This config will go in the common runtime properties file so it should be applied to every node in Druid. Do you know if Druid servers on different IPs creating Znodes will cause any issues?
There was a problem hiding this comment.
@fjy in our environment we have separate properties files for each node, that's why I've mentioned it. Could you give more details for the situation you are asking about?
There was a problem hiding this comment.
@genevien ah, usually we recommend having a common.runtime.properties file that holds the configuration that is common to the cluster (ZK IP, metastore location, deep storage location, etc). This common configuration file is copied and included in the classpath of every node. This new ACL config should be a part of the common configuration. It should like though, with proper configuration, things will work.
There was a problem hiding this comment.
@fjy ok, thank you. In theory and in my environment it works, so we have to wait until someone need it and try it in the future.
|
👍 |
|
👍 @genevien It would be nice to have an example of what how to use this in practice, I'm not that familiar with how ZK ACLs work. Maybe we can add a short description of a use-case in the docs in a separate PR? |
|
👍 |
|
@genevien Can you make sure you followed the instructions here: https://groups.google.com/forum/#!topic/druid-development/1Zs3Vd9LHCQ? Want to make sure you get credit for your contribution |
|
@xvrl as I've mentioned before I have configured zookeeper server according to https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL (I've used JAAS configuration file: DIGEST-MD5 authentication) and I have run druid process setting |
|
@fjy done, thank you! |
|
@fjy Hi, I just wonder if I have followed all instructions in order to get credit for the contribution? |
|
@genevien you totally do, the oversight is looking at the PR author rather than the commit author. Clerical mistake and sorry for that :) |
|
@drcrallen thanks a lot) |
#2190 with tests and docs