[KYUUBI #1176] InvalidACL appears in the engine when zookeeper acl is turned on #1177
Codecov Report
@@ Coverage Diff @@
## master #1177 +/- ##
============================================
+ Coverage 78.79% 78.84% +0.04%
Complexity 93 93
============================================
Files 182 182
Lines 6654 6683 +29
Branches 785 784 -1
============================================
+ Hits 5243 5269 +26
- Misses 961 966 +5
+ Partials 450 448 -2
|
@@ -48,14 +49,18 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) { | |||
|
|||
val username = Option(user).filter(_.nonEmpty).getOrElse("anonymous") | |||
|
|||
val sessionConf = this.getConf.getUserDefaults(user) | |||
if (!sessionConf.get(HA_ZK_ACL_ENGINE_ENABLED)) { |
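Review bot: the `if (!sessionConf.get(HA_ZK_ACL_ENGINE_ENABLED))` check on the last line reads the flag from `sessionConf`, which comes from `getUserDefaults(user)` and so, by its name, is a per-user view. If engine ACL handling is meant to be a deployment-wide decision, read it from the server conf instead, or add a comment saying that a per-user override is intended. The branch also puts a ZooKeeper ACL decision inside the session manager with no comment on what it changes for the engine.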
It's a bit hacky, can we use HA_ZK_ACL_ENGINE_ENABLED at the caller side?
Move to ZooKeeperACLProvider
val acl1 = new ZooKeeperACLProvider(conf1).getDefaultAcl | ||
assert(acl1.size() === 2) | ||
val expected = ZooDefs.Ids.READ_ACL_UNSAFE | ||
expected.addAll(ZooDefs.Ids.CREATOR_ALL_ACL) |
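Review bot: `expected` on the third line is an alias of the shared `ZooDefs.Ids.READ_ACL_UNSAFE` list, so `expected.addAll(ZooDefs.Ids.CREATOR_ALL_ACL)` appends the creator-all entry to that constant for every later user in the same JVM. Build the expectation in a fresh list first, for example `new java.util.ArrayList[ACL](ZooDefs.Ids.READ_ACL_UNSAFE)`, and then call `addAll` on the copy. The `acl1.size() === 2` assertion on its own also does not pin which ACL entries are returned.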
This (`expected.addAll`) will modify the original list
} | ||
|
||
if (conf.get(HighAvailabilityConf.HA_ZK_ACL_ENABLED) && | ||
conf.get(HighAvailabilityConf.HA_ZK_ENGINE_REF_ID).isEmpty) { |
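Review bot: the `conf.get(HighAvailabilityConf.HA_ZK_ENGINE_REF_ID).isEmpty` test infers which side is running from a missing value, so any process whose conf lacks a ref id takes this ACL-enabled path. Put the inference behind a named helper or add a comment stating the invariant it relies on, and add a test for a conf that does carry a ref id.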
@ulysses-you is this sufficient to distinguish between the server side and the engine side?
I don’t seem to find other ways to distinguish server and engine, or use main class to distinguish.
… turned on

### _Why are the changes needed?_
#1176
When `kyuubi.ha.zookeeper.acl.enabled=true`, both service and engine will use zookeeper acl to create znode, but engine has no keytab information and cannot write information to zookeeper, throwing an exception.
```java
Caused by: org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = InvalidACL for /kyuubi_USER/XXXX
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:124)
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
	at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:792)
	at org.apache.kyuubi.shade.org.apache.curator.framework.imps.CreateBuilderImpl$11.call(CreateBuilderImpl.java:740)
```

### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [x] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #1177 from cxzl25/KYUUBI-1176.

Closes #1176

ecc08fa [sychen] fix engine acl
0b7cc2e [sychen] fix InvalidACL

Authored-by: sychen <sychen@trip.com>
Signed-off-by: Kent Yao <yao@apache.org>
(cherry picked from commit d332534)
Signed-off-by: Kent Yao <yao@apache.org>
thanks, merged to master/1.3
val HA_ZK_ACL_ENGINE_ENABLED: ConfigEntry[Boolean] = | ||
buildConf("ha.zookeeper.acl.engine.enabled") | ||
.doc("Set to true if the zookeeper ensemble is kerberized at engine side.") | ||
.version("1.4.0") |
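Review bot: the `.doc(...)` text does not say how `ha.zookeeper.acl.engine.enabled` relates to `kyuubi.ha.zookeeper.acl.enabled`, or which ACL engine-created znodes get when it is false. Add a sentence for each, since that is the behaviour an operator has to reason about when deciding whether to turn it on.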
@cxzl25 sorry for being late, can we send a follow-up to change the version to 1.3.1?
ok
see #1193
`branch-1.3` lacks the `HA_ZK_ENGINE_REF_ID` configuration to distinguish between service and engine.
It should be a compilation failure now?
good point, seems branch-1.3 would fail. Can you send a PR targeting branch-1.3?
Do you mean to merge #1032 into `branch-1.3`? And change the version of `ha.engine.ref.id` to 1.3.1
….enabled) version #1177

### _Why are the changes needed?_
change configuration(ha.zookeeper.acl.engine.enabled) version to `1.3.1`

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #1193 from cxzl25/KYUUBI-1176-followup.

Closes #1176

72753ae [sychen] change config version

Authored-by: sychen <sychen@trip.com>
Signed-off-by: ulysses-you <ulyssesyou@apache.org>
….enabled) version #1177

### _Why are the changes needed?_
change configuration(ha.zookeeper.acl.engine.enabled) version to `1.3.1`

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #1193 from cxzl25/KYUUBI-1176-followup.

Closes #1176

72753ae [sychen] change config version

Authored-by: sychen <sychen@trip.com>
Signed-off-by: ulysses-you <ulyssesyou@apache.org>
(cherry picked from commit 464fdf4)
Signed-off-by: ulysses-you <ulyssesyou@apache.org>
Change milestone to 1.4.0, see #1221
### _Why are the changes needed?_
#1176
When `kyuubi.ha.zookeeper.acl.enabled=true`, both service and engine will use zookeeper acl to create znode, but engine has no keytab information and cannot write information to zookeeper, throwing an exception.

### _How was this patch tested?_
- Add some test cases that check the changes thoroughly including negative and positive cases if possible
- Add screenshots for manual tests if appropriate
- Run test locally before make a pull request
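
As an added illustration (not code from the Kyuubi project or from ZooKeeper), the Scala model below shows why a create with a creator-all ACL is rejected for a session that has no authenticated identity, and how choosing the ACL per side avoids it. The `fixupAcl` and `defaultAcl` functions, the `sasl` principal, the `ref-1` id and the world-open list used when ACLs are off are assumptions made for the example.

```scala
// Added illustration: a simplified model, not ZooKeeper or Kyuubi source code.
object EngineAclModel {
  final case class Id(scheme: String, id: String)
  final case class Acl(perms: String, id: Id)

  // Immutable stand-ins for the ZooDefs.Ids lists of the same names.
  val ReadAclUnsafe: List[Acl] = List(Acl("r", Id("world", "anyone")))
  val CreatorAllAcl: List[Acl] = List(Acl("cdrwa", Id("auth", "")))
  val OpenAclUnsafe: List[Acl] = List(Acl("cdrwa", Id("world", "anyone")))

  // Model of the server-side check on create(): every "auth" entry is replaced
  // by the identities the session authenticated with. A session with no
  // authenticated identity leaves nothing to substitute, hence InvalidACL.
  def fixupAcl(authenticated: List[Id], acls: List[Acl]): Either[String, List[Acl]] = {
    val expanded = acls.map {
      case Acl(perms, Id("auth", _)) => authenticated.map(cid => Acl(perms, cid))
      case other                     => List(other)
    }
    if (acls.isEmpty || expanded.exists(_.isEmpty)) Left("InvalidACL")
    else Right(expanded.flatten)
  }

  // Assumed selection rule: an empty engine ref id means "server side", which
  // follows ha.zookeeper.acl.enabled; an engine follows
  // ha.zookeeper.acl.engine.enabled instead.
  def defaultAcl(aclEnabled: Boolean, engineAclEnabled: Boolean,
      engineRefId: Option[String]): List[Acl] = {
    val secured = if (engineRefId.isEmpty) aclEnabled else engineAclEnabled
    if (secured) ReadAclUnsafe ++ CreatorAllAcl else OpenAclUnsafe
  }

  def main(args: Array[String]): Unit = {
    val server = List(Id("sasl", "kyuubi-server")) // constructed principal
    val engine = List.empty[Id]                    // engine without a keytab
    val serverAcl =
      defaultAcl(aclEnabled = true, engineAclEnabled = false, engineRefId = None)
    // The kerberized server can use its own ACL list.
    println(fixupAcl(server, serverAcl))
    // An engine that reuses the server's list has no identity to substitute.
    println(fixupAcl(engine, serverAcl))
    // The engine selects its own list through the engine-side flag.
    val engineAcl =
      defaultAcl(aclEnabled = true, engineAclEnabled = false, engineRefId = Some("ref-1"))
    println(fixupAcl(engine, engineAcl))
  }
}
```

Under the assumption above, an engine running with `ha.zookeeper.acl.engine.enabled` set to false writes znodes that any client can modify, which is the trade-off to weigh against kerberizing the engine side.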