[KYUUBI #1176] InvalidACL appears in the engine when zookeeper acl is turned on #1177
Conversation
Current
Fix
|
Codecov Report
@@ Coverage Diff @@
## master #1177 +/- ##
============================================
+ Coverage 78.79% 78.84% +0.04%
Complexity 93 93
============================================
Files 182 182
Lines 6654 6683 +29
Branches 785 784 -1
============================================
+ Hits 5243 5269 +26
- Misses 961 966 +5
+ Partials 450 448 -2
Continue to review full report at Codecov.
|
| @@ -48,14 +49,18 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) { | |||
|
|
|||
| val username = Option(user).filter(_.nonEmpty).getOrElse("anonymous") | |||
|
|
|||
| val sessionConf = this.getConf.getUserDefaults(user) | |||
| if (!sessionConf.get(HA_ZK_ACL_ENGINE_ENABLED)) { | |||
There was a problem hiding this comment.
It‘s a bit hacky, can we use HA_ZK_ACL_ENGINE_ENABLED at the caller side?
There was a problem hiding this comment.
Move to ZooKeeperACLProvider
| val acl1 = new ZooKeeperACLProvider(conf1).getDefaultAcl | ||
| assert(acl1.size() === 2) | ||
| val expected = ZooDefs.Ids.READ_ACL_UNSAFE | ||
| expected.addAll(ZooDefs.Ids.CREATOR_ALL_ACL) |
There was a problem hiding this comment.
This (expected.addAll) will modify the original list
| } | ||
|
|
||
| if (conf.get(HighAvailabilityConf.HA_ZK_ACL_ENABLED) && | ||
| conf.get(HighAvailabilityConf.HA_ZK_ENGINE_REF_ID).isEmpty) { |
There was a problem hiding this comment.
@ulysses-you does this sufficient to distinguish between the server side and the engine side?
There was a problem hiding this comment.
I don’t seem to find other ways to distinguish server and engine, or use main class to distinguish.
… turned on ### _Why are the changes needed?_ #1176 When `kyuubi.ha.zookeeper.acl.enabled=true`, both service and engine will use zookeeper acl to create znode, but engine has no keytab information and cannot write information to zookeeper, throwing an exception. ```java Caused by: org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = InvalidACL for /kyuubi_USER/XXXX at org.apache.zookeeper.KeeperException.create(KeeperException.java:124) at org.apache.zookeeper.KeeperException.create(KeeperException.java:54) at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:792) at org.apache.kyuubi.shade.org.apache.curator.framework.imps.CreateBuilderImpl$11.call(CreateBuilderImpl.java:740) ``` ### _How was this patch tested?_ - [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [x] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #1177 from cxzl25/KYUUBI-1176. Closes #1176 ecc08fa [sychen] fix engine acl 0b7cc2e [sychen] fix InvalidACL Authored-by: sychen <sychen@trip.com> Signed-off-by: Kent Yao <yao@apache.org> (cherry picked from commit d332534) Signed-off-by: Kent Yao <yao@apache.org>
|
thanks, merged to master/1.3 |
| val HA_ZK_ACL_ENGINE_ENABLED: ConfigEntry[Boolean] = | ||
| buildConf("ha.zookeeper.acl.engine.enabled") | ||
| .doc("Set to true if the zookeeper ensemble is kerberized at engine side.") | ||
| .version("1.4.0") |
There was a problem hiding this comment.
@cxzl25 sorry for the late, can we send a followup change the version to 1.3.1 ?
There was a problem hiding this comment.
branch-1.3 lacks HA_ZK_ENGINE_REF_ID configuration to distinguish between service and engine.
It should be compilation failure now?
There was a problem hiding this comment.
good point, seems branch-1.3 would fail. Can you send a PR target to branch-1.3 ?
There was a problem hiding this comment.
Do you mean to merge #1032 into branch-1.3? And change the version of ha.engine.ref.id to 1.3.1
….enabled) version #1177 ### _Why are the changes needed?_ change configuration(ha.zookeeper.acl.engine.enabled) version to `1.3.1` ### _How was this patch tested?_ - [] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [] Add screenshots for manual tests if appropriate - [] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #1193 from cxzl25/KYUUBI-1176-followup. Closes #1176 72753ae [sychen] change config version Authored-by: sychen <sychen@trip.com> Signed-off-by: ulysses-you <ulyssesyou@apache.org>
….enabled) version #1177 ### _Why are the changes needed?_ change configuration(ha.zookeeper.acl.engine.enabled) version to `1.3.1` ### _How was this patch tested?_ - [] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [] Add screenshots for manual tests if appropriate - [] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #1193 from cxzl25/KYUUBI-1176-followup. Closes #1176 72753ae [sychen] change config version Authored-by: sychen <sychen@trip.com> Signed-off-by: ulysses-you <ulyssesyou@apache.org> (cherry picked from commit 464fdf4) Signed-off-by: ulysses-you <ulyssesyou@apache.org>
|
Change milestone to 1.4.0, see #1221 |
Why are the changes needed?
#1176
When
kyuubi.ha.zookeeper.acl.enabled=true, both service and engine will use zookeeper acl to create znode, but engine has no keytab information and cannot write information to zookeeper, throwing an exception.How was this patch tested?
Add some test cases that check the changes thoroughly including negative and positive cases if possible
Add screenshots for manual tests if appropriate
Run test locally before make a pull request