Uploaded image for project: 'Accumulo'
  1. Accumulo
  2. ACCUMULO-4488

fix gaps in user manual section on Kerberos for clients

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.7.1, 1.7.2
    • Fix Version/s: 1.7.3, 1.8.1, 2.0.0
    • Component/s: docs
    • Labels:
      None

      Description

      clean up several gaps in the docs that I stumbled on while setting up a cluster with kerberos for clients:

      • document setting up a superuser on an existing system that's enabling kerberos
      • include example of verifying access for the superuser
      • per-user client configuration gives wrong filename
      • per-user client configuration required additions for kerberos missing rpc.sasl.qop
      • document trace.token.property.keytab
      • note required permissions for trace user (Table.READ, Table.WRITE, Table.ALTER_TABLE)
      1. ACCUMULO-4488.1.patch
        11 kB
        Sean Busbey
      2. ACCUMULO-4488.2.patch
        11 kB
        Sean Busbey

        Activity

        Hide
        busbey Sean Busbey added a comment -

        -01

        • suggested changes
        • skipped the permissions for the trace user, since it's not really kerberos related
        • added troubleshooting section for when the Monitor doesn't have a trace keytab.
        Show
        busbey Sean Busbey added a comment - -01 suggested changes skipped the permissions for the trace user, since it's not really kerberos related added troubleshooting section for when the Monitor doesn't have a trace keytab.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        -1 pre-patch 0m 0s JAVA_HOME is not defined.



        Subsystem Report/Notes
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12831987/ACCUMULO-4488.1.patch
        JIRA Issue ACCUMULO-4488
        Optional Tests asflicense javac javadoc unit
        uname Linux asf909.gq1.ygridcore.net 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /home/jenkins/jenkins-slave/workspace/PreCommit-ACCUMULO-Build/test_framework/yetus-0.3.0/lib/precommit/personality/accumulo.sh
        git revision master / 1c218de
        Console output https://builds.apache.org/job/PreCommit-ACCUMULO-Build/49/console
        Powered by Apache Yetus 0.3.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment -1 pre-patch 0m 0s JAVA_HOME is not defined. Subsystem Report/Notes JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12831987/ACCUMULO-4488.1.patch JIRA Issue ACCUMULO-4488 Optional Tests asflicense javac javadoc unit uname Linux asf909.gq1.ygridcore.net 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /home/jenkins/jenkins-slave/workspace/PreCommit-ACCUMULO-Build/test_framework/yetus-0.3.0/lib/precommit/personality/accumulo.sh git revision master / 1c218de Console output https://builds.apache.org/job/PreCommit-ACCUMULO-Build/49/console Powered by Apache Yetus 0.3.0 http://yetus.apache.org This message was automatically generated.
        Hide
        mdrob Mike Drob added a comment - - edited

        +Note that on an existing cluster the server side changes will a full cluster shutdown and restart. You should

        Missing a word.

        +- version: 1.7.2

        I was going to ask if this should be 1.8.0, but spot checking our docs we are not consistent on this at all.

        +*A*: This indicates that the Monitor has not been able to successfully log in a client-side user to read from the +trace+ table. Accumulo allows the TraceServer to rely on the property +general.kerberos.keytab+ as a fallback when logging in the trace user if the +trace.token.property.keytab+ property isn't defined. Some earlier versions of Accumulo did not do this same fallback for the Monitor's use of the trace user. The end result is that if you just configure +general.kerberos.keytab+ you will end up with a system that properly logs trace information but can't view it.
        

        nit: remove "just"

        Show
        mdrob Mike Drob added a comment - - edited +Note that on an existing cluster the server side changes will a full cluster shutdown and restart. You should Missing a word. +- version: 1.7.2 I was going to ask if this should be 1.8.0, but spot checking our docs we are not consistent on this at all. +*A*: This indicates that the Monitor has not been able to successfully log in a client-side user to read from the +trace+ table. Accumulo allows the TraceServer to rely on the property +general.kerberos.keytab+ as a fallback when logging in the trace user if the +trace.token.property.keytab+ property isn't defined. Some earlier versions of Accumulo did not do this same fallback for the Monitor's use of the trace user. The end result is that if you just configure +general.kerberos.keytab+ you will end up with a system that properly logs trace information but can't view it. nit: remove "just"
        Hide
        busbey Sean Busbey added a comment -

        -02

        • Address Mike Drob's feedback
        • fix use of headlines when I meant numbered list.
        Show
        busbey Sean Busbey added a comment - -02 Address Mike Drob 's feedback fix use of headlines when I meant numbered list.
        Hide
        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        -1 pre-patch 0m 0s JAVA_HOME is not defined.



        Subsystem Report/Notes
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12832024/ACCUMULO-4488.2.patch
        JIRA Issue ACCUMULO-4488
        Optional Tests asflicense javac javadoc unit
        uname Linux asf909.gq1.ygridcore.net 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /home/jenkins/jenkins-slave/workspace/PreCommit-ACCUMULO-Build/test_framework/yetus-0.3.0/lib/precommit/personality/accumulo.sh
        git revision master / 1c218de
        Console output https://builds.apache.org/job/PreCommit-ACCUMULO-Build/50/console
        Powered by Apache Yetus 0.3.0 http://yetus.apache.org

        This message was automatically generated.

        Show
        hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment -1 pre-patch 0m 0s JAVA_HOME is not defined. Subsystem Report/Notes JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12832024/ACCUMULO-4488.2.patch JIRA Issue ACCUMULO-4488 Optional Tests asflicense javac javadoc unit uname Linux asf909.gq1.ygridcore.net 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux Build tool maven Personality /home/jenkins/jenkins-slave/workspace/PreCommit-ACCUMULO-Build/test_framework/yetus-0.3.0/lib/precommit/personality/accumulo.sh git revision master / 1c218de Console output https://builds.apache.org/job/PreCommit-ACCUMULO-Build/50/console Powered by Apache Yetus 0.3.0 http://yetus.apache.org This message was automatically generated.
        Hide
        mdrob Mike Drob added a comment -

        +1.

        Unrelated, can we disable Yetus until we get it fixed?

        Show
        mdrob Mike Drob added a comment - +1. Unrelated, can we disable Yetus until we get it fixed?
        Hide
        busbey Sean Busbey added a comment -

        pushed changes and updated user manual on website.

        Show
        busbey Sean Busbey added a comment - pushed changes and updated user manual on website.
        Hide
        elserj Josh Elser added a comment -

        Catching up: this looks great! Thanks for making these additions!

        Unrelated, can we disable Yetus until we get it fixed?

        I don't know of a way to do this. It would require an infra ask. Do you have cycles to get Yetus running again?

        Show
        elserj Josh Elser added a comment - Catching up: this looks great! Thanks for making these additions! Unrelated, can we disable Yetus until we get it fixed? I don't know of a way to do this. It would require an infra ask. Do you have cycles to get Yetus running again?
        Hide
        ctubbsii Christopher Tubbs added a comment -

        Reopening because the patch causes a generation bug. The item list in the "Administrative User" section of the kerberos chapter is broken. Line 273 starts a new item list, instead of the intended addition of a third item. This appears to be caused by the injection of a block level element inside a list.

        Show
        ctubbsii Christopher Tubbs added a comment - Reopening because the patch causes a generation bug. The item list in the "Administrative User" section of the kerberos chapter is broken. Line 273 starts a new item list, instead of the intended addition of a third item. This appears to be caused by the injection of a block level element inside a list.
        Hide
        mdrob Mike Drob added a comment -

        Do you have cycles to get Yetus running again?

        Sure don't!

        Show
        mdrob Mike Drob added a comment - Do you have cycles to get Yetus running again? Sure don't!
        Hide
        busbey Sean Busbey added a comment -

        I'm pretty sure anyone with builds.a.o access can make the needed changes or disable it. I'll make a go at the former and do the latter if needed.

        Anyone know enough asciidoc to tell me how to correct the list issue?

        Show
        busbey Sean Busbey added a comment - I'm pretty sure anyone with builds.a.o access can make the needed changes or disable it. I'll make a go at the former and do the latter if needed. Anyone know enough asciidoc to tell me how to correct the list issue?
        Hide
        busbey Sean Busbey added a comment -

        Mike Drob, looks like Yetus should work again for precommits on jira. see the response on ACCUMULO-4489.

        Show
        busbey Sean Busbey added a comment - Mike Drob , looks like Yetus should work again for precommits on jira. see the response on ACCUMULO-4489 .
        Hide
        ctubbsii Christopher Tubbs added a comment -

        Not sure how to fix list issue. Spent a few minutes trying earlier. I think maybe just drop that last item from the list and turn it into a post-list paragraph. Either that, or move the block outside the list.

        Show
        ctubbsii Christopher Tubbs added a comment - Not sure how to fix list issue. Spent a few minutes trying earlier. I think maybe just drop that last item from the list and turn it into a post-list paragraph. Either that, or move the block outside the list.
        Hide
        ctubbsii Christopher Tubbs added a comment -

        Or we just turn it into two bulleted lists, so the breakup doesn't matter.

        Show
        ctubbsii Christopher Tubbs added a comment - Or we just turn it into two bulleted lists, so the breakup doesn't matter.
        Hide
        elserj Josh Elser added a comment -

        oh, did you fix it?

        Show
        elserj Josh Elser added a comment - oh, did you fix it?
        Hide
        elserj Josh Elser added a comment -

        Fixing this now.

        Show
        elserj Josh Elser added a comment - Fixing this now.
        Hide
        elserj Josh Elser added a comment -

        Fixed the list issue. Re-closing.

        Show
        elserj Josh Elser added a comment - Fixed the list issue. Re-closing.
        Hide
        busbey Sean Busbey added a comment -

        Thanks Josh!

        Show
        busbey Sean Busbey added a comment - Thanks Josh!
        Hide
        busbey Sean Busbey added a comment -

        oh, did you fix it?

        yeah, it ended up just being a matter of removing some attempts to set a different JAVA_HOME from the one that came in with the job.

        Show
        busbey Sean Busbey added a comment - oh, did you fix it? yeah, it ended up just being a matter of removing some attempts to set a different JAVA_HOME from the one that came in with the job.
        Hide
        elserj Josh Elser added a comment -

        Wonderful. Thank you so much for doing that!

        Show
        elserj Josh Elser added a comment - Wonderful. Thank you so much for doing that!

          People

          • Assignee:
            busbey Sean Busbey
            Reporter:
            busbey Sean Busbey
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0h
              0h
              Logged:
              Time Spent - 1h
              1h

                Development