You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Grant Henke (Code Review)" <ge...@cloudera.org> on 2021/05/23 21:35:31 UTC

[kudu-CR] [txns] Authorization error when running transactional workload in secure tests 

Grant Henke has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17490


Change subject: [txns] Authorization error when running transactional workload in secure tests
......................................................................

[txns] Authorization error when running transactional workload in secure tests

This is a small patch to show a test issue I have seen when trying to write
a test for another patch. Pushing for visibility, will update the message
once the issue is identified and a fix is applied.

Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
---
M src/kudu/integration-tests/security-itest.cc
1 file changed, 22 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/90/17490/1
-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 1
Gerrit-Owner: Grant Henke <gr...@apache.org>

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 3:

> Thank you for fixing this.
 > 
 > I guess we will also need to make sure TxnManager is able to create
 > new ranges and write into tables/tablets.  I'll take a look at that
 > -- we can add corresponding permissions for methods in
 > TabletServerService in a separate changelist.

I took a look at that and it seems TxnManager uses regular MasterService::AlterTable() RPC which already has "AuthorizeClientOrServiceUser"


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 3
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 16:58:41 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17490

to look at the new patch set (#3).

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................

[txns] Allow the TxnSystemClient to run in Authorized environments

When writing a test that runs the TxnSystemClient in an authorized
environment I saw issues where the TxnSystemClient could not
be initialized due to being unauthorized. It turns out that there
are many remote methods that the service user is not authorized
to call. This patch fixes the issue by updating the various required
calls to also allow the service user. I also enhanced a test to leverage
transactions in security-itest.cc

Here is a sample error I saw before this change:
W0524 08:57:12.618356 216932352 server_base.cc:694] Unauthorized access attempt to method kudu.master.MasterService.ConnectToMaster from {username='kudu', principal='kudu/127.0.0.1@KRBTEST.COM'} at 127.0.0.1:51639
W0524 08:57:12.618837 94556160 txn_system_client.cc:478] unable to initialize TxnSystemClient, will retry in 1.000s: Remote error: Could not connect to the cluster: Not authorized: unauthorized access to method: ConnectToMaster

Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/master/master.proto
2 files changed, 28 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/90/17490/3
-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 3
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 3:

Looks like I need to fix up a few tests that depended on the bad behavior


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 3
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 16:50:52 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 4: Verified+1

unrelated test failure in DeleteTableITest.TestAutoTombstoneAfterCrashDuringTabletCopy


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 4
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 21:16:54 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 3: Code-Review+2

Nice find!


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 3
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 16:42:26 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 3: Code-Review+2

Thank you for fixing this.

I guess we will also need to make sure TxnManager is able to create new ranges and write into tables/tablets.  I'll take a look at that -- we can add corresponding permissions for methods in TabletServerService in a separate changelist.


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 3
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 16:44:38 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Removed Verified-1 by Kudu Jenkins (120)
-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 4
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................

[txns] Allow the TxnSystemClient to run in Authorized environments

When writing a test that runs the TxnSystemClient in an authorized
environment I saw issues where the TxnSystemClient could not
be initialized due to being unauthorized. It turns out that there
are many remote methods that the service user is not authorized
to call. This patch fixes the issue by updating the various required
calls to also allow the service user. I also enhanced a test to leverage
transactions in security-itest.cc

Here is a sample error I saw before this change:
W0524 08:57:12.618356 216932352 server_base.cc:694] Unauthorized access attempt to method kudu.master.MasterService.ConnectToMaster from {username='kudu', principal='kudu/127.0.0.1@KRBTEST.COM'} at 127.0.0.1:51639
W0524 08:57:12.618837 94556160 txn_system_client.cc:478] unable to initialize TxnSystemClient, will retry in 1.000s: Remote error: Could not connect to the cluster: Not authorized: unauthorized access to method: ConnectToMaster

Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Reviewed-on: http://gerrit.cloudera.org:8080/17490
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Grant Henke <gr...@apache.org>
---
M src/kudu/client/client-test.cc
M src/kudu/integration-tests/security-itest.cc
M src/kudu/integration-tests/txn_status_table-itest.cc
M src/kudu/master/master.proto
4 files changed, 64 insertions(+), 20 deletions(-)

Approvals:
  Alexey Serbin: Verified
  Grant Henke: Looks good to me, approved

-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 5
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................


Patch Set 4: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 4
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 24 May 2021 21:33:39 +0000
Gerrit-HasComments: No

[kudu-CR] [txns] Authorization error when running transactional workload in secure tests

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Hello Tidy Bot, Kudu Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17490

to look at the new patch set (#2).

Change subject: [txns] Authorization error when running transactional workload in secure tests
......................................................................

[txns] Authorization error when running transactional workload in secure tests

This is a small patch to show a test issue I have seen when trying to write
a test for another patch. Pushing for visibility, will update the message
once the issue is identified and a fix is applied.

Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/mini-cluster/external_mini_cluster.cc
2 files changed, 23 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/90/17490/2
-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 2
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

[kudu-CR] [txns] Allow the TxnSystemClient to run in Authorized environments

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has uploaded a new patch set (#4) to the change originally created by Grant Henke. ( http://gerrit.cloudera.org:8080/17490 )

Change subject: [txns] Allow the TxnSystemClient to run in Authorized environments
......................................................................

[txns] Allow the TxnSystemClient to run in Authorized environments

When writing a test that runs the TxnSystemClient in an authorized
environment I saw issues where the TxnSystemClient could not
be initialized due to being unauthorized. It turns out that there
are many remote methods that the service user is not authorized
to call. This patch fixes the issue by updating the various required
calls to also allow the service user. I also enhanced a test to leverage
transactions in security-itest.cc

Here is a sample error I saw before this change:
W0524 08:57:12.618356 216932352 server_base.cc:694] Unauthorized access attempt to method kudu.master.MasterService.ConnectToMaster from {username='kudu', principal='kudu/127.0.0.1@KRBTEST.COM'} at 127.0.0.1:51639
W0524 08:57:12.618837 94556160 txn_system_client.cc:478] unable to initialize TxnSystemClient, will retry in 1.000s: Remote error: Could not connect to the cluster: Not authorized: unauthorized access to method: ConnectToMaster

Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
---
M src/kudu/client/client-test.cc
M src/kudu/integration-tests/security-itest.cc
M src/kudu/integration-tests/txn_status_table-itest.cc
M src/kudu/master/master.proto
4 files changed, 64 insertions(+), 20 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/90/17490/4
-- 
To view, visit http://gerrit.cloudera.org:8080/17490
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I4622586fc27b5b67005bf023e4fbaebaf5454ad0
Gerrit-Change-Number: 17490
Gerrit-PatchSet: 4
Gerrit-Owner: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)