Posted to dev@metron.apache.org by justinleet <gi...@git.apache.org> on 2017/04/27 12:11:51 UTC

[GitHub] incubator-metron pull request #553: METRON-896: Document Having Kerberos Iss...

GitHub user justinleet opened a pull request:

    https://github.com/apache/incubator-metron/pull/553

    METRON-896: Document Having Kerberos Issue Renewable Tickets

    ## Contributor Comments
    Added a couple lines to the doc about setting up tickets as renewable, if they aren't already.
    See: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html, specifically max_renewable_life may have to be set to a nonzero value.  Interestingly, full dev doesn't care, but an actual (non-AWS) cluster did care.  I'm guessing this is related to some version or OS differences or something, but I'm not entirely sure.
    
    Also added a couple lines to both manual and full dev docs about how to verify a ticket is renewable, and how to modify the principals to add the appropriate flags if needed.
    
    Given that it's potentially a versioning type thing, and the solutions are Kerberos specific issues, I don't know how much of a test plan we need/want to repeat it. We're giving KDC instructions as a convenience, not supporting the KDC itself.  To me, this feels like a best-effort type attempt to address issues.  If we feel that way as a group, I'd be interested in if anyone wants to modify or update the READMEs to reflect that a bit better.  Otherwise, coming up with a test plan may be a pain, because we'd have to track down the actual root versioning cause.
    
    I've also included a formatting fix to the docs from while I was in the area.  The newline didn't show up properly in triple backticks in the maven site output.
    
    ## Pull Request Checklist
    
    Thank you for submitting a contribution to Apache Metron.  
    Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions.  
    Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.  
    
    
    In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
    
    ### For all changes:
    - [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel). 
    - [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    - [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
    
    
    ### For code changes:
    - [ ] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
    See comments above.  I'm personally inclined to consider this a best effort attempt to provide a solution to a KDC configuration issue.
    - [ ] Have you included steps or a guide to how the change may be verified and tested manually?
    See comments above.  I'm personally inclined to consider this a best effort attempt to provide a solution to a KDC configuration issue.
    - [x] Have you ensured that the full suite of tests and checks have been executed in the root incubating-metron folder via:
      ```
      mvn -q clean integration-test install && build_utils/verify_licenses.sh 
      ```
    
    ### For documentation related changes:
    - [x] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and then verify changes via `site-book/target/site/index.html`:
    
      ```
      cd site-book
      bin/generate-md.sh
      mvn site:site
      ```
    
    #### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
    It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/justinleet/incubator-metron METRON-896

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/553.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #553
    
----
commit 11a24cb1fccc3e83bde545c17b925a36caa059cd
Author: justinjleet <ju...@gmail.com>
Date:   2017-04-27T11:52:29Z

    Adding notes about renewable tickets to the docs

commit 512c556234381109f0ca0483bc2d35692a60e31f
Author: justinjleet <ju...@gmail.com>
Date:   2017-04-27T12:04:14Z

    Fix to the formatting

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
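
An added example, not part of the pull request or the Metron docs: a shell check for the renewable (R) flag on the TGT in `klist -f` output, which is the condition the description above says needs verifying. The sample output, the realm EXAMPLE.COM and the principal names are constructed, and the remediation commands in the comments assume an MIT Kerberos KDC.

```shell
#!/bin/sh
# Added example: decide whether the TGT shown by `klist -f` is renewable.
# MIT klist prints each ticket's flags on the line after the ticket itself;
# an "R" in that flag string means the ticket is renewable.

# Constructed sample: renewable TGT followed by a service ticket.
RENEWABLE_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: metron@EXAMPLE.COM

Valid starting       Expires              Service principal
04/27/2017 12:00:00  04/28/2017 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/04/2017 12:00:00, Flags: FRI
04/27/2017 12:05:00  04/28/2017 12:00:00  HTTP/node1.example.com@EXAMPLE.COM
        renew until 05/04/2017 12:00:00, Flags: FRT'

# Constructed sample: a service ticket listed first, then a TGT issued
# without a renewable lifetime (no "renew until", no R flag).
NONRENEWABLE_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: metron@EXAMPLE.COM

Valid starting       Expires              Service principal
04/27/2017 12:05:00  04/28/2017 12:00:00  HTTP/node1.example.com@EXAMPLE.COM
        Flags: FT
04/27/2017 12:00:00  04/28/2017 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FI'

# Reads `klist -f` output on stdin and prints the TGT's flag string.
# Flags belonging to other tickets are ignored.
tgt_flags() {
  awk '
    /krbtgt\//      { tgt = 1; next }                          # TGT ticket line
    tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit } # its flag line
                    { tgt = 0 }                                # any other line
  '
}

# Exit status 0 if the TGT on stdin carries the R (renewable) flag.
tgt_is_renewable() {
  case "$(tgt_flags)" in
    *R*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Against a live ticket cache:  klist -f | tgt_is_renewable
#
# If the flag is missing, the usual MIT Kerberos fixes, run on the KDC
# (assumptions; realm, principal and lifetime are placeholders):
#   kdc.conf, in the realm section:  max_renewable_life = 7d
#   kadmin.local -q 'modprinc -maxrenewlife "7 days" krbtgt/EXAMPLE.COM@EXAMPLE.COM'
#   kadmin.local -q 'modprinc -maxrenewlife "7 days" metron@EXAMPLE.COM'
# then restart the KDC and request a fresh ticket with:  kinit -r 7d

for name in RENEWABLE_SAMPLE NONRENEWABLE_SAMPLE; do
  eval "sample=\$$name"
  if printf '%s\n' "$sample" | tgt_is_renewable; then
    echo "$name: TGT is renewable"
  else
    echo "$name: TGT is NOT renewable"
  fi
done
```
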

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Do you have a preference which ticket we close as a dupe?  I can pretty easily rename my PR if we want to use yours.


---

[GitHub] incubator-metron pull request #553: METRON-896: Document Having Kerberos Iss...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-metron/pull/553


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Looks like https://github.com/apache/incubator-metron/pull/554 cleans up a lot of things. I'll wait for that to go in, then I'll adjust this PR and we'll revisit it.


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    @cestella As a note, it looks like there's a regression in the docs (the vagrant install should be much, much shorter and limited to Ambari), so that needs to be cleaned up.


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Updated after merging in master, which included the README fixes as well as moving the Ambari instructions alongside the Manual instructions.


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by cestella <gi...@git.apache.org>.
Github user cestella commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Why do we have 2 separate kerberos docs at this point?  Can we get rid of the vagrant one or is there a difference there?


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    @nickwallen My bad, apparently I didn't refresh Jira and didn't see the ticket.  I'll migrate the info over, and add the relevant snippet to the docs.


---

[GitHub] incubator-metron pull request #553: METRON-896: Document Having Kerberos Iss...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet closed the pull request at:

    https://github.com/apache/incubator-metron/pull/553


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by nickwallen <gi...@git.apache.org>.
Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Oops.  I thought you had wanted me to take this.  I already created METRON-895.  Please at least grab the diagnostic log information that I have added to METRON-895 and add to your METRON-896 so that users can identify when this is an issue for them.


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by nickwallen <gi...@git.apache.org>.
Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    +1 Looks good.  Thanks!


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    Imo, the vagrant one should be moved up to the level of the manual one, and just made to be the Ambari Kerberos doc with any notes for full dev.
    
    Combining them is kind of a pain in the butt, since there's the whole giant set of manual steps that aren't relevant to anything Ambari.  It's just annoying to deal with because a couple of steps are similar but not quite the same, etc.
    
    If we want to go ahead and roll that change into this, I can go ahead and do that.


---

[GitHub] incubator-metron pull request #553: METRON-896: Document Having Kerberos Iss...

Posted by justinleet <gi...@git.apache.org>.
GitHub user justinleet reopened a pull request:

    https://github.com/apache/incubator-metron/pull/553

    METRON-896: Document Having Kerberos Issue Renewable Tickets

----
commit 11a24cb1fccc3e83bde545c17b925a36caa059cd
Author: justinjleet <ju...@gmail.com>
Date:   2017-04-27T11:52:29Z

    Adding notes about renewable tickets to the docs

commit 512c556234381109f0ca0483bc2d35692a60e31f
Author: justinjleet <ju...@gmail.com>
Date:   2017-04-27T12:04:14Z

    Fix to the formatting

commit 24b0f5de981012dfccc1ce3d59993c47a8047b17
Author: justinjleet <ju...@gmail.com>
Date:   2017-04-27T12:27:10Z

    Adding a note about the specific error seen

commit ad5f63b6d21762f57b9cc74649d98e8886dda562
Author: justinleet <ju...@gmail.com>
Date:   2017-04-27T12:59:37Z

    Removing a couple extra newlines

----


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by justinleet <gi...@git.apache.org>.
Github user justinleet commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    To elaborate on the regression comment:
    
    The vagrant Kerberos steps have all the manual steps added back in.  They should largely be removed, barring any profiler ACL setup.
    
    The manual Kerberos setup is fine (or should be), and can pretty much be left as-is.
    
    Like I said above, IMO we move the Ambari Kerberos to the same level and just make any notes regarding the dev environments specifically.


---

[GitHub] incubator-metron issue #553: METRON-896: Document Having Kerberos Issue Rene...

Posted by nickwallen <gi...@git.apache.org>.
Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/553
  
    No preference as long as it has the log output.  Please close whatever one is the dup.  Thanks for doc'ing this.  Nice job figuring this one out too!


---