You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@storm.apache.org by GitBox <gi...@apache.org> on 2020/12/22 05:13:30 UTC
[GitHub] [storm] Ethanlm opened a new pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Ethanlm opened a new pull request #3367:
URL: https://github.com/apache/storm/pull/3367
## What is the purpose of the change
Described in https://issues.apache.org/jira/browse/STORM-3728. Workers have issue connecting to pacemaker when pacemaker.auth.method is KERBEROS
## How was the change tested
This issue is easy to reproduce when pacemaker is set up with Kerberos and `pacemaker.auth.method` set to `KERBEROS`.
Applied this change and validated that workers can heartbeat to Pacemakers properly.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] Ethanlm commented on a change in pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
Ethanlm commented on a change in pull request #3367:
URL: https://github.com/apache/storm/pull/3367#discussion_r547517421
##########
File path: storm-client/src/jvm/org/apache/storm/daemon/worker/Worker.java
##########
@@ -121,6 +121,10 @@ public Worker(Map<String, Object> conf, IContext context, String topologyId, Str
this.topologyConf = ConfigUtils.overrideLoginConfigWithSystemProperty(ConfigUtils.readSupervisorStormConf(conf, topologyId));
+ // see STORM-3728.
Review comment:
It is a little more than that.
Currently no matter what value `pacemaker.auth.method` is, write to pacemaker is always allowed. see https://github.com/apache/storm/blob/master/docs/Pacemaker.md#security.
Workers only write to pacemaker, so it can be just "NONE".
So I figured to use a JIRA ID to explain it.
In the future, we want to
1) fix worker authentication with pacemaker
2) secure write access on pacemaker
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] bipinprasad commented on a change in pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
bipinprasad commented on a change in pull request #3367:
URL: https://github.com/apache/storm/pull/3367#discussion_r547552309
##########
File path: storm-client/src/jvm/org/apache/storm/daemon/worker/Worker.java
##########
@@ -121,6 +121,10 @@ public Worker(Map<String, Object> conf, IContext context, String topologyId, Str
this.topologyConf = ConfigUtils.overrideLoginConfigWithSystemProperty(ConfigUtils.readSupervisorStormConf(conf, topologyId));
+ // see STORM-3728.
Review comment:
Ok. That first line itself (or a short variant) is a good enough comment - "write to pacemaker is currently always allowed, ignores pacemaker.auth.method value"
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] Ethanlm commented on a change in pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
Ethanlm commented on a change in pull request #3367:
URL: https://github.com/apache/storm/pull/3367#discussion_r547622503
##########
File path: storm-client/src/jvm/org/apache/storm/daemon/worker/Worker.java
##########
@@ -121,6 +121,10 @@ public Worker(Map<String, Object> conf, IContext context, String topologyId, Str
this.topologyConf = ConfigUtils.overrideLoginConfigWithSystemProperty(ConfigUtils.readSupervisorStormConf(conf, topologyId));
+ // see STORM-3728.
Review comment:
updated. Please check. Thanks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] Ethanlm merged pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
Ethanlm merged pull request #3367:
URL: https://github.com/apache/storm/pull/3367
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] Ethanlm commented on a change in pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
Ethanlm commented on a change in pull request #3367:
URL: https://github.com/apache/storm/pull/3367#discussion_r547517421
##########
File path: storm-client/src/jvm/org/apache/storm/daemon/worker/Worker.java
##########
@@ -121,6 +121,10 @@ public Worker(Map<String, Object> conf, IContext context, String topologyId, Str
this.topologyConf = ConfigUtils.overrideLoginConfigWithSystemProperty(ConfigUtils.readSupervisorStormConf(conf, topologyId));
+ // see STORM-3728.
Review comment:
It is a little more than that.
Currently no matter what value `pacemaker.auth.method` is, write to pacemaker is always allowed. see https://github.com/apache/storm/blob/master/docs/Pacemaker.md#security.
Workers only write to pacemaker, so it can be just "NONE".
So I figured to use a JIRA ID to explain it.
In the future, we want to
1) fix worker authentication with pacemaker
2) secure write access on pacemaker
I will see what comments I can add
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [storm] bipinprasad commented on a change in pull request #3367: [STORM-3728] Fix Worker LoginException issue with pacemaker when pacemaker.auth.method is KERBEROS
Posted by GitBox <gi...@apache.org>.
bipinprasad commented on a change in pull request #3367:
URL: https://github.com/apache/storm/pull/3367#discussion_r547487805
##########
File path: storm-client/src/jvm/org/apache/storm/daemon/worker/Worker.java
##########
@@ -121,6 +121,10 @@ public Worker(Map<String, Object> conf, IContext context, String topologyId, Str
this.topologyConf = ConfigUtils.overrideLoginConfigWithSystemProperty(ConfigUtils.readSupervisorStormConf(conf, topologyId));
+ // see STORM-3728.
Review comment:
Can this comment say something like: "When Pacemaker auth is set to Kerberos, unauthenticated writes are allowed"
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org