Posted to dev@mesos.apache.org by "John Sirois (JIRA)" <ji...@apache.org> on 2012/07/09 02:05:34 UTC

[jira] [Commented] (MESOS-229) mesos zookeeper group code fails to connect when pre-existing children of the group path are read-only

    [ https://issues.apache.org/jira/browse/MESOS-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409111#comment-13409111 ] 

John Sirois commented on MESOS-229:
-----------------------------------

The workaround we have in place that is suboptimal from a security point of view is to change the tree perms to:
/ world:anyone:r,digest:mesos:XXX:cr
/home world:anyone:r,digest:mesos:XXX:cr 
/home/mesos world:anyone:r,digest:mesos:XXX:cdrwa 
                
> mesos zookeeper group code fails to connect when pre-existing children of the group path are read-only
> ------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-229
>                 URL: https://issues.apache.org/jira/browse/MESOS-229
>             Project: Mesos
>          Issue Type: Bug
>          Components: master
>    Affects Versions: 0.9.0
>            Reporter: John Sirois
>
> We have a locked down zk tree as follows:
> / world:anyone:r
> /home world:anyone:r
> /home/mesos world:anyone:r,digest:mesos:XXX:cdrwa
> ...
> This causes the mesos GroupProcess::connected code to fail as follows attempting to establish pre-existing path /home/mesos/prod/master for the master contender:
> {code}
> 2012-07-08 23:25:36,322:60909(0x4d50e940):ZOO_INFO@check_events@1632: session establishment complete on server [10.40.93.122:2181], sessionId=0x43836278f888947, negotiated timeout=10000
> 2012-07-08 23:25:36,322:60909(0x4d50e940):ZOO_DEBUG@check_events@1638: Calling a watcher for a ZOO_SESSION_EVENT and the state=ZOO_CONNECTED_STATE
> 2012-07-08 23:25:36,322:60909(0x4dd0f940):ZOO_DEBUG@process_completions@1765: Calling a watcher for node [], type = -1 event=ZOO_SESSION_EVENT
> I0708 23:25:36.322985 60928 detector.cpp:286] Master detector connected to ZooKeeper ...
> I0708 23:25:36.323076 60928 detector.cpp:292] Authenticating to ZooKeeper using scheme 'digest'
> 2012-07-08 23:25:36,323:60909(0x49d07940):ZOO_DEBUG@send_last_auth_info@1265: Sending auth info request to 10.40.93.122:2181
> I0708 23:25:36.329813 60937 webui_utils.cpp:49] Loading webui script at '/usr/local/share/mesos/webui/master/webui.py'
> 2012-07-08 23:25:39,656:60909(0x4d50e940):ZOO_DEBUG@zookeeper_process@1933: Processing AUTH_XID
> 2012-07-08 23:25:39,656:60909(0x4d50e940):ZOO_INFO@auth_completion_func@1198: Authentication scheme digest succeeded
> 2012-07-08 23:25:39,656:60909(0x4d50e940):ZOO_DEBUG@zookeeper_process@1983: Got ping response in 0 ms
> I0708 23:25:39.657078 60928 detector.cpp:314] Trying to create znode '/home' in ZooKeeper
> 2012-07-08 23:25:39,657:60909(0x49d07940):ZOO_DEBUG@zoo_acreate@2503: Sending request xid=0x4ffa16f1 for path [/home] to 10.40.93.122:2181
> 2012-07-08 23:25:39,659:60909(0x4d50e940):ZOO_DEBUG@zookeeper_process@1989: Queueing asynchronous response
> 2012-07-08 23:25:39,659:60909(0x4dd0f940):ZOO_DEBUG@process_completions@1817: Calling COMPLETION_STRING for xid=0x4ffa16f1 rc=-102
> Failed to create ZooKeeper znode: not authenticated (../../src/detector/detector.cpp:320)
> {code}
> The end observable behavior of GroupProcess::connected code should ideally ensure the path exists and attempt to create nodes if they do not exist.  The current behavior is that GroupProcess::connected will refuse to use paths with read-only root nodes even if the leaf node it needs to manage a group is writable.

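Added example, not part of the original message and not Mesos code: a small in-memory model of the ACL trees listed above, comparing "create every path component" (the behaviour visible in the log) with "create only the components that do not exist yet" (the behaviour the issue asks for). All function names are hypothetical, and the model assumes the server checks the create bit on the parent before checking whether the child exists, which is consistent with the rc=-102 returned for the existing /home.

```cpp
// Added example: in-memory model of ZooKeeper's CREATE check, not Mesos code.
#include <map>
#include <string>
#include <vector>

enum Rc { ZOK = 0, ZNOAUTH = -102, ZNODEEXISTS = -110 };  // ZooKeeper C client codes

// path -> does digest:mesos hold the 'c' (create child) bit on that znode?
using Tree = std::map<std::string, bool>;

// Constructed trees matching the ACL listings in the issue and in the comment.
Tree lockedDown() { return {{"/", false}, {"/home", false}, {"/home/mesos", true}}; }
Tree workaround() { return {{"/", true}, {"/home", true}, {"/home/mesos", true}}; }

// Model assumption: 'c' on the parent is checked before the existence of the
// child, so creating an already-present znode can still return ZNOAUTH.
Rc create(Tree& t, const std::string& path) {
  size_t slash = path.rfind('/');
  std::string parent = slash == 0 ? "/" : path.substr(0, slash);
  if (!t.at(parent)) return ZNOAUTH;
  if (t.count(path)) return ZNODEEXISTS;
  t[path] = true;  // assumption: new znodes get cdrwa for digest:mesos
  return ZOK;
}

// Every ancestor of `path`, shortest first, ending with `path` itself.
std::vector<std::string> prefixes(const std::string& path) {
  std::vector<std::string> out;
  for (size_t i = path.find('/', 1);; i = path.find('/', i + 1)) {
    out.push_back(path.substr(0, i));  // npos yields the whole path
    if (i == std::string::npos) break;
  }
  return out;
}

// existsFirst=false tries to create every component, as in the log above.
// existsFirst=true skips components already present (exists needs no ACL bit).
Rc ensurePath(Tree& t, const std::string& path, bool existsFirst) {
  for (const std::string& p : prefixes(path)) {
    if (existsFirst && t.count(p)) continue;
    Rc rc = create(t, p);
    if (rc != ZOK && rc != ZNODEEXISTS) return rc;
  }
  return ZOK;
}
```

On the locked-down tree the create-everything variant stops at /home with ZNOAUTH, while the exists-first variant succeeds without any create bit on / or /home. The workaround tree makes the first variant succeed too, but it also lets the mesos credential create znodes directly under / and /home.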