Posted to notifications@accumulo.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2016/08/18 22:29:20 UTC

[jira] [Commented] (ACCUMULO-4415) Tracer requires instance.secret

    [ https://issues.apache.org/jira/browse/ACCUMULO-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427285#comment-15427285 ] 

Josh Elser commented on ACCUMULO-4415:
--------------------------------------

bq. The tracer does not use the Accumulo system credentials, and instead uses a specific tracer username and password. It should also not use the instance.secret (which is for the system credentials).

Right now, our API would send data to any tracer registered in ZK. If we remove the ACL on the tracers node, doesn't that mean I could start a tracer and start "stealing" metrics? Assuming I understand this correctly, is this a concern? There may be sensitive data in the tags for the metrics element, no?

> Tracer requires instance.secret
> -------------------------------
>
>                 Key: ACCUMULO-4415
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4415
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Christopher Tubbs
>
> Tracer incorrectly uses instance.secret for its /tracers area in ZooKeeper.
> The tracer does not use the Accumulo system credentials, and instead uses a specific tracer username and password. It should also not use the instance.secret (which is for the system credentials).
> A side effect of this bug is that ChangeSecret does not update the /tracers ACLs in ZooKeeper, preventing the tracer from working entirely after the instance.secret is changed.
> The following error will be seen in the monitor after the ChangeSecret tool is run.
> {code}
> Thread 'tracer' died.
> 	org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /tracers/trace-
> 		at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> 		at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> 		at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> 		at org.apache.accumulo.fate.zookeeper.ZooUtil.putEphemeralSequential(ZooUtil.java:464)
> 		at org.apache.accumulo.fate.zookeeper.ZooReaderWriter.putEphemeralSequential(ZooReaderWriter.java:99)
> 		at org.apache.accumulo.tracer.TraceServer.registerInZooKeeper(TraceServer.java:318)
> 		at org.apache.accumulo.tracer.TraceServer.<init>(TraceServer.java:255)
> 		at org.apache.accumulo.tracer.TraceServer.main(TraceServer.java:360)
> 		at org.apache.accumulo.tracer.TracerExecutable.execute(TracerExecutable.java:33)
> 		at org.apache.accumulo.start.Main$1.run(Main.java:120)
> 		at java.lang.Thread.run(Thread.java:745)
> {code}
> This affects at least the current 1.8 branch (1.8.0-SNAPSHOT), but I haven't checked earlier versions.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
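
Added example, not part of the original message and not Accumulo code: a check for the concern raised in the comment above. It parses the output of `getAcl` from ZooKeeper's zkCli.sh for the tracers node and reports which permissions beyond read are granted to `world:anyone`. The sample outputs, the digest value and the function names are constructed for illustration.

```python
import re

# Constructed samples of zkCli.sh `getAcl <tracers node>` output (not from the issue).
# The digest user and hash are placeholders.
LOCKED_DOWN = """\
'digest,'accumulo:PLACEHOLDER_DIGEST=
: cdrwa
'world,'anyone
: r
"""
OPEN = """\
'world,'anyone
: cdrwa
"""

ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")
PERMS = re.compile(r"^:\s*(?P<perms>[cdrwa]*)$")


def parse_acl(text):
    """Return [(scheme, id, perms)] parsed from zkCli getAcl output."""
    acl, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            pending = (m["scheme"], m["id"])
            continue
        m = PERMS.match(line)
        if m and pending:
            acl.append((*pending, m["perms"]))
            pending = None
    return acl


def world_perms_beyond_read(text):
    """Permissions other than read that world:anyone holds on the node.

    'c' lets any unauthenticated client create a child znode, which on the
    tracers node means registering as a tracer; 'w', 'd' and 'a' allow
    changing data, deleting children and rewriting the ACL.
    """
    risky = set()
    for scheme, ident, perms in parse_acl(text):
        if scheme == "world" and ident == "anyone":
            risky |= set(perms) - {"r"}
    return "".join(sorted(risky))
```

An empty string means only authenticated identities can register under the node; any letters returned are the permissions open to every client.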