HDDS-5123. Use the pre-created apache/ozone-testkrb5 image during secure acceptance tests #2165
Conversation
adoroszlai
left a comment
Thanks @elek for working on this improvement.
hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-compose.yaml
hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-compose.yaml
| Kinit test user | ||
| [arguments] ${user} ${keytab} | ||
| ${hostname} = Execute hostname | ||
| ${hostname} = Execute hostname | sed 's/.org//' | sed 's/[0-9]//' |
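Review bot: the new `${hostname}` line's `sed 's/.org//' | sed 's/[0-9]//'` removes only the first digit (no `g` flag) and uses an unescaped `.` that matches any character, so a host like `scm12.org` becomes `scm2` while `scm1.org` becomes `scm`; anchoring the patterns (`sed 's/\.org$//; s/[0-9]*$//'`) makes the derived short name predictable, and whatever this keyword kinits as must agree with the principals granted by the ACL lines in links.robot, otherwise kinit succeeds but the authorized operations fail with PERMISSION_DENIED.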
I think ACLs like user:testuser2/${SCM}@EXAMPLE.COM need to be tweaked, too. With SCM HA they apply to testuser2/scm1, but this sed makes the test kinit with testuser2/scm.
This causes test failure:
Can follow link with read access | FAIL |
'PERMISSION_DENIED User testuser2/scm@EXAMPLE.COM doesn't have READ permission to access volume 84112-target null null' does not contain 'key-in-readable-bucket'
https://github.com/apache/ozone/runs/2400748407#step:6:1636
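The mismatch described in the review is easy to reproduce offline. The following POSIX shell functions are an added example, not part of the review thread or of the Ozone code base: `derive_principal` mirrors the patch's hostname-to-principal pipeline (`sed 's/.org//' | sed 's/[0-9]//'`), `derive_principal_strict` is an assumed anchored variant that strips the `.org` suffix and all trailing digits, and `check_match` compares the kinit principal with the principal an ACL would grant. The `.org` hostnames and the `EXAMPLE.COM` realm are taken from the review; the `testuser2` user is the one used in links.robot.

```shell
#!/bin/sh
# Added example (not from apache/ozone): derive the Kerberos principal a
# smoketest would kinit as, from a compose container hostname, and compare it
# with the principal an ACL line grants. Used to show why kinit can succeed
# while every authorized operation fails with PERMISSION_DENIED.

# Mirror of the pipeline in the patch: strip ".org" (unescaped dot), then the
# first digit only (no g flag). Realm defaults to EXAMPLE.COM as in the review.
derive_principal() {
  user="$1"; host="$2"; realm="${3:-EXAMPLE.COM}"
  short=$(printf '%s\n' "$host" | sed 's/.org//' | sed 's/[0-9]//')
  printf '%s/%s@%s\n' "$user" "$short" "$realm"
}

# Assumed hardened variant: anchor the suffix and drop every trailing digit,
# so scm1, scm12 and scm all collapse to the same short name.
derive_principal_strict() {
  user="$1"; host="$2"; realm="${3:-EXAMPLE.COM}"
  short=$(printf '%s\n' "$host" | sed 's/\.org$//; s/[0-9]*$//')
  printf '%s/%s@%s\n' "$user" "$short" "$realm"
}

# Principal as an ACL line grants it, e.g. user:testuser2/${SCM}@EXAMPLE.COM,
# where $2 is whatever the ACL's host variable expands to.
acl_principal() {
  user="$1"; acl_host="$2"; realm="${3:-EXAMPLE.COM}"
  printf '%s/%s@%s\n' "$user" "$acl_host" "$realm"
}

# Returns 0 when the kinit principal derived from hostname $1 equals the ACL
# principal built from host variable $2, 1 otherwise.
check_match() {
  [ "$(derive_principal testuser2 "$1")" = "$(acl_principal testuser2 "$2")" ]
}

# Usage: before the patch ${SCM} expanded to the real host (scm1 with SCM HA),
# so the ACL granted testuser2/scm1 while the test kinit'ed as testuser2/scm.
check_match scm1.org scm1 && echo "match" || echo "mismatch: ACL grants scm1, kinit uses scm"
```

Running `check_match scm1.org scm1` reports a mismatch, which is exactly the PERMISSION_DENIED case quoted above, while `check_match scm.org scm` passes; the strict variant additionally keeps `scm12.org` from turning into `scm2`.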
Thanks @elek for addressing my other comments. I think this one still needs to be done.
--- hadoop-ozone/dist/src/main/smoketest/basic/links.robot
+++ hadoop-ozone/dist/src/main/smoketest/basic/links.robot
@@ -42,11 +42,11 @@
Execute ozone sh bucket link ${source}/readable-bucket ${target}/readable-link
Execute ozone sh bucket link ${source}/readable-bucket ${target}/unreadable-link
Execute ozone sh bucket link ${source}/unreadable-bucket ${target}/link-to-unreadable-bucket
- Execute ozone sh volume addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}
- Execute ozone sh volume addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:rl ${source}
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:rl ${source}/readable-bucket
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}/readable-link
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}/link-to-unreadable-bucket
+ Execute ozone sh volume addacl --acl user:testuser2/[email protected]:r ${target}
+ Execute ozone sh volume addacl --acl user:testuser2/[email protected]:rl ${source}
+ Execute ozone sh bucket addacl --acl user:testuser2/[email protected]:rl ${source}/readable-bucket
+ Execute ozone sh bucket addacl --acl user:testuser2/[email protected]:r ${target}/readable-link
+ Execute ozone sh bucket addacl --acl user:testuser2/[email protected]:r ${target}/link-to-unreadable-bucket
Can follow link with read access
Execute kdestroy
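Review bot: the `+` lines replace `${SCM}` with a fixed principal so the ACL grants match what `Kinit test user` now derives after dropping the digit from the hostname, but this couples links.robot to the sed pipeline in the kinit keyword (the ACL grants `testuser2/scm` while the actual SCM hosts under HA are `scm1` and so on); consider exposing the derived short name as one shared variable used both by the kinit keyword and by these five addacl lines, so a later change to the hostname munging cannot silently reintroduce the PERMISSION_DENIED failure seen in the run linked above.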
adoroszlai
left a comment
Thanks @elek for updating the patch.
The build is green, merging it now. Thanks, @adoroszlai, for the review.
…ing-upgrade-master-merge * upstream/master: (76 commits) HDDS-5280. Make XceiverClientManager creation when necessary in ContainerOperationClient (apache#2289) HDDS-5272. Make ozonefs.robot execution repeatable (apache#2280) HDDS-5123. Use the pre-created apache/ozone-testkrb5 image during secure acceptance tests (apache#2165) HDDS-4993. Add guardrail for reserved buffer size when DN reads a chunk (apache#2058) HDDS-4936. Change ozone groupId from org.apache.hadoop to org.apache.ozone (apache#2018) HDDS-4043. allow deletion from Trash directory without -skipTrash option (apache#2110) HDDS-4927. Determine over and under utilized datanodes in Container Balancer. (apache#2230) HDDS-5273. Handle unsecure cluster convert to secure cluster for SCM. (apache#2281) HDDS-5158. Add documentation for SCM HA Security. (apache#2205) HDDS-5275. Datanode Report Publisher publishes one extra report after DN shutdown (apache#2283) HDDS-5241. SCM UI should have leader/follower and Primordial SCM information (apache#2260) HDDS-5219. Limit number of bad volumes by dfs.datanode.failed.volumes.tolerated. (apache#2243) HDDS-5252. PipelinePlacementPolicy filter out datanodes with not enough space. (apache#2271) HDDS-5191. Increase default pvc storage size (apache#2219) HDDS-5073. Use ReplicationConfig on client side (apache#2136) HDDS-5250. Build integration tests with Maven cache (apache#2269) HDDS-5236. Require block token for more operations (apache#2254) HDDS-5266 Misspelt words in S3MultipartUploadCommitPartRequest.java line 202 (apache#2279) HDDS-5249. Race Condition between Full and Incremental Container Reports (apache#2268) HDDS-5142. Make generic streaming client/service for container re-replication, data read, scm/om snapshot download (apache#2256) ... 
Conflicts: hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolClientSideTranslatorPB.java hadoop-hdds/interface-admin/src/main/proto/ScmAdminProtocol.proto hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/MockNodeManager.java hadoop-ozone/dist/src/main/compose/testlib.sh hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto hadoop-ozone/ozone-manager/pom.xml hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java hadoop-ozone/s3gateway/pom.xml
What changes were proposed in this pull request?
Today the ozonesecure compose clusters (and ozonesecure-ha and ozonesecure-mr) use an ad hoc keytab issuer. The issuer is downloaded during image creation and uses a third-party Go application to create the keytabs on demand.
As discussed earlier, it would be faster to use a dedicated, pre-built container image which includes the pre-created keytabs instead of issuing them on the fly (keytab generation is slow, and container creation is slow).
For each of the tagged images we can export the current keytabs to hadoop-ozone/dist/src/main/compose/, which can be mounted into the compose clusters.
It makes the overall acceptance test faster (instead of creating keytabs, which is quite slow, we can start the cluster immediately). And we don't need to depend on an external utility app.
Pre-created keytabs are also more similar to production environment...
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-5123
How was this patch tested?
CI passed on my fork:
https://github.com/elek/ozone/actions/runs/763590947
The time between starting test.sh script and first robot test:
master: 3:30 (01:43:08 - 01:46:38)
this patch: 2:10 (12:59:29 - 13:02:39)
(note: there is some variance between different builds, and in general the mentioned patch build was a slower one. It can be even faster.)