Cannot write system information on Graceful Shutdown #22589

Closed
florianMalbranque opened this issue Jul 5, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@florianMalbranque
Member

I am running:

  • Trino 450
  • config: management.user=admin-management
  • access-control:
      {
        "impersonation": [
          {
            "original_user": ".*",
            "new_user": ".*"
          }
        ],
        "catalogs": [
          {
            "group": ".*",
            "allow": "all"
          }
        ],
        "procedures": [
          {
            "group": ".*",
            "catalog": ".*",
            "procedure": ".*",
            "privileges": [
              "EXECUTE"
            ]
          }
        ],
        "system_information": [
          {
            "user": ".*",
            "allow": ["read", "write"]
          }
        ]
      }

When trying to run the shutdown command within the worker pod:

$ curl -v -X PUT -d '"SHUTTING_DOWN"' -H "Content-type: application/json" \
    --insecure \
    https://localhost:8080/v1/info/state 
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> PUT /v1/info/state HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.76.1
> Accept: */*
> Content-type: application/json
> Content-Length: 15
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Fri, 05 Jul 2024 08:53:28 GMT
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

Logs Coordinator:

2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 680.86us
2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanReadSystemInformation(identity=Identity{user='admin-management', groups=[admin], principal=admin-management}) succeeded in 30.41us

Logs Worker:

2024-07-05T08:53:28.164Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 553.10us
2024-07-05T08:53:28.165Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanWriteSystemInformation(identity=Identity{user='admin-management', principal=admin-management}) took 452.98us and failed with io.trino.spi.security.AccessDeniedException: Access Denied: Cannot write system information

I suspect a bug in system information permission handling.

florianMalbranque added the bug (Something isn't working) label Jul 5, 2024
florianMalbranque changed the title from "Cannot write system information Graceful Shutdown" to "Cannot write system information on Graceful Shutdown" Jul 5, 2024

@hashhar
Member

hashhar commented Jul 8, 2024

Do you have the access control configs on the worker too?

@florianMalbranque
Member Author

@hashhar Yes

@florianMalbranque
Member Author

@hashhar, after double-checking, the helm trino chart was not deploying the AC config to Workers.
The above PR aims to fix it; I'll close this issue.
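
The mismatch this thread ends on can be checked mechanically. The sketch below is an added example, not code from Trino or the Helm chart: it evaluates the `system_information` rules from the issue against the `AccessControl` DEBUG lines of each node and reports checks whose logged outcome contradicts the rules file, which points at a node that is not loading that file. The function names are hypothetical, and the rule model (first matching rule decides, the user regex must match the whole name, no rule or no match denies) is a simplifying assumption.

```python
import json
import re

# system_information section copied from the access-control file in the issue.
RULES = json.loads('{"system_information": [{"user": ".*", "allow": ["read", "write"]}]}')

# DEBUG lines copied from the issue: coordinator first, then worker.
COORDINATOR_LOG = """\
2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 680.86us
2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanReadSystemInformation(identity=Identity{user='admin-management', groups=[admin], principal=admin-management}) succeeded in 30.41us
"""
WORKER_LOG = """\
2024-07-05T08:53:28.164Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 553.10us
2024-07-05T08:53:28.165Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanWriteSystemInformation(identity=Identity{user='admin-management', principal=admin-management}) took 452.98us and failed with io.trino.spi.security.AccessDeniedException: Access Denied: Cannot write system information
"""

MODES = {"checkCanReadSystemInformation": "read",
         "checkCanWriteSystemInformation": "write"}

# Matches identity-based checks; "failed" is set only on denied invocations.
LINE_RE = re.compile(
    r"Invocation of (?P<check>checkCan\w+)\(identity=Identity\{user='(?P<user>[^']+)'"
    r".*?\}\) (?:succeeded|took \S+ and (?P<failed>failed))")


def system_information_allowed(rules, user, mode):
    """Assumed model: first matching rule decides; no rule or no match denies."""
    for rule in rules.get("system_information", []):
        if re.fullmatch(rule.get("user", ".*"), user):
            return mode in rule.get("allow", [])
    return False


def observed_decisions(log_text):
    """Return (check, user, allowed) for each identity-based AccessControl line."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [(m["check"], m["user"], m["failed"] is None) for m in matches if m]


def config_drift(rules, log_text):
    """Checks whose logged outcome differs from what the rules file would decide."""
    return [(check, user)
            for check, user, allowed in observed_decisions(log_text)
            if check in MODES
            and system_information_allowed(rules, user, MODES[check]) != allowed]


if __name__ == "__main__":
    for node, log in (("coordinator", COORDINATOR_LOG), ("worker", WORKER_LOG)):
        print(node, config_drift(RULES, log))
```

A non-empty result for a node means its decisions do not come from the rules file being evaluated, so the next step is to confirm which access control configuration that node actually loaded.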
