Cannot write system information on Graceful Shutdown

florianMalbranque commented 3 months ago

I am running:

Trino 450
config: management.user=admin-management

access-control:

  {
    "impersonation": [
        {
            "original_user": ".*",
            "new_user": ".*"
        }
    ],
    "catalogs": [
          {
            "group": ".*",
            "allow": "all"
          }
        ],
    "procedures": [
      {
        "group": ".*",
        "catalog": ".*",
        "procedure": ".*",
        "privileges": [
        "EXECUTE"
        ]
      }
    ],
    "system_information": [
      {
        "user": ".*",
        "allow": ["read","write"]
      }
    ]
  }

When trying to run shutdown command within the worker pod:

$ curl -v -X PUT -d '"SHUTTING_DOWN"' -H "Content-type: application/json" \
    --insecure \
    http://localhost:8080/v1/info/state 
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> PUT /v1/info/state HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.76.1
> Accept: */*
> Content-type: application/json
> Content-Length: 15
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Fri, 05 Jul 2024 08:53:28 GMT
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

Logs Coordinator:

2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 680.86us
2024-07-05T08:59:19.246Z    DEBUG    http-worker-124    io.trino.security.AccessControl    Invocation of checkCanReadSystemInformation(identity=Identity{user='admin-management', groups=[admin], principal=admin-management}) succeeded in 30.41us

Logs Worker:

2024-07-05T08:53:28.164Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanSetUser(principal=Optional[admin-management], userName='admin-management') succeeded in 553.10us
2024-07-05T08:53:28.165Z    DEBUG    http-worker-104    io.trino.security.AccessControl    Invocation of checkCanWriteSystemInformation(identity=Identity{user='admin-management', principal=admin-management}) took 452.98us and failed with io.trino.spi.security.AccessDeniedException: Access Denied: Cannot write system information

I suspect a bug in system information permission handling

hashhar commented 3 months ago

Do you have the access control configs on the worker too?

florianMalbranque commented 2 months ago

@hashhar Yes

florianMalbranque commented 1 month ago

@hashhar, After double checking, helm trino chart was not deploying AC config to Workers, the above PR aims to fix it, I'll close this issue

trinodb / trino

Cannot write system information on Graceful Shutdown #22589