We've been mumbling about making the authentication system more pluggable. Right now one of the standing issues is that the credentials needed to perform actions are a bit tightly woven with the ZKAuthenticator. These need to be segregated better before more progress can be made to allow more authenticators.
John

----- Original Message -----
| From: "Eric Newton" <[email protected]>
| To: [email protected]
| Sent: Thursday, January 5, 2012 9:27:18 AM
| Subject: Re: zookeeper ACL issues
|
| The contents of the user node are the 8-byte salt and salted SHA-256 of the
| user's password. I don't believe there's any encoding: it's just raw bytes.
|
| We have not done anything to extend the authentication system, yet.
| Hopefully we'll be able to leverage the tools now being released for the
| rest of the Hadoop infrastructure.
|
| -Eric
|
|
| On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[email protected]> wrote:
|
| > That worked for the CLI. What is the data in there? base64 encoding of the
| > password?
| >
| > Have you heard of anyone trying to implement an OAuth style authentication
| > for the Authenticator? I was thinking I would have to put in a whole layer
| > that talked to ZK directly for authentication, but perhaps not.
| >
| > thanks for help.
| >
| > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[email protected]> wrote:
| >
| > > In fact, that's why there is an abstraction for the Authenticator,
| > > hopefully you can replace it with one of your own.
| > >
| > > However, here's the trick for reading the data
| > >
| > > zkCli > addauth digest accumulo:DEFAULT
| > >
| > > If you have changed the value of "instance.secret" in accumulo-site.xml,
| > > you need to use that value in order to read what is in the node.
| > >
| > > The data there is binary, so you'll need to write some java code to decode
| > > it... if your process can read accumulo-site.xml, you can use
| > > ZooReaderWriter to pull the data out: it will always set the additional
| > > auth flags to be able to read those nodes.
| > >
| > > Let me know if this doesn't make sense, and I can provide more details.
| > >
| > > -Eric
| > >
| > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[email protected]> wrote:
| > >
| > > > Hey,
| > > >
| > > > I've been poking at security features of Accumulo, specifically the
| > > > user/password stuff in Zookeeper. I was wondering if it would be possible
| > > > to abstract away the zookeeper ACL authentication, so we could deploy with
| > > > our own instead of using the "digest" ACL stuff in zookeeper. I looked at
| > > > doing this but got lost a bit in the innards of how Accumulo authenticates
| > > > the znodes. Can anyone provide me some guidance? Specifically, it would be
| > > > useful to know what to do to be able to do an ls of the
| > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
| > > >
| > > > Thanks,
| > > > Jim
| > > >
| > >
| >
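The user-node layout Eric describes (an 8-byte salt followed by the salted SHA-256 of the password, stored as raw bytes) as an added example of how a custom Authenticator would build and verify such a node. This is not code from the thread or from Accumulo itself, and the order in which password and salt are concatenated before hashing is an assumption, since the thread does not state it; the blob is only readable from ZooKeeper after the `addauth digest accumulo:<instance.secret>` step above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LENGTH = 8     # per the thread: an 8-byte salt leads the node contents
DIGEST_LENGTH = 32  # SHA-256 output size


def create_user_node(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build the raw bytes stored under /accumulo/<instance>/users/<user>.

    Layout per the thread: salt (8 bytes) || SHA-256(salted password).
    Assumption (not stated in the thread): the digest is taken over
    password || salt, in that order.
    """
    if salt is None:
        salt = os.urandom(SALT_LENGTH)
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be exactly %d bytes" % SALT_LENGTH)
    digest = hashlib.sha256(password + salt).digest()
    return salt + digest


def parse_user_node(blob: bytes) -> Tuple[bytes, bytes]:
    """Split node contents into (salt, digest); reject malformed lengths."""
    if len(blob) != SALT_LENGTH + DIGEST_LENGTH:
        raise ValueError("unexpected node length %d, expected %d"
                         % (len(blob), SALT_LENGTH + DIGEST_LENGTH))
    return blob[:SALT_LENGTH], blob[SALT_LENGTH:]


def verify_password(blob: bytes, candidate: bytes) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    salt, stored = parse_user_node(blob)
    computed = hashlib.sha256(candidate + salt).digest()
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the node bytes are reproducible.
    node = create_user_node(b"s3cret", salt=bytes(range(8)))
    print(node.hex())
    print(verify_password(node, b"s3cret"), verify_password(node, b"wrong"))
```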
