[ https://issues.apache.org/jira/browse/HADOOP-8215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated HADOOP-8215:
--------------------------------

    Attachment: hadoop-8215.txt

Attached patch implements the above. Here's a summary of changes:
- The ZKFC provides a new hook {{loginAsFCUser}} which implementations should 
implement for keytab login. The DFS implementation implements this by logging 
in using the NameNode keytab and credentials.
- Refactored some of the code in DFSHAAdmin into a static method to set up the 
protocol principal information. This code is now called by 
DFSZKFailoverController.setConf as well.
- Adds {{ha.zookeeper.acl}} and {{ha.zookeeper.auth}} configurations. These 
configs specify the ACL used for the znodes, and the authentications added when 
connecting to ZooKeeper. The format is the same as is used in the ZK shell. 
Additionally, the config values may be specified as "@/path/to/file" which 
allows an indirection. This is important when using digest-based authentication 
so as to avoid leaking the secret password via the /conf servlet, etc.
- The ZK auth and acl parsing is in a new file called HAZKUtil. If we start 
using ZK for other purposes in Hadoop, we could rename it to HadoopZKUtil or 
something -- nothing HA-specific in here.

Note that a few of the RPC-related changes here are duplicate with HADOOP-8243. 
I'll resolve that during the merge when necessary.

I also ran through some manual tests with a secure HDFS cluster and the ZKFC 
and it seemed to work. That was on an earlier version of the patch. I'll 
re-test with the latest patch before committing.
                
> Security support for ZK Failover controller
> -------------------------------------------
>
>                 Key: HADOOP-8215
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8215
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: auto-failover, ha
>    Affects Versions: 0.23.3, 0.24.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
>         Attachments: hadoop-8215.txt
>
>
> To keep the initial patches manageable, kerberos security is not currently 
> supported in the ZKFC implementation. This JIRA is to support the following 
> important pieces for security:
> - integrate with ZK authentication (kerberos or password-based)
> - allow the user to configure ACLs for the relevant znodes
> - add keytab configuration and login to the ZKFC daemons
> - ensure that the RPCs made by the health monitor and failover controller 
> properly authenticate to the target daemons
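The parsing the comment above describes, written out as an added Python example (this is not the attached patch and not Hadoop's HAZKUtil): ZK-shell-style `scheme:id:perms` ACL strings and `scheme:auth` auth strings, plus the "@/path/to/file" indirection that keeps a digest secret out of the config. The refusal of group/other-readable secret files and the `zkfcs` names are assumptions of this example, not something the patch states.

```python
import os
import stat
import tempfile

ZK_PERM_CHARS = set("crwda")  # create, read, write, delete, admin (ZK shell letters)

def resolve_indirection(value: str) -> str:
    """Expand '@/path': read the value from a file so a digest secret never sits in the
    config (and so never reaches the /conf servlet). Refuses loosely-permissioned files."""
    value = value.strip()
    if not value.startswith("@"):
        return value
    path = value[1:]
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(f"{path} is group/other readable; expected mode 0600")
    with open(path, encoding="utf-8") as f:
        return f.read().strip()

def _entries(value: str) -> list[str]:
    return [e.strip() for e in resolve_indirection(value).split(",") if e.strip()]

def parse_acls(value: str) -> list[tuple[str, str, str]]:
    """'scheme:id:perms,...' -> (scheme, id, perms); the id may itself contain ':'
    (digest ids are user:hash), so split at the first and at the last colon."""
    acls = []
    for entry in _entries(value):
        scheme, _, rest = entry.partition(":")
        ident, sep, perms = rest.rpartition(":")
        if not (scheme and sep and perms) or not set(perms) <= ZK_PERM_CHARS:
            raise ValueError(f"bad ACL entry: {entry!r}")
        acls.append((scheme, ident, perms))
    return acls

def parse_auths(value: str) -> list[tuple[str, bytes]]:
    """'scheme:auth,...' -> (scheme, bytes) pairs as ZooKeeper.addAuthInfo takes them.
    Only the first colon splits, because a digest auth is itself 'user:password'."""
    auths = []
    for entry in _entries(value):
        scheme, sep, auth = entry.partition(":")
        if not (scheme and sep and auth):
            raise ValueError(f"bad auth entry: {entry!r}")
        auths.append((scheme, auth.encode("utf-8")))
    return auths

def demo_file_indirection() -> list[tuple[str, bytes]]:
    """Constructed example: a digest secret kept in a 0600 file, referenced as '@/path'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "zk-auth")
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "w") as f:
            f.write("digest:zkfcs:example-password\n")  # constructed, not a real secret
        return parse_auths("@" + path)
```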
