[
https://issues.apache.org/jira/browse/HADOOP-8215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13244875#comment-13244875
]
Todd Lipcon commented on HADOOP-8215:
-------------------------------------
Because coverage of security is hard to automate, I performed the following
manual test steps to verify this patch on a secure cluster:
- Set up two NNs with kerberos security enabled
- Use ZK command line to generate digest credentials:
{code}
todd@todd-w510:~/releases/zookeeper-3.4.1-cdh4b1$ java -cp
lib/*:zookeeper-3.4.1-cdh4b1.jar
org.apache.zookeeper.server.auth.DigestAuthenticationProvider foo:testing
foo:testing->foo:vlUvLnd8MlacsE80rDuu6ONESbM=
{code}
Add these two the HDFS configuration:
{code}
<property>
<name>ha.zookeeper.acl</name>
<value>digest:foo:vlUvLnd8MlacsE80rDuu6ONESbM=:rwcda</value>
</property>
<property>
<name>ha.zookeeper.auth</name>
<value>digest:foo:testing</value>
</property>
{code}
- Run bin/hdfs zkfc -formatZK
- Run bin/hdfs zkfc for each NN
- Run bin/hdfs namenode for each NN
- Verify that one of the NNs becomes active. Kill that NN. Verify that the
other NN becomes active within a few seconds.
- Verify authentication results in the NN logs:
{code}
12/04/02 17:25:22 INFO authorize.ServiceAuthorizationManager: Authorization
successfull for hdfs-todd/todd-w...@hadoop.com (auth:KERBEROS) for
protocol=interface org.apache.hadoop.ha.HAServiceProtocol
{code}
- Use ZK CLI to verify the acls:
{code}
[zk: localhost:2181(CONNECTED) 1] addauth digest foo:testing
[zk: localhost:2181(CONNECTED) 2] ls /hadoop-ha
[ActiveBreadCrumb, ActiveStandbyElectorLock]
[zk: localhost:2181(CONNECTED) 3] getAcl /hadoop-ha
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /hadoop-ha/ActiveBreadCrumb
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
{code}
- Shut down nodes, replace configuration with indirect version:
{code}
<property>
<name>ha.zookeeper.acl</name>
<value>@/home/todd/confs/devconf.ha.common/zk-acl.txt</value>
</property>
<property>
<name>ha.zookeeper.auth</name>
<value>@/home/todd/confs/devconf.ha.common/zk-auth.txt</value>
</property>
{code}
and move the actual values to the files as specified above
- Restart ZKFCs, verify that the ACLs are still being correctly used
- chmod 000 the ACL data so it's no longer readable, try to restart one of the
ZKFCs, verify error:
{code}
Exception in thread "main" java.io.FileNotFoundException:
/home/todd/confs/devconf.ha.common/zk-acl.txt (Permission denied)
{code}
> Security support for ZK Failover controller
> -------------------------------------------
>
> Key: HADOOP-8215
> URL: https://issues.apache.org/jira/browse/HADOOP-8215
> Project: Hadoop Common
> Issue Type: Improvement
> Components: auto-failover, ha
> Affects Versions: 0.23.3, 0.24.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Critical
> Attachments: hadoop-8215.txt
>
>
> To keep the initial patches manageable, kerberos security is not currently
> supported in the ZKFC implementation. This JIRA is to support the following
> important pieces for security:
> - integrate with ZK authentication (kerberos or password-based)
> - allow the user to configure ACLs for the relevant znodes
> - add keytab configuration and login to the ZKFC daemons
> - ensure that the RPCs made by the health monitor and failover controller
> properly authenticate to the target daemons
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
