[ https://issues.apache.org/jira/browse/HADOOP-8215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13244875#comment-13244875 ]
Todd Lipcon commented on HADOOP-8215:
-------------------------------------

Because coverage of security is hard to automate, I performed the following manual test steps to verify this patch on a secure cluster:

- Set up two NNs with kerberos security enabled
- Use ZK command line to generate digest credentials:
{code}
todd@todd-w510:~/releases/zookeeper-3.4.1-cdh4b1$ java -cp lib/*:zookeeper-3.4.1-cdh4b1.jar org.apache.zookeeper.server.auth.DigestAuthenticationProvider foo:testing
foo:testing->foo:vlUvLnd8MlacsE80rDuu6ONESbM=
{code}
Add these to the HDFS configuration:
{code}
<property>
  <name>ha.zookeeper.acl</name>
  <value>digest:foo:vlUvLnd8MlacsE80rDuu6ONESbM=:rwcda</value>
</property>
<property>
  <name>ha.zookeeper.auth</name>
  <value>digest:foo:testing</value>
</property>
{code}
- Run bin/hdfs zkfc -formatZK
- Run bin/hdfs zkfc for each NN
- Run bin/hdfs namenode for each NN
- Verify that one of the NNs becomes active. Kill that NN. Verify that the other NN becomes active within a few seconds.
- Verify authentication results in the NN logs:
{code}
12/04/02 17:25:22 INFO authorize.ServiceAuthorizationManager: Authorization successfull for hdfs-todd/todd-w...@hadoop.com (auth:KERBEROS) for protocol=interface org.apache.hadoop.ha.HAServiceProtocol
{code}
- Use ZK CLI to verify the acls:
{code}
[zk: localhost:2181(CONNECTED) 1] addauth digest foo:testing
[zk: localhost:2181(CONNECTED) 2] ls /hadoop-ha
[ActiveBreadCrumb, ActiveStandbyElectorLock]
[zk: localhost:2181(CONNECTED) 3] getAcl /hadoop-ha
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /hadoop-ha/ActiveBreadCrumb
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
{code}
- Shut down nodes, replace configuration with indirect version:
{code}
<property>
  <name>ha.zookeeper.acl</name>
  <value>@/home/todd/confs/devconf.ha.common/zk-acl.txt</value>
</property>
<property>
  <name>ha.zookeeper.auth</name>
  <value>@/home/todd/confs/devconf.ha.common/zk-auth.txt</value>
</property>
{code}
and move the actual values to the files as specified above
- Restart ZKFCs, verify that the ACLs are still being correctly used
- chmod 000 the ACL data so it's no longer readable, try to restart one of the ZKFCs, verify error:
{code}
Exception in thread "main" java.io.FileNotFoundException: /home/todd/confs/devconf.ha.common/zk-acl.txt (Permission denied)
{code}

> Security support for ZK Failover controller
> -------------------------------------------
>
> Key: HADOOP-8215
> URL: https://issues.apache.org/jira/browse/HADOOP-8215
> Project: Hadoop Common
> Issue Type: Improvement
> Components: auto-failover, ha
> Affects Versions: 0.23.3, 0.24.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Critical
> Attachments: hadoop-8215.txt
>
>
> To keep the initial patches manageable, kerberos security is not currently
> supported in the ZKFC implementation.
> This JIRA is to support the following
> important pieces for security:
> - integrate with ZK authentication (kerberos or password-based)
> - allow the user to configure ACLs for the relevant znodes
> - add keytab configuration and login to the ZKFC daemons
> - ensure that the RPCs made by the health monitor and failover controller
> properly authenticate to the target daemons
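
The manual steps in the comment above depend on the `ha.zookeeper.auth` credential hashing to the id stored in `ha.zookeeper.acl`, and on the `@file` indirection pointing at a readable file. The following Python check is an added example, not part of the original comment or the Hadoop patch; the function names, the comma-separated list handling and the file-permission rule are assumptions made for illustration.

```python
import base64
import hashlib
import os
import stat


def zk_digest(id_password):
    """'user:password' -> 'user:base64(sha1(user:password))' as stored in digest ACLs."""
    user = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")


def resolve(value):
    """Follow the '@/path' indirection; return (text, path or None)."""
    if value.startswith("@"):
        with open(value[1:], encoding="utf-8") as fh:
            return fh.read().strip(), value[1:]
    return value.strip(), None


def check_zk_security(acl_value, auth_value):
    """Return findings for an ha.zookeeper.acl / ha.zookeeper.auth pair."""
    findings = []
    acl_text, _ = resolve(acl_value)
    auth_text, auth_path = resolve(auth_value)
    # Assumption: the auth file holds a plaintext password, so any
    # group/other permission bit on it is reported.
    if auth_path and stat.S_IMODE(os.stat(auth_path).st_mode) & 0o077:
        findings.append("auth file accessible to group/other: " + auth_path)
    # Digest ids the daemon can authenticate as, e.g. 'digest:foo:testing'.
    own_ids = set()
    for entry in filter(None, auth_text.split(",")):
        scheme, _, secret = entry.strip().partition(":")
        if scheme == "digest":
            own_ids.add(zk_digest(secret))
    # ACL entries have the form scheme:id:perms; the digest id contains ':'.
    for entry in filter(None, acl_text.split(",")):
        scheme, _, rest = entry.strip().partition(":")
        ident = rest.rpartition(":")[0]
        if scheme == "digest" and ident not in own_ids:
            findings.append("no configured credential matches ACL id " + ident)
    return findings


if __name__ == "__main__":
    # ACL and credential values are the ones shown in the comment above.
    acl = "digest:foo:vlUvLnd8MlacsE80rDuu6ONESbM=:rwcda"
    print(zk_digest("foo:testing"))
    print(check_zk_security(acl, "digest:foo:testing"))
    print(check_zk_security(acl, "digest:foo:typo"))  # constructed mismatch
```

An empty list means every digest ACL entry has a matching configured credential, so the ZKFC will be able to use the znodes it creates.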