[jira] [Commented] (BOOKKEEPER-390) Provide support for ZooKeeper authentication

Wed, 28 Sep 2016 03:06:43 -0700 

    [ 
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529156#comment-15529156
 ] 

Enrico Olivelli commented on BOOKKEEPER-390:
--------------------------------------------

I'm using SASL-Kerberos auth on ZooKeeper

My primary issue to to change every  ZooDefs.Ids.OPEN_ACL_UNSAFE ACL with 
ZooDefs.Ids.CREATOR_ALL_ACL, both in client side code and in Bookie code

Using that simple ACL in conjunction with this almost "standard" configuration 
of ZooKeeper
{code}
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
{code}

gives the ability to use the same "user" on each machine and create a network 
of authenticated services (Bookies + Clients) which can work on BookKeeper

What do you think ?

> Provide support for ZooKeeper authentication
> --------------------------------------------
>
>                 Key: BOOKKEEPER-390
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>    Affects Versions: 4.0.0
>            Reporter: Rakesh R
>            Assignee: Rakesh R
>         Attachments: BOOKKEEPER-390-Acl-draftversion.patch, 
> BOOKKEEPER-390-Authentication-interfaces-draftversion.patch
>
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a 
> multi-tenant ZooKeeper cluster.
> Use case: When user tries to run a ZK cluster in multitenant mode,  where 
> more than one client service would like to share a single ZK service instance 
> (cluster). In this case the client services typically want to protect their 
> data (ZK znodes) from access by other services (tenants) on the cluster. Say 
> you are running BK, HBase or ZKFC instances, etc... having 
> authentication/authorization on the znodes is important for both security and 
> helping to ensure that services don't interact negatively (touch each other's 
> data).
> Presently Bookkeeper does not have support for authentication or 
> authorization while accessing to ZK. This should be added to the BK 
> clients/server that are accessing the ZK cluster. In general it means calling 
> addAuthInfo once after a session is established



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to