wForget opened a new issue #1204:
URL: https://github.com/apache/incubator-kyuubi/issues/1204


   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   
   
   ### Search before asking
   
   - [X] I have searched in the [issues](https://github.com/apache/incubator-kyuubi/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Describe the feature
   
   Support ZooKeeper SASL Kerberos authentication of engine and more ZooKeeper ACL Schemes.
   
   ### Motivation
   
   _No response_
   
   ### Describe the solution
   
   ZooKeeper supports several types of ACL Schemes; two typical ones are described below.
   
   1. Support ACLs of the SASL Kerberos type
   
       Example node ACLs:
   
       ```
       'world,'anyone
       : r
       'sasl,'test
       : cdrwa
       ```
   
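       Planned configuration:
   
       ```
       kyuubi.ha.zookeeper.acl.enabled=true
       # use SASL Kerberos authentication
       kyuubi.ha.zookeeper.auth.sasl.kerberos=true
       
       # Kerberos-related configuration is also required
       ```
   
       Other changes:
       + When the Engine runs in Yarn Cluster mode, upload the keytab file via --file and access the keytab file through a relative path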
   
   2. Support ACLs of the Digest type
   
       Example node ACLs:
   
       ```
       'world,'anyone
       : r
       'digest,'test:V28q/NynI4JI3Rk54h0r8O5kMug=
       : cdrwa
       ```
   
       Planned configuration:
   
       ```
       kyuubi.ha.zookeeper.acl.enabled=true
       # authenticate with an auth string, format: scheme:expression:perms
       kyuubi.ha.zookeeper.auth=digest:test:test
       ```
   
       Other changes:
       + Parse the kyuubi.ha.zookeeper.auth configuration into an AuthInfo object and add the authentication through the CuratorFrameworkFactory.Builder#authorization method
   
   References:
   + [ZooKeeper access control using ACLs](http://zookeeper.apache.org/doc/r3.7.0/zookeeperProgrammers.html#sc_ZooKeeperAccessControl)
   + [ZooKeeper and SASL](https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL)
   + [zookeeper (client-server authentication - SASL configuration)](https://www.liangzl.com/get-article-detail-167111.html)
   
   
   ### Additional context
   
   I don’t have a deep understanding of the Zookeeper authentication mechanism. If you have any questions, please point them out.
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
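
Added example, not part of the original issue or of Kyuubi's code: how the `digest:test:test` auth string from the Digest proposal relates to the `'digest,'test:V28q/...` id in the node ACL, using ZooKeeper's digest scheme (id = user:base64(sha1("user:password"))). The names `AuthInfo`, `parse_auth`, `digest_acl_id` and `acl_matches` are hypothetical; `AuthInfo` here is a plain tuple standing in for the Curator class the issue mentions.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple


class AuthInfo(NamedTuple):
    """Hypothetical stand-in for the (scheme, auth bytes) pair a client submits."""
    scheme: str
    auth: bytes


def parse_auth(value: str) -> AuthInfo:
    """Split an auth string such as 'digest:test:test' at the first ':' only,
    so the remainder (which may itself contain ':') is passed through intact."""
    scheme, sep, rest = value.partition(":")
    if not sep or not scheme or not rest:
        # The value is deliberately not echoed: it contains the password.
        raise ValueError("expected scheme:auth")
    return AuthInfo(scheme, rest.encode("utf-8"))


def digest_acl_id(user_password: bytes) -> str:
    """Digest-scheme ACL id: user:base64(sha1(b'user:password'))."""
    user, sep, _ = user_password.partition(b":")
    if not sep or not user:
        raise ValueError("digest auth must be user:password")
    hashed = base64.b64encode(hashlib.sha1(user_password).digest())
    return user.decode("utf-8") + ":" + hashed.decode("ascii")


def acl_matches(auth_value: str, acl_id: str) -> bool:
    """True if the configured auth string satisfies a 'digest' ACL id."""
    info = parse_auth(auth_value)
    if info.scheme != "digest":
        return False
    expected = digest_acl_id(info.auth).encode("utf-8")
    return hmac.compare_digest(expected, acl_id.encode("utf-8"))


if __name__ == "__main__":
    # Values taken from the issue's Digest example.
    print(digest_acl_id(parse_auth("digest:test:test").auth))
    print(acl_matches("digest:test:test", "test:V28q/NynI4JI3Rk54h0r8O5kMug="))
```

The ACL id is an unsalted SHA-1 of user:password and the auth string carries the password in clear, so the configuration file holding it needs the same protection as a keytab.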
