[ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13152679#comment-13152679 ]

jirapos...@reviews.apache.org commented on HBASE-2418:
------------------------------------------------------



bq.  On 2011-11-18 04:14:48, Andrew Purtell wrote:
bq.  > src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java, line 338
bq.  > <https://reviews.apache.org/r/2837/diff/3/?file=59201#file59201line338>
bq.  >
bq.  >     I don't see how to work around this. The code has to be recompiled against 3.3 or 3.4.
bq.  >     
bq.  >     Any ideas?
bq.  >     
bq.  >     I think we have to pull in 3.4 unconditionally.
bq.  
bq.  Lars Hofhansl wrote:
bq.      Might be a good thing anyway. 3.4 is in RC right now, would probably be GA by the time we GA 0.92. (we're meeting with Ted Dunning tomorrow - unrelated - can ask him what he thinks about it).
bq.  
bq.  Andrew Purtell wrote:
bq.      We can put in the other two patches and defer this one until 3.4 is released. Consequence would be that 3025 can be subverted if one allows direct client access to the ZK cluster.

+1 on fixing this patch so it just upgrades our zk to 3.4.  I just tried hbase 
w/ a 3.4 client and a 3.3.3 ensemble and it seems to work.  I asked Mahadev to 
be sure and he says "A 3.3.* client should be able to talk to 3.4.0 server and 
vice versa."  It's as yet unreleased but I'm pretty sure it'll be out before we 
ship -- maybe even a 3.4.1 (smile).


- Michael


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2837/#review3344
-----------------------------------------------------------


On 2011-11-17 20:58:47, Andrew Purtell wrote:
bq.  
bq.  -----------------------------------------------------------
bq.  This is an automatically generated e-mail. To reply, visit:
bq.  https://reviews.apache.org/r/2837/
bq.  -----------------------------------------------------------
bq.  
bq.  (Updated 2011-11-17 20:58:47)
bq.  
bq.  
bq.  Review request for hbase, Gary Helmling and Eugene Koontz.
bq.  
bq.  
bq.  Summary
bq.  -------
bq.  
bq.  These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).
bq.  
bq.  SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:
bq.  
bq.    Server {
bq.      com.sun.security.auth.module.Krb5LoginModule required
bq.      useKeyTab=true
bq.      keyTab="/etc/hbase/conf/hbase.keytab"
bq.      storeKey=true
bq.      useTicketCache=false
bq.      principal="zookeeper/$HOSTNAME";
bq.    };
bq.    Client {
bq.      com.sun.security.auth.module.Krb5LoginModule required
bq.      useKeyTab=true
bq.      useTicketCache=false
bq.      keyTab="/etc/hbase/conf/hbase.keytab"
bq.      principal="hbase/$HOSTNAME";
bq.    };
bq.  
bq.  and then configure both the client and server processes to use it, for example in hbase-site.xml:
bq.  
bq.    HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
bq.    HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
bq.    HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"
bq.  
bq.  HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.
bq.  
bq.  There is extraneous whitespace in code surrounding these changes.
bq.  
bq.  
bq.  This addresses bug HBASE-2418.
bq.      https://issues.apache.org/jira/browse/HBASE-2418
bq.  
bq.  
bq.  Diffs
bq.  -----
bq.  
bq.    pom.xml c74ce25 
bq.    src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java 05abeb7 
bq.    src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java bb67e53 
bq.    src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java a75cf87 
bq.    src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java f613ba9 
bq.    src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java PRE-CREATION 
bq.  
bq.  Diff: https://reviews.apache.org/r/2837/diff
bq.  
bq.  
bq.  Testing
bq.  -------
bq.  
bq.  These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.
bq.  
bq.  New unit test TestZooKeeperACL passes 100 iterations. All tests pass that are not otherwise currently failing on trunk.
bq.  
bq.  
bq.  Thanks,
bq.  
bq.  Andrew
bq.  
bq.


                
> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>             Fix For: 0.92.0
>
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that 
> more than one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the 
> client services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the 
> cluster. Say you are running HBase and Solr 
> and Neo4j, or multiple HBase instances, etc... having 
> authentication/authorization on the znodes is important for both 
> security and helping to ensure that services don't interact negatively (touch 
> each other's data).
> Today HBase does not have support for authentication or authorization. This 
> should be added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo 
> once after a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])
> with a user specific credential, often times this is a shared secret or 
> certificate. You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in 
> particular you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for 
> accessing the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes 
> (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be 
> good to discuss with some 
> potential end users - in particular regarding how the end user can specify 
> the credential.

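The two steps the issue description asks for (addAuthInfo once per session, then a non-world ACL on create) together with the world-readable exception the review request describes, as an added Java example that is not code from this thread or from the HBASE-2418 patch. It uses ZooKeeper's built-in "digest" scheme so it runs against a plain local ensemble; under the SASL/JAAS setup quoted above the 3.4 client authenticates by itself and the owner Id would be the SASL principal (with the removeHost/removeRealm flags, simply "hbase") instead. The ensemble address, the znode paths and the secret are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

public class ZnodeAclDemo {
    // Constructed placeholders: a local ensemble and a user:password shared secret.
    static final String ENSEMBLE = "localhost:2181";
    static final String SECRET = "hbase:example-secret";
    static final Watcher NOOP = new Watcher() { public void process(WatchedEvent e) { } };
    // ACLs in the two shapes the patch uses: owner-only, or owner-writable plus
    // world-readable for the few znodes clients need to look up region locations.
    static List<ACL> aclsFor(String secret, boolean worldReadable) throws Exception {
        List<ACL> acls = new ArrayList<ACL>();
        // A digest Id holds user:base64(sha1(user:password)), never the secret itself.
        Id owner = new Id("digest", DigestAuthenticationProvider.generateDigest(secret));
        acls.add(new ACL(ZooDefs.Perms.ALL, owner));
        if (worldReadable) {
            acls.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
        }
        return acls;
    }
    // True if this session may read the znode, false if the server answers NoAuth.
    static boolean canRead(ZooKeeper zk, String path) throws Exception {
        try { zk.getData(path, false, null); return true; }
        catch (KeeperException.NoAuthException e) { return false; }
    }
    public static void main(String[] args) throws Exception {
        ZooKeeper owner = new ZooKeeper(ENSEMBLE, 30000, NOOP);
        // Step one: present the credential once after the session is established.
        owner.addAuthInfo("digest", SECRET.getBytes("UTF-8"));
        // Step two: create with a non-world ACL; only the lookup znode is readable by anyone.
        owner.create("/demo-internal", new byte[0], aclsFor(SECRET, false), CreateMode.PERSISTENT);
        owner.create("/demo-locations", "rs1:60020".getBytes("UTF-8"),
                     aclsFor(SECRET, true), CreateMode.PERSISTENT);
        // A second session that never calls addAuthInfo stands in for another tenant.
        ZooKeeper tenant = new ZooKeeper(ENSEMBLE, 30000, NOOP);
        System.out.println("tenant reads internal:  " + canRead(tenant, "/demo-internal"));
        System.out.println("tenant reads locations: " + canRead(tenant, "/demo-locations"));
        owner.delete("/demo-internal", -1); owner.delete("/demo-locations", -1);
        tenant.close(); owner.close();
    }
}
```

Run it against a standalone ZooKeeper 3.4 server with a default (open) ACL on the root; the tenant session is denied the owner-only znode but can read the world-readable one.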
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
