[jira] [Commented] (HBASE-2418) add support for ZooKeeper authentication

Mikhail Bautin (Commented) (JIRA) Mon, 21 Nov 2011 01:45:19 -0800

    [ 
https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13154088#comment-13154088
 ]


Mikhail Bautin commented on HBASE-2418:
---------------------------------------

I just saw this regionserver crash in my five-node, three-RS cluster test. 
Since this is a ZK-related patch that went in recently, I am attaching the 
stack trace here just in case.

2011-11-21 01:30:15,188 FATAL 
org.apache.hadoop.hbase.regionserver.HRegionServer: ABORTING region server 
<machine_name>,60020,1321867814890: Initialization of RS failed.  Hence 
aborting RS.
java.util.ConcurrentModificationException
        at java.util.Hashtable$Enumerator.next(Hashtable.java:1031)
        at 
org.apache.hadoop.conf.Configuration.iterator(Configuration.java:1042)
        at 
org.apache.hadoop.hbase.zookeeper.ZKConfig.makeZKProps(ZKConfig.java:75)
        at 
org.apache.hadoop.hbase.zookeeper.ZKConfig.getZKQuorumServersString(ZKConfig.java:245)
        at 
org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:144)
        at 
org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:124)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getZooKeeperWatcher(HConnectionManager.java:1262)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.setupZookeeperTrackers(HConnectionManager.java:568)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.<init>(HConnectionManager.java:559)
        at 
org.apache.hadoop.hbase.client.HConnectionManager.getConnection(HConnectionManager.java:183)
        at 
org.apache.hadoop.hbase.catalog.CatalogTracker.<init>(CatalogTracker.java:177)
        at 
org.apache.hadoop.hbase.regionserver.HRegionServer.initializeZooKeeper(HRegionServer.java:575)
        at 
org.apache.hadoop.hbase.regionserver.HRegionServer.preRegistrationInitialization(HRegionServer.java:534)
        at 
org.apache.hadoop.hbase.regionserver.HRegionServer.run(HRegionServer.java:642)
        at java.lang.Thread.run(Thread.java:619)

                
> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>             Fix For: 0.92.0, 0.94.0
>
>         Attachments: 2418.addendum, HBASE-2418-6.patch, HBASE-2418-6.patch
>
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that 
> more than one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the 
> client services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the 
> cluster. Say you are running HBase and Solr 
> and Neo4j, or multiple HBase instances, etc... having 
> authentication/authorization on the znodes is important for both 
> security and helping to ensure that services don't interact negatively (touch 
> each other's data).
> Today HBase does not have support for authentication or authorization. This 
> should be added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo 
> once after a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String,
>  byte[])
> with a user specific credential, often times this is a shared secret or 
> certificate. You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in 
> particular you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for 
> accessing the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes 
> (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be 
> good to discuss with some 
> potential end users - in particular regarding how the end user can specify 
> the credential.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (HBASE-2418) add support for ZooKeeper authentication

Reply via email to