hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Lipcon (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8215) Security support for ZK Failover controller
Date Tue, 03 Apr 2012 00:31:23 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13244875#comment-13244875
] 

Todd Lipcon commented on HADOOP-8215:
-------------------------------------

Because coverage of security is hard to automate, I performed the following manual test steps
to verify this patch on a secure cluster:

- Set up two NNs with kerberos security enabled
- Use ZK command line to generate digest credentials:
{code}
todd@todd-w510:~/releases/zookeeper-3.4.1-cdh4b1$ java -cp lib/*:zookeeper-3.4.1-cdh4b1.jar
org.apache.zookeeper.server.auth.DigestAuthenticationProvider foo:testing
foo:testing->foo:vlUvLnd8MlacsE80rDuu6ONESbM=
{code}

Add these two the HDFS configuration:
{code}
 <property>
   <name>ha.zookeeper.acl</name>
   <value>digest:foo:vlUvLnd8MlacsE80rDuu6ONESbM=:rwcda</value>
 </property>
 <property>
   <name>ha.zookeeper.auth</name>
   <value>digest:foo:testing</value>
 </property>
{code}

- Run bin/hdfs zkfc -formatZK
- Run bin/hdfs zkfc for each NN
- Run bin/hdfs namenode for each NN
- Verify that one of the NNs becomes active. Kill that NN. Verify that the other NN becomes
active within a few seconds.
- Verify authentication results in the NN logs:
{code}
12/04/02 17:25:22 INFO authorize.ServiceAuthorizationManager: Authorization successfull for
hdfs-todd/todd-w510@HADOOP.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.ha.HAServiceProtocol
{code}

- Use ZK CLI to verify the acls:
{code}
[zk: localhost:2181(CONNECTED) 1] addauth digest foo:testing
[zk: localhost:2181(CONNECTED) 2] ls /hadoop-ha
[ActiveBreadCrumb, ActiveStandbyElectorLock]
[zk: localhost:2181(CONNECTED) 3] getAcl /hadoop-ha
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /hadoop-ha/ActiveBreadCrumb
'digest,'foo:vlUvLnd8MlacsE80rDuu6ONESbM=
: cdrwa
{code}

- Shut down nodes, replace configuration with indirect version:
{code}
 <property>
   <name>ha.zookeeper.acl</name>
   <value>@/home/todd/confs/devconf.ha.common/zk-acl.txt</value>
 </property>
 <property>
   <name>ha.zookeeper.auth</name>
   <value>@/home/todd/confs/devconf.ha.common/zk-auth.txt</value>
 </property>
{code}
and move the actual values to the files as specified above

- Restart ZKFCs, verify that the ACLs are still being correctly used
- chmod 000 the ACL data so it's no longer readable, try to restart one of the ZKFCs, verify
error:
{code}
Exception in thread "main" java.io.FileNotFoundException: /home/todd/confs/devconf.ha.common/zk-acl.txt
(Permission denied)
{code}
                
> Security support for ZK Failover controller
> -------------------------------------------
>
>                 Key: HADOOP-8215
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8215
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: auto-failover, ha
>    Affects Versions: 0.23.3, 0.24.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
>         Attachments: hadoop-8215.txt
>
>
> To keep the initial patches manageable, kerberos security is not currently supported
in the ZKFC implementation. This JIRA is to support the following important pieces for security:
> - integrate with ZK authentication (kerberos or password-based)
> - allow the user to configure ACLs for the relevant znodes
> - add keytab configuration and login to the ZKFC daemons
> - ensure that the RPCs made by the health monitor and failover controller properly authenticate
to the target daemons

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message