hadoop-common-issues mailing list archives

From "Todd Lipcon (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-8215) Security support for ZK Failover controller
Date Tue, 03 Apr 2012 00:15:24 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-8215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Todd Lipcon updated HADOOP-8215:

    Attachment: hadoop-8215.txt

Attached patch implements the above. Here's a summary of changes:
- The ZKFC provides a new hook {{loginAsFCUser}} which implementations should implement for keytab login. The DFS implementation implements this by logging in using the NameNode keytab and credentials.
- Refactored some of the code in DFSHAAdmin into a static method to set up the protocol principal information. This code is now called by DFSZKFailoverController.setConf as well.
- Adds {{ha.zookeeper.acl}} and {{ha.zookeeper.auth}} configurations. These configs specify the ACL used for the znodes, and the authentications added when connecting to ZooKeeper. The format is the same as is used in the ZK shell. Additionally, the config values may be specified as "@/path/to/file" which allows an indirection. This is important when using digest-based authentication so as to avoid leaking the secret password via the /conf servlet, etc.
- The ZK auth and acl parsing is in a new file called HAZKUtil. If we start using ZK for other purposes in Hadoop, we could rename it to HadoopZKUtil or something -- nothing HA-specific in here.

Note that a few of the RPC-related changes here are duplicate with HADOOP-8243. I'll resolve
that during the merge when necessary.

I also ran through some manual tests with a secure HDFS cluster and the ZKFC and it seemed
to work. That was on an earlier version of the patch. I'll re-test with the latest patch before

> Security support for ZK Failover controller
> -------------------------------------------
>                 Key: HADOOP-8215
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8215
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: auto-failover, ha
>    Affects Versions: 0.23.3, 0.24.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
>         Attachments: hadoop-8215.txt
> To keep the initial patches manageable, Kerberos security is not currently supported in the ZKFC implementation. This JIRA is to support the following important pieces for security:
> - integrate with ZK authentication (Kerberos or password-based)
> - allow the user to configure ACLs for the relevant znodes
> - add keytab configuration and login to the ZKFC daemons
> - ensure that the RPCs made by the health monitor and failover controller properly authenticate to the target daemons

This message is automatically generated by JIRA.
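
The following is an added example, not part of the original message and not code from the Hadoop patch: a small pre-deployment check that parses {{ha.zookeeper.auth}} and {{ha.zookeeper.acl}} in ZK shell form, follows the "@/path/to/file" indirection, and flags a digest secret left inline in the configuration, where the /conf servlet would expose it. Assumptions: multiple entries are comma-separated, and the sample XML, the account name and the hash placeholder are constructed.

```python
import xml.etree.ElementTree as ET

PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # ZooKeeper permission bits
# Constructed sample: the weak form, with the digest password inline in the config.
SAMPLE = """<configuration>
<property><name>ha.zookeeper.auth</name><value>digest:zkfc:example-password</value></property>
<property><name>ha.zookeeper.acl</name><value>digest:zkfc:CONSTRUCTED_HASH=:rwcda</value></property>
</configuration>"""

def resolve(value):
    """Follow the "@/path/to/file" indirection; return (text, source_path or None)."""
    value = value.strip()
    if value.startswith("@"):
        with open(value[1:], encoding="utf-8") as fh:
            return fh.read().strip(), value[1:]
    return value, None

def entries(text):
    # Assumption: several entries are separated by commas.
    return [e.strip() for e in text.split(",") if e.strip()]

def parse_auth(text):
    """ZK shell 'addauth' form: scheme:auth, e.g. digest:user:password."""
    out = [tuple(e.split(":", 1)) for e in entries(text)]
    if any(len(t) != 2 or not all(t) for t in out):
        raise ValueError("bad auth entry (expected scheme:auth)")  # never echo the secret
    return out

def parse_acl(text):
    """ZK shell 'setAcl' form: scheme:id:perms, perms drawn from 'rwcda'."""
    out = []
    for e in entries(text):
        head, _, perms = e.rpartition(":")      # perms follow the last colon
        scheme, sep, ident = head.partition(":")  # a digest id itself contains a colon
        if not (scheme and sep and ident and perms) or set(perms) - set(PERM_BITS):
            raise ValueError("bad ACL entry (expected scheme:id:perms)")
        out.append((scheme, ident, sum(PERM_BITS[p] for p in set(perms))))
    return out

def audit(conf_xml):
    """Return findings for a Hadoop configuration XML string."""
    props = {p.findtext("name"): p.findtext("value") or ""
             for p in ET.fromstring(conf_xml).iter("property")}
    findings = []
    text, path = resolve(props.get("ha.zookeeper.auth", ""))
    if path is None and any(scheme == "digest" for scheme, _ in parse_auth(text)):
        findings.append("ha.zookeeper.auth: digest secret inline in config; use @/path/to/file")
    parse_acl(resolve(props.get("ha.zookeeper.acl", ""))[0])  # raises on a malformed ACL
    return findings
```

Calling `audit(SAMPLE)` returns one finding; replacing the inline value with an "@" reference to a file holding the same string returns none.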