hadoop-common-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10868) Create a ZooKeeper-backed secret provider
Date Thu, 21 Aug 2014 18:15:12 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated HADOOP-10868:
-----------------------------------

    Attachment: HADOOP-10868.patch
                HADOOP-10868_branch-2.patch

The patch adds the ZKSignerSecretProvider and also updates a bunch of documentation/javadoc.
It uses Curator to talk to ZooKeeper (this handles a lot of connection issues, etc. for us).
The security-related code for using Kerberos and Kerberos-backed ACLs with ZooKeeper is largely
copied from Oozie.

Here's an overview of how ZKSignerSecretProvider works:
- The previous, current, and next secrets, plus the next rollover date, get stored in a znode
- On startup, it will try to read from this znode to use these secrets and synchronize its
rollover
- The next secret gets decided right after the secret gets rolled over so that rolling to it
can be immediate without a network call to ZooKeeper
- The next secret gets decided like this:
  1. All servers generate a new next secret
  2. They then all try to write to the znode at roughly the same time
  3. The znode has a version number, and only one of the servers will succeed (doesn't matter
which)
  4. The servers then load the next secret from the znode so they all have the same one
- I did the coordination this way so that we wouldn't need to do any leader elections and
don't need any sort of locking
- There's a bunch of configuration properties (mostly for Kerberos stuff)
  - A subclass of AuthenticationFilter can also provide ZKSignerSecretProvider with its
own Curator client, preconfigured however they want.  For example, I'm planning on doing
this with Oozie so (a) we can reuse the same Curator client that Oozie already manages and
(b) the ZK kerberos configs don't need to be set by the user twice.

> Create a ZooKeeper-backed secret provider
> -----------------------------------------
>
>                 Key: HADOOP-10868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10868
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10868.patch, HADOOP-10868_branch-2.patch
>
>
> Create a secret provider (see HADOOP-10791) that is backed by ZooKeeper and can synchronize
> amongst different servers.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
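The rollover coordination the comment describes (every server proposes a next secret, the znode's version number lets exactly one write land, everyone then reloads) is easy to get wrong if one tries to add locking or leader election on top of it. The following is an added, self-contained simulation of that check-and-set scheme; it is not code from the HADOOP-10868 patch and does not use Curator or ZooKeeper. `FakeZnode`, `SignerServer`, `run_rollover`, `ROLLOVER_INTERVAL` and the single-process "race" (each server writes with the version it last observed) are all constructed for this example; the real provider stores the same four fields in a real znode and gets the version check from ZooKeeper's conditional setData.

```python
import secrets

ROLLOVER_INTERVAL = 24 * 60 * 60  # seconds; constructed value, not the provider's default


class BadVersion(Exception):
    """Write rejected: expected version did not match (what ZooKeeper reports as BadVersion)."""


class NodeExists(Exception):
    """Create rejected because the znode already exists."""


class FakeZnode:
    """Single-process stand-in for one ZooKeeper znode (constructed for this example).

    Every successful write bumps the version, and a write carrying a stale expected
    version is rejected. That check-and-set rule is the only coordination the
    secret provider relies on: no lock and no leader election.
    """

    def __init__(self):
        self.exists = False
        self.data = None
        self.version = 0

    def create(self, data):
        if self.exists:
            raise NodeExists()
        self.exists, self.data, self.version = True, dict(data), 0

    def read(self):
        return dict(self.data), self.version

    def write(self, data, expected_version):
        if expected_version != self.version:
            raise BadVersion(f"expected {expected_version}, znode is at {self.version}")
        self.data = dict(data)
        self.version += 1


def new_secret():
    return secrets.token_bytes(32)


class SignerServer:
    """One server keeping its previous/current/next signing secrets in sync via the znode."""

    def __init__(self, name, znode):
        self.name = name
        self.znode = znode
        self.previous = self.current = self.next = None
        self.next_rollover = None
        self.seen_version = None  # znode version observed at the last load

    def startup(self, now):
        """Load secrets from the znode, creating it if absent (losing that race is fine)."""
        if not self.znode.exists:
            try:
                self.znode.create(self._record(None, new_secret(), new_secret(), now))
            except NodeExists:
                pass  # another server created it first; we simply use its secrets
        self.sync_from_znode()

    def rotate_locally(self):
        """The rollover itself: 'next' was agreed last time, so no ZooKeeper call is needed."""
        self.previous, self.current = self.current, self.next
        self.next = None

    def propose_next(self, now):
        """Generate a candidate next secret and try to publish it against the last seen version.

        Returns True only if this server's candidate won the check-and-set race.
        """
        candidate = self._record(self.previous, self.current, new_secret(), now)
        try:
            self.znode.write(candidate, self.seen_version)
            return True
        except BadVersion:
            return False  # someone else's candidate landed first; adopt it on reload

    def sync_from_znode(self):
        data, self.seen_version = self.znode.read()
        self.previous, self.current, self.next = data["previous"], data["current"], data["next"]
        self.next_rollover = data["next_rollover"]

    @staticmethod
    def _record(previous, current, nxt, now):
        return {"previous": previous, "current": current, "next": nxt,
                "next_rollover": now + ROLLOVER_INTERVAL}


def bootstrap(n, now=0):
    """Start n servers against one shared znode."""
    znode = FakeZnode()
    servers = [SignerServer(f"server-{i}", znode) for i in range(n)]
    for s in servers:
        s.startup(now)
    return servers


def run_rollover(servers, now):
    """Drive one rollover across all servers; returns how many candidates were accepted."""
    for s in servers:
        s.rotate_locally()
    winners = sum(s.propose_next(now) for s in servers)
    for s in servers:
        s.sync_from_znode()
    return winners


def all_in_sync(servers):
    """True when every server holds identical previous/current/next secrets and rollover time."""
    return len({(s.previous, s.current, s.next, s.next_rollover) for s in servers}) == 1
```

Because every server writes with the version it saw at its last load, the first write after a rollover succeeds and all later ones fail with `BadVersion`; losing is not an error condition, it just means reading the winner's record. The same property makes a restart safe: a server that comes up mid-cycle only ever reads.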
