hbase-dev mailing list archives

From "Patrick Hunt (JIRA)" <j...@apache.org>
Subject [jira] Created: (HBASE-2418) add support for ZooKeeper authentication
Date Wed, 07 Apr 2010 18:12:33 GMT
add support for ZooKeeper authentication
----------------------------------------

                 Key: HBASE-2418
                 URL: https://issues.apache.org/jira/browse/HBASE-2418
             Project: Hadoop HBase
          Issue Type: Improvement
          Components: master, regionserver
            Reporter: Patrick Hunt
            Priority: Critical


Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than one client service would like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase and Solr and Neo4j, or multiple HBase instances, etc... having authentication/authorization on the znodes is important for both security and helping to ensure that services don't interact negatively (touch each other's data).

Today HBase does not have support for authentication or authorization. This should be added to the HBase clients that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established:

http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])

with a user specific credential, often times this is a shared secret or certificate. You may be able to statically configure this in some cases (config string or file to read from), however in my case in particular you may need to access it programmatically, which adds complexity as the end user may need to load code into HBase for accessing the credential.

Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html

Feel free to ping the ZooKeeper team if you have questions. It might also be good to discuss with some potential end users - in particular regarding how the end user can specify the credential.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

