Date: Fri, 25 Mar 2011 17:41:06 +0000 (UTC)
From: "Alex Newman (JIRA)"
To: issues@hbase.apache.org
Message-ID: <1769065165.11703.1301074866057.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Assigned] (HBASE-2418) add support for ZooKeeper authentication

     [ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Newman reassigned HBASE-2418:
----------------------------------

    Assignee: Alex Newman

> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Alex Newman
>            Priority: Critical
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase and Solr
> and Neo4j, or multiple HBase instances, etc... having authentication/authorization on the znodes is important for both
> security and helping to ensure that services don't interact negatively (touch each other's data).
> Today HBase does not have support for authentication or authorization. This should be added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])
> with a user specific credential, often times this is a shared secret or certificate. You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in particular you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for accessing the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be good to discuss with some
> potential end users - in particular regarding how the end user can specify the credential.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira