hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "jiraposter@reviews.apache.org (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-2418) add support for ZooKeeper authentication
Date Thu, 17 Nov 2011 20:59:51 GMT

    [ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13152318#comment-13152318
] 

jiraposter@reviews.apache.org commented on HBASE-2418:
------------------------------------------------------


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2837/
-----------------------------------------------------------

(Updated 2011-11-17 20:58:47.295983)


Review request for hbase, Gary Helmling and Eugene Koontz.


Changes
-------

Updated POM to pull in Hadoop 0.20.205.1-7070-SNAPSHOT if building under the security profile
(-P security). 0.20.205 does not yet include HADOOP-7070. Without it, the JAAS configuration
required for secure operation of the ZooKeeper client will be ignored. This is not an issue
with this patch per se. Hadoop without 7070 overrides any JAAS configuration. ZooKeeper integrated
security in such a way as to require one. HBase is stuck in the middle here.

We will file another JIRA for simplifying the configuration of a secure HBase cluster. The
user should need only to update one or two configuration properties in hbase-site.xml with
the remainder handled behind the scenes. Within the context of that JIRA we can look at having
HBase build the ZooKeeper JAAS configuration programatically, like Hadoop does. We may be
able to simply update the LoginContext that Hadoop provides. 


Summary
-------

These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper
cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742
(secure RPC), and HBASE-3025 (Coprocessor based access control).

SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently
of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration,
for example:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/hbase/conf/hbase.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/$HOSTNAME";
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="/etc/hbase/conf/hbase.keytab"
    principal="hbase/$HOSTNAME";
  };

and then configure both the client and server processes to use it, for example in hbase-site.xml:

  HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

HBase will then secure all znodes but for a few world-readable read-only ones needed for clients
to look up region locations. All internal cluster operations will be protected from unauthenticated
ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients
authenticated to the HBase principal will be those embedded in the master and regionservers.

There is extraneous whitespace in code surrounding these changes.


This addresses bug HBASE-2418.
    https://issues.apache.org/jira/browse/HBASE-2418


Diffs (updated)
-----

  pom.xml c74ce25 
  src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java 05abeb7 
  src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java bb67e53 
  src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java a75cf87 
  src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java f613ba9 
  src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java PRE-CREATION 

Diff: https://reviews.apache.org/r/2837/diff


Testing
-------

These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper
3.4.0.

New unit test TestZooKeeperACL passes 100 iterations. All test pass not otherwise currently
failing on trunk.


Thanks,

Andrew


                
> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>             Fix For: 0.92.0
>
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than
one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the client
services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the cluster. Say you
are running HBase and Solr 
> and Neo4j, or multiple HBase instances, etc... having authentication/authorization on
the znodes is important for both 
> security and helping to ensure that services don't interact negatively (touch each other's
data).
> Today HBase does not have support for authentication or authorization. This should be
added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo once after
a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String,
byte[])
> with a user specific credential, often times this is a shared secret or certificate.
You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in particular
you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for accessing
the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be good to
discuss with some 
> potential end users - in particular regarding how the end user can specify the credential.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message