hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-2418) add support for ZooKeeper authentication
Date Sat, 19 Nov 2011 18:06:52 GMT

    [ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13153538#comment-13153538
] 

Andrew Purtell commented on HBASE-2418:
---------------------------------------

bq. Could the TestAdmin be because of this patch A?

I don't see it locally. 

This change in the patch could be suspect but it's a shot in the dark:

{code}
--- src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java
+++ src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java
@@ -148,11 +156,14 @@ public class MiniZooKeeperCluster {
         tickTimeToUse = TICK_TIME;
       }
       ZooKeeperServer server = new ZooKeeperServer(dir, dir, tickTimeToUse);
-      NIOServerCnxn.Factory standaloneServerFactory;
+      NIOServerCnxnFactory standaloneServerFactory;
       while (true) {
         try {
-          standaloneServerFactory = new NIOServerCnxn.Factory(
-              new InetSocketAddress(tentativePort));
+          standaloneServerFactory = new NIOServerCnxnFactory();
+          standaloneServerFactory.configure(
+            new InetSocketAddress(tentativePort),
+            configuration.getInt(HConstants.ZOOKEEPER_MAX_CLIENT_CNXNS,
+              HConstants.DEFAULT_ZOOKEPER_MAX_CLIENT_CNXNS));
         } catch (BindException e) {
           LOG.debug("Failed binding ZK Server to client port: " +
               tentativePort);
{code}

I could change HConstants.DEFAULT_ZOOKEPER_MAX_CLIENT_CNXNS here to 1000 and resubmit.
                
> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>             Fix For: 0.92.0
>
>         Attachments: HBASE-2418-5.patch, HBASE-2418-5.patch, HBASE-2418-5.patch
>
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than
one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the client
services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the cluster. Say you
are running HBase and Solr 
> and Neo4j, or multiple HBase instances, etc... having authentication/authorization on
the znodes is important for both 
> security and helping to ensure that services don't interact negatively (touch each other's
data).
> Today HBase does not have support for authentication or authorization. This should be
added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo once after
a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String,
byte[])
> with a user specific credential, often times this is a shared secret or certificate.
You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in particular
you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for accessing
the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be good to
discuss with some 
> potential end users - in particular regarding how the end user can specify the credential.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message