Date: Tue, 15 Nov 2011 21:01:56 +0000 (UTC)
From: "jiraposter@reviews.apache.org (Commented) (JIRA)"
To: issues@hbase.apache.org
Message-ID: <241417657.32482.1321390916930.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HBASE-2418) add support for ZooKeeper authentication

    [ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13150772#comment-13150772 ]

jiraposter@reviews.apache.org commented on HBASE-2418:
------------------------------------------------------

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2837/#review3277
-----------------------------------------------------------

src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java

    Maybe add something about final test, since we are summarizing the other tests: "Finally, we check the ACLs of a node outside of the /hbase hierarchy and verify that its ACL is simply 'hbase:Perms.ALL'."

- Eugene


On 2011-11-15 19:43:37, Andrew Purtell wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/2837/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2011-11-15 19:43:37)
bq.
bq.
bq. Review request for hbase, Gary Helmling and Eugene Koontz.
bq.
bq.
bq. Summary
bq. -------
bq.
bq. These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).
bq.
bq. SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:
bq.
bq. Server {
bq.   com.sun.security.auth.module.Krb5LoginModule required
bq.   useKeyTab=true
bq.   keyTab="/etc/hbase/conf/hbase.keytab"
bq.   storeKey=true
bq.   useTicketCache=false
bq.   principal="zookeeper/$HOSTNAME";
bq. };
bq. Client {
bq.   com.sun.security.auth.module.Krb5LoginModule required
bq.   useKeyTab=true
bq.   useTicketCache=false
bq.   keyTab="/etc/hbase/conf/hbase.keytab"
bq.   principal="hbase/$HOSTNAME";
bq. };
bq.
bq. and then configure both the client and server processes to use it, for example in hbase-site.xml:
bq.
bq. HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
bq. HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
bq. HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"
bq.
bq. HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.
bq.
bq. There is extraneous whitespace in code surrounding these changes.
bq.
bq.
bq. This addresses bug HBASE-2418.
bq.     https://issues.apache.org/jira/browse/HBASE-2418
bq.
bq.
bq. Diffs
bq. -----
bq.
bq.   src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java f613ba9
bq.   src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java PRE-CREATION
bq.   src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java a75cf87
bq.   src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java bb67e53
bq.   pom.xml c74ce25
bq.   src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java 05abeb7
bq.
bq. Diff: https://reviews.apache.org/r/2837/diff
bq.
bq.
bq. Testing
bq. -------
bq.
bq. These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.
bq.
bq. New unit test TestZooKeeperACL passes 100 iterations. All tests pass that are not otherwise currently failing on trunk.
bq.
bq.
bq. Thanks,
bq.
bq. Andrew
bq.
> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase and Solr
> and Neo4j, or multiple HBase instances, etc... having authentication/authorization on the znodes is important for both
> security and helping to ensure that services don't interact negatively (touch each other's data).
>
> Today HBase does not have support for authentication or authorization. This should be added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])
> with a user specific credential, oftentimes this is a shared secret or certificate. You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in particular you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for accessing the credential.
>
> Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
>
> Feel free to ping the ZooKeeper team if you have questions.
> It might also be good to discuss with some potential end users - in particular regarding how the end user can specify the credential.
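As an added example, not part of the HBASE-2418 patch or of the review above, here is a small audit client that walks the /hbase znode tree and reports any ACL weaker than the review request describes: each node held by the sasl:hbase identity with ALL, at most world:anyone READ on the few region-lookup nodes, and no other identities. It assumes the ZooKeeper 3.4 Java client on the classpath, that the audit JVM runs with the same -Djava.security.auth.login.config JaaS setup so it authenticates as the hbase principal, and that quorum address and root path come from the command line; the class name and the HBASE_SASL_ID constant are my own.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.zookeeper.*;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.*;

public class ZkAclAudit {
  // Assumed: SASL id of the HBase daemons ("hbase/..." with host and realm stripped by the zookeeper.kerberos.remove* flags).
  static final String HBASE_SASL_ID = "hbase";

  // Compliant ACL: sasl:hbase holds ALL, world:anyone holds at most READ, no other identities.
  static List<String> checkAcl(String path, List<ACL> acl) {
    List<String> findings = new ArrayList<String>();
    boolean ownerSeen = false;
    for (ACL entry : acl) {
      Id id = entry.getId();
      int perms = entry.getPerms();
      if ("sasl".equals(id.getScheme()) && HBASE_SASL_ID.equals(id.getId())) {
        ownerSeen = true;
        if (perms != Perms.ALL) findings.add(path + ": sasl:hbase perms=" + perms + ", expected ALL");
      } else if ("world".equals(id.getScheme())) {
        // The few region-lookup nodes may be world-readable; anything beyond READ is a hole.
        if ((perms & ~Perms.READ) != 0) findings.add(path + ": world:anyone perms=" + perms + " exceed READ");
      } else {
        findings.add(path + ": unexpected identity " + id.getScheme() + ":" + id.getId());
      }
    }
    if (!ownerSeen) findings.add(path + ": no sasl:hbase entry, cluster daemons could lose access");
    return findings;
  }
  // Recursive walk; run under the daemons' JaaS config so getACL succeeds on protected nodes.
  static void walk(ZooKeeper zk, String path, List<String> out) throws Exception {
    out.addAll(checkAcl(path, zk.getACL(path, new Stat())));
    for (String child : zk.getChildren(path, false))
      walk(zk, (path.equals("/") ? "" : path) + "/" + child, out);
  }
  public static void main(String[] args) throws Exception {
    // Assumed: quorum and root come from the command line, e.g. "zk1:2181 /hbase".
    String quorum = args.length > 0 ? args[0] : "localhost:2181";
    String root = args.length > 1 ? args[1] : "/hbase";
    ZooKeeper zk = new ZooKeeper(quorum, 30000, new Watcher() {
      public void process(WatchedEvent event) { /* one-shot audit, no watches */ }
    });
    List<String> findings = new ArrayList<String>();
    walk(zk, root, findings);
    zk.close();
    for (String f : findings) System.out.println(f);
    System.out.println(findings.isEmpty() ? "OK: all znodes under " + root + " comply" : findings.size() + " finding(s)");
  }
}
```

Running it against a quorum where the JaaS Client section is absent, or where a node was created with OPEN_ACL_UNSAFE, surfaces the gap as a finding rather than as a silent multi-tenant exposure.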