zookeeper-dev mailing list archives

From "Benjamin Reed (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-938) Support Kerberos authentication of clients.
Date Sun, 07 Aug 2011 06:19:27 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080545#comment-13080545 ]

Benjamin Reed commented on ZOOKEEPER-938:
-----------------------------------------

sorry for being off the grid. last week was not good.

great job eugene. overall it looks good. two minor cleanup things: 1) since we aren't pushing
sasl through the pipeline, we should remove it from the Request class. 2) in the code you
added to ZooKeeperServer can you move that big piece of code in the if clause to a function
called processSasl() or something like that?

KerberosName and Shell use sun.* classes, which cause warnings on the build and may cause
problems on non-sun jvms. are there any workarounds? or are those classes exposed through java.*
or javax.* classes? we either need to fix or document.

> Support Kerberos authentication of clients.
> -------------------------------------------
>
>                 Key: ZOOKEEPER-938
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-938
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: java client, server
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>             Fix For: 3.4.0, 3.5.0
>
>         Attachments: NIOServerCnxn.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, jaas.conf, sasl.patch
>
>
> Support Kerberos authentication of clients.
> The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.
> 1. Admin logs into zookeeper (not necessarily through Kerberos however).
> 2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.
> 3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa
> 4. User 'zkclient' logs in to Kerberos using the command line utility 'kinit'.
> 5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).
> 6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.
> 7. User accesses /mynode with permissions 'cdrwa'.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
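
The ACL string from step 3 of the quoted issue description, and the check that steps 6 and 7 imply, as an added example that is not part of the original message or of the ZooKeeper patch. It is a simplified model: the function names, the exact-match rule and the sample session identities are assumptions; the permission bit values follow ZooKeeper's ZooDefs.Perms constants.

```python
# Added example: a simplified model, not ZooKeeper source code.
# Permission bit values follow ZooKeeper's ZooDefs.Perms constants.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def parse_acl(spec):
    """Split 'scheme:id:perms' into (scheme, id, perm_mask).

    The id may itself contain ':' so the scheme ends at the first colon
    and the permission letters start after the last one.
    """
    first, last = spec.find(":"), spec.rfind(":")
    if first == -1 or first == last:
        raise ValueError("expected scheme:id:perms, got %r" % spec)
    scheme, ident, letters = spec[:first], spec[first + 1:last], spec[last + 1:]
    if not scheme or not ident or not letters:
        raise ValueError("empty field in ACL %r" % spec)
    mask = 0
    for ch in letters:
        if ch not in PERM_BITS:
            raise ValueError("unknown permission letter %r" % ch)
        mask |= PERM_BITS[ch]
    return scheme, ident, mask


def is_allowed(acls, session_ids, needed):
    """True if any ACL entry grants `needed` to an identity on the session.

    session_ids is the set of (scheme, id) pairs the server attached to the
    connection after authentication (step 6). Matching here is exact string
    equality, an assumption made for this sketch.
    """
    for scheme, ident, mask in acls:
        if mask & needed and (scheme, ident) in session_ids:
            return True
    return False


# Constructed sample data based on steps 2-7 of the issue description.
MYNODE_ACL = [parse_acl("sasl:zkclient@FOOFERS.ORG:cdrwa")]
AUTHENTICATED = {("sasl", "zkclient@FOOFERS.ORG")}
UNAUTHENTICATED = {("ip", "127.0.0.1")}  # hypothetical session without SASL

if __name__ == "__main__":
    for name, ids in (("kerberos", AUTHENTICATED), ("anonymous", UNAUTHENTICATED)):
        print(name, {p: is_allowed(MYNODE_ACL, ids, b) for p, b in PERM_BITS.items()})
```

Because the node carries only the sasl entry, a session that never completed the SASL exchange holds no matching identity and is denied every operation on /mynode in this model.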

        
