zookeeper-dev mailing list archives

From "Eugene Koontz (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1373) Hardcoded SASL login context name clashes with Hadoop security configuration override
Date Mon, 06 Feb 2012 18:15:59 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13201438#comment-13201438 ]

Eugene Koontz commented on ZOOKEEPER-1373:
------------------------------------------

Thanks for the commit and the comments, Mahadev. I'll keep thinking about how we can improve
ClientCnxn as it relates to modularity and security.

> Hardcoded SASL login context name clashes with Hadoop security configuration override
> -------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1373
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1373
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.4.2
>            Reporter: Thomas Weise
>            Assignee: Eugene Koontz
>             Fix For: 3.4.3, 3.5.0
>
>         Attachments: ZOOKEEPER-1373-TW_3_4.patch, ZOOKEEPER-1373.patch, ZOOKEEPER-1373.patch,
>                      ZOOKEEPER-1373.patch, ZOOKEEPER-1373.patch, ZOOKEEPER-1373.patch, ZOOKEEPER-1373.patch
>
>
> I'm trying to configure a process with Hadoop security (Hive metastore server) to talk
> to ZooKeeper 3.4.2 with Kerberos authentication. In this scenario Hadoop controls the SASL
> configuration (org.apache.hadoop.security.UserGroupInformation.HadoopConfiguration), instead
> of setting up the ZooKeeper "Client" loginContext via jaas.conf and system property
> {{-Djava.security.auth.login.config}}.
>
> Using the Hadoop configuration would work, except that ZooKeeper client code expects
> the loginContextName to be "Client" while Hadoop security will use "hadoop-keytab-kerberos".
> I verified that by changing the name in the debugger the SASL authentication succeeds while
> otherwise the login configuration cannot be resolved and the connection to ZooKeeper is unauthenticated.
>
> To integrate with Hadoop, the following in ZooKeeperSaslClient would need to change to
> make the name configurable:
>      {{login = new Login("Client",new ClientCallbackHandler(null));}}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
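
The lookup failure described in the quoted issue, as an added example that is not ZooKeeper's or Hadoop's code: a JAAS `Configuration` that answers only to "hadoop-keytab-kerberos" returns null for the hardcoded name "Client", and a configurable name resolves it. The property name `example.sasl.loginContextName`, the class names, and the choice to throw rather than continue unauthenticated are assumptions made for this illustration.

```java
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class LoginContextNameDemo {
    // Hypothetical property name, used only in this example.
    static final String NAME_PROPERTY = "example.sasl.loginContextName";

    // Stand-in for a programmatic JAAS configuration that, like the Hadoop one
    // named in the issue, only knows its own section name.
    static class SingleSectionConfiguration extends Configuration {
        private final String section;

        SingleSectionConfiguration(String section) { this.section = section; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!section.equals(name)) {
                return null; // JAAS contract: null when no entry has this name
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("useKeyTab", "true")) // constructed options
            };
        }
    }

    // Read the section name from a property, defaulting to "Client", and refuse
    // to proceed when the section is missing instead of silently skipping SASL.
    static String resolveLoginContextName(Configuration conf) {
        String name = System.getProperty(NAME_PROPERTY, "Client");
        if (conf.getAppConfigurationEntry(name) == null) {
            throw new IllegalStateException("No JAAS section named '" + name + "'");
        }
        return name;
    }

    public static void main(String[] args) {
        Configuration conf = new SingleSectionConfiguration("hadoop-keytab-kerberos");
        // Hardcoded name: the lookup fails, which is the clash the issue reports.
        System.out.println("Client found: " + (conf.getAppConfigurationEntry("Client") != null));
        // Configurable name: the same configuration now resolves.
        System.setProperty(NAME_PROPERTY, "hadoop-keytab-kerberos");
        System.out.println("Resolved: " + resolveLoginContextName(conf));
    }
}
```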
