Details
-
Sub-task
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
Description
As part of Kerberozing “Trafodion, we want to secure the Trafodion DCS/MXOSRVR data in ZooKeeper, specifically apply the ACL “auth:sasl:crdwa” to all /trafodion znodes. The default ACL seems to be “world:anyone:crdwa”, which means fully open access for everyone.
Once the /trafodion znodes are secured, the ZooKeeper client must authenticate with Kerberos to access the data. DCS can do this with the ZooKeeper Java client, after a one-line configuration change in dcs-env.sh. However, MXOSRVR cannot do this because it uses the ZooKeeper C client, which doesn’t support Kerberos authentication (see http://mail-archives.apache.org/mod_mbox/zookeeper-user/201505.mbox/%3CCANLc_9J6b4QCs5QXPFVp7myiOMOMboVme%3DDUNBh4Y-9hY7rHDQ%40mail.gmail.com%3E).
Possible Solutions:
1. Change MXOSRVR to use JNI for all ZooKeeper calls.
2. Reimplement MXOSRVR in Java within the multi-threaded DCS (a new architecture for MXOSRVR). Until then, use non-secure ACLs for the /trafodion znodes. To be clear, other znodes would still be secured (e.g., HBase, Hive), this issue only affects the /trafodion znodes used by DCS/MXOSRVR. As far as we can tell, the worst case security impact is that someone could delete/modify the trafodion znodes to cause a Denial of Service (DoS) attack; customer data would not be compromised.
3. Complete the work for https://issues.apache.org/jira/browse/ZOOKEEPER-1112 in the ZooKeeper open source project.