I'm starting to work on this. Here's the plan:
integrate with ZK authentication (kerberos or password-based)
Based on https://github.com/ekoontz/zookeeper/wiki and http://hbase.apache.org/configuration.html#zk.sasl.auth it looks like the SASL setup is a bit complicated, though entirely configuration based. I think for a first pass we should be OK to just use password-based authentication for ZK. I think this is sufficient because we have a well-defined set of clients that need to access these znodes, and they don't contain any content that needs to be encrypted over the wire. We can add SASL support later.
allow the user to configure ACLs for the relevant znodes
This is reasonably straightforward - just needs some additional configuration keys to specify the ACL, and then tying it in to where we create the znodes.
add keytab configuration and login to the ZKFC daemons
I think it should be OK to re-use the namenode principals here. That simplifies deployment since it avoids having to add new principals to the KDC, and given that the ZKFCs are intended to run on the same machines as the NNs, they will have access to the keytab files by default. Please speak up if you think we need separate keytabs/principals for the ZKFC daemons.
ensure that the RPCs made by the health monitor and failover controller properly authenticate to the target daemons
This is just a matter of making sure we set up the target principal in the Configuration, and do the proper login/doAs before we start the main ZKFC code.