Description
Some users may run a ZooKeeper cluster in "multi-tenant mode", meaning that more than one client service would
like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect
their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase, Solr
and Neo4j, or multiple HBase instances, etc. Having authentication/authorization on the znodes is important both for
security and for helping to ensure that services don't interact negatively (touch each other's data).
Today HBase does not have support for authentication or authorization. This should be added to the HBase clients
that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established,
with a user-specific credential; often this is a shared secret or certificate. You may be able to statically configure this
in some cases (config string or file to read from); however, in my case in particular you may need to access it programmatically,
which adds complexity, as the end user may need to load code into HBase for accessing the credential.
Secondly, you need to specify a non-"world" ACL when interacting with znodes (primarily on create):
http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
Feel free to ping the ZooKeeper team if you have questions. It might also be good to discuss this with some
potential end users, in particular regarding how the end user can specify the credential.
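The two steps described above (addAuthInfo once per session, then a non-"world" ACL on create), as an added example that is not HBase's own code: it uses the ZooKeeper "digest" scheme with constructed sample credentials and assumes a test ensemble at localhost:2181; a second session with a different tenant identity is then shown being denied access to the znode.

```java
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;

/** Tenant-scoped ZooKeeper access: digest auth on the session plus a creator-only ACL on the znode. */
public class TenantZkClient {

    /** Connect and block until the session is established, so addAuthInfo is called on a live session. */
    static ZooKeeper connect(String connectString, int sessionTimeoutMs) throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(connectString, sessionTimeoutMs, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        connected.await();
        return zk;
    }

    /** Authenticate once per session; the digest credential is "user:secret", i.e. a shared secret. */
    static void authenticate(ZooKeeper zk, String user, String secret) {
        zk.addAuthInfo("digest", (user + ":" + secret).getBytes(StandardCharsets.UTF_8));
    }

    /** Create a znode whose ACL grants ALL only to the authenticated creator; no world:anyone entry. */
    static void createPrivate(ZooKeeper zk, String path, byte[] data) throws Exception {
        zk.create(path, data, ZooDefs.Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws Exception {
        String ensemble = "localhost:2181";                       // assumed local test ensemble
        ZooKeeper hbaseZk = connect(ensemble, 30_000);
        authenticate(hbaseZk, "hbase", "hbase-secret");           // constructed sample credential
        createPrivate(hbaseZk, "/hbase-tenant-demo", "owned by hbase".getBytes(StandardCharsets.UTF_8));

        ZooKeeper solrZk = connect(ensemble, 30_000);             // a different tenant's session
        authenticate(solrZk, "solr", "solr-secret");              // constructed sample credential
        try {
            solrZk.getData("/hbase-tenant-demo", false, null);
            System.out.println("UNEXPECTED: other tenant could read the znode");
        } catch (KeeperException.NoAuthException denied) {
            System.out.println("Other tenant denied as expected: " + denied.getMessage());
        } finally {
            solrZk.close();
            hbaseZk.close();
        }
    }
}
```

Requires ZooKeeper 3.x on the classpath and Java 8 or later; without the addAuthInfo call, the create with CREATOR_ALL_ACL is rejected by the server because the "auth" scheme has no authenticated identity to bind to.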
Attachments
Issue Links
- is depended upon by
  - HBASE-3025 Coprocessor based simple access control (Closed)
  - HBASE-4960 Document mutual authentication between HBase and Zookeeper using SASL (Closed)
  - HBASE-5603 rolling-restart.sh script hangs when attempting to detect expiration of /hbase/master znode. (Closed)
  - HBASE-4791 Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file) (Closed)
- relates to
  - ZOOKEEPER-938 Support Kerberos authentication of clients. (Closed)
  - HBASE-1697 Discretionary access control (Closed)
  - HBASE-4376 Document login configuration when running on top of secure Hadoop with Kerberos auth enabled (Closed)