HBASE-2418

add support for ZooKeeper authentication


Details

    • Reviewed
      This adds support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).

      SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JAAS configuration, for example:

        Server {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="/etc/hbase/conf/hbase.keytab"
          storeKey=true
          useTicketCache=false
          principal="zookeeper/$HOSTNAME";
        };
        Client {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          useTicketCache=false
          keyTab="/etc/hbase/conf/hbase.keytab"
          principal="hbase/$HOSTNAME";
        };

      and then configure both the client and server processes to use it, for example in hbase-site.xml:

        HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
        HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
        HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

      HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.

      We will pull in a Hadoop artifact patched with HADOOP-7070 if building under the security profile (-P security). 0.20.205 does not yet include HADOOP-7070. Without it, the JAAS configuration required for secure operation of the ZooKeeper client will be ignored.

    Description

      Some users may run a ZooKeeper cluster in "multi tenant mode", meaning that more than one client service would like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase and Solr and Neo4j, or multiple HBase instances, etc. Having authentication/authorization on the znodes is important both for security and for helping to ensure that services don't interact negatively (touch each other's data).

      Today HBase does not have support for authentication or authorization. This should be added to the HBase clients that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established:

      http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])

      with a user-specific credential; oftentimes this is a shared secret or certificate. You may be able to statically configure this in some cases (config string or file to read from); however, in my case in particular you may need to access it programmatically, which adds complexity, as the end user may need to load code into HBase for accessing the credential.

      Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
      http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
      http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html

      Feel free to ping the ZooKeeper team if you have questions. It might also be good to discuss with some potential end users, in particular regarding how the end user can specify the credential.
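      The two steps the description asks for (authenticate the session once with addAuthInfo, then create znodes with a non-world ACL), as an added example that is not part of this issue or of the HBase code base. It uses ZooKeeper's built-in "digest" scheme with a hypothetical shared secret "hbase:secret", assumes a quorum reachable at localhost:2181, and uses the hypothetical path /hbase-acl-demo rather than HBase's real znode layout. A second, unauthenticated session plays the other tenant and shows which operations the ACLs refuse; a third session presenting the same secret shows that the credential, not the originating process, is what grants access.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

public class TenantAclDemo {
    // Assumptions (not from the issue): a reachable quorum, a shared secret for the "hbase" tenant,
    // and a demo root path that is not HBase's real layout.
    static final String CONNECT = "localhost:2181";
    static final String TENANT_SECRET = "hbase:secret";   // "user:password" for the digest scheme
    static final String ROOT = "/hbase-acl-demo";

    // Open a session and block until it is actually connected; addAuthInfo must follow session setup.
    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT, 30000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) connected.countDown();
        });
        connected.await();
        return zk;
    }

    public static void main(String[] args) throws Exception {
        // A digest ACL id stores "user:base64(sha1(user:password))", never the cleartext secret.
        Id owner = new Id("digest", DigestAuthenticationProvider.generateDigest(TENANT_SECRET));
        // With the SASL/Kerberos setup in the release note the owner id would instead be
        // new Id("sasl", "hbase"): the client principal with host and realm stripped.
        List<ACL> tenantOnly = Collections.singletonList(new ACL(ZooDefs.Perms.ALL, owner));
        // World-readable but owner-writable: the shape needed for a location lookup znode.
        List<ACL> worldReadable = Arrays.asList(
            new ACL(ZooDefs.Perms.ALL, owner),
            new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));

        // 1. The tenant's own client: authenticate once per session, then create with non-world ACLs.
        ZooKeeper tenant = connect();
        tenant.addAuthInfo("digest", TENANT_SECRET.getBytes(StandardCharsets.UTF_8));
        tenant.create(ROOT, new byte[0], tenantOnly, CreateMode.PERSISTENT);
        tenant.create(ROOT + "/master", "master-host:60000".getBytes(StandardCharsets.UTF_8),
                      tenantOnly, CreateMode.EPHEMERAL);
        tenant.create(ROOT + "/root-region-server", "rs-host:60020".getBytes(StandardCharsets.UTF_8),
                      worldReadable, CreateMode.PERSISTENT);

        // 2. Another tenant on the same quorum with no credentials: lookups work, the rest is refused.
        ZooKeeper other = connect();
        byte[] location = other.getData(ROOT + "/root-region-server", false, null);
        System.out.println("unauthenticated read of public znode: "
                           + new String(location, StandardCharsets.UTF_8));
        expectNoAuth("read private znode", () -> other.getData(ROOT + "/master", false, null));
        expectNoAuth("create under private parent", () ->
            other.create(ROOT + "/evil", new byte[0], ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT));
        expectNoAuth("overwrite public znode", () ->
            other.setData(ROOT + "/root-region-server", "attacker:1".getBytes(StandardCharsets.UTF_8), -1));

        // 3. Any session that presents the secret gets the owner's rights, regardless of which process it is.
        ZooKeeper peer = connect();
        peer.addAuthInfo("digest", TENANT_SECRET.getBytes(StandardCharsets.UTF_8));
        peer.setData(ROOT + "/root-region-server", "rs-host2:60020".getBytes(StandardCharsets.UTF_8), -1);

        // Cleanup: DELETE permission is checked on the parent, which the tenant session holds.
        tenant.delete(ROOT + "/root-region-server", -1);
        tenant.delete(ROOT + "/master", -1);
        tenant.delete(ROOT, -1);
        peer.close();
        other.close();
        tenant.close();
    }

    interface ZkOp { void run() throws Exception; }

    // Fail loudly if an operation that the ACLs should refuse goes through.
    static void expectNoAuth(String what, ZkOp op) throws Exception {
        try {
            op.run();
            throw new IllegalStateException(what + " unexpectedly succeeded: ACL is too open");
        } catch (KeeperException.NoAuthException expected) {
            System.out.println(what + ": NoAuth (as intended)");
        }
    }
}
```

      Two points worth keeping in mind when reading it: addAuthInfo is per session, so a client that reconnects with a new session has to call it again before touching protected znodes, and ZooKeeper does not check ancestor ACLs on reads, which is why the unauthenticated session can read the public child even though the parent is private.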

      Attachments

        HBASE-2418-6.patch (25 kB, Andrew Kyle Purtell)
        HBASE-2418-6.patch (25 kB, Andrew Kyle Purtell)
        2418.addendum (0.6 kB, Ted Yu)

      People

        ekoontz Eugene Joseph Koontz
        phunt Patrick D. Hunt

      Votes: 0
      Watchers: 8