• Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.1 (pre-incubation)
    • Component/s: sql-security
    • Labels:


      As part of Kerberozing “Trafodion, we want to secure the Trafodion DCS/MXOSRVR data in ZooKeeper, specifically apply the ACL “auth:sasl:crdwa” to all /trafodion znodes. The default ACL seems to be “world:anyone:crdwa”, which means fully open access for everyone.

      Once the /trafodion znodes are secured, the ZooKeeper client must authenticate with Kerberos to access the data. DCS can do this with the ZooKeeper Java client, after a one-line configuration change in However, MXOSRVR cannot do this because it uses the ZooKeeper C client, which doesn’t support Kerberos authentication (see

      Possible Solutions:

      1. Change MXOSRVR to use JNI for all ZooKeeper calls.

      2. Reimplement MXOSRVR in Java within the multi-threaded DCS (a new architecture for MXOSRVR). Until then, use non-secure ACLs for the /trafodion znodes. To be clear, other znodes would still be secured (e.g., HBase, Hive), this issue only affects the /trafodion znodes used by DCS/MXOSRVR. As far as we can tell, the worst case security impact is that someone could delete/modify the trafodion znodes to cause a Denial of Service (DoS) attack; customer data would not be compromised.

      3. Complete the work for in the ZooKeeper open source project.




            • Assignee:
              rmarton Roberta Marton
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: