Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.1 (pre-incubation)
    • Component/s: sql-security
    • Labels:
      None

      Description

As part of Kerberizing Trafodion, we want to secure the Trafodion DCS/MXOSRVR data in ZooKeeper, specifically by applying the ACL “auth:sasl:crdwa” to all /trafodion znodes. The default ACL appears to be “world:anyone:crdwa”, which means fully open access for everyone.

      Once the /trafodion znodes are secured, the ZooKeeper client must authenticate with Kerberos to access the data. DCS can do this with the ZooKeeper Java client, after a one-line configuration change in dcs-env.sh. However, MXOSRVR cannot do this because it uses the ZooKeeper C client, which doesn’t support Kerberos authentication (see http://mail-archives.apache.org/mod_mbox/zookeeper-user/201505.mbox/%3CCANLc_9J6b4QCs5QXPFVp7myiOMOMboVme%3DDUNBh4Y-9hY7rHDQ%40mail.gmail.com%3E).

      Possible Solutions:

      1. Change MXOSRVR to use JNI for all ZooKeeper calls.

2. Reimplement MXOSRVR in Java within the multi-threaded DCS (a new architecture for MXOSRVR). Until then, use non-secure ACLs for the /trafodion znodes. To be clear, other znodes would still be secured (e.g., HBase, Hive); this issue only affects the /trafodion znodes used by DCS/MXOSRVR. As far as we can tell, the worst-case security impact is that someone could delete/modify the trafodion znodes to cause a Denial of Service (DoS) attack; customer data would not be compromised.

      3. Complete the work for https://issues.apache.org/jira/browse/ZOOKEEPER-1112 in the ZooKeeper open source project.
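Until the /trafodion znodes can be locked down, the exposure described above can at least be measured. The following is an added example, not code from the Trafodion project or this issue: it parses ZooKeeper ACL entries in the scheme:id:perms form used above and reports which znodes under /trafodion still let an unauthenticated caller modify or delete data. The znode paths and the SASL principal in the sample are constructed.

```python
# ZooKeeper permission letters and their bits (ZooDefs.Perms).
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
# Any of these lets a caller alter or remove the znode; read alone does not.
MODIFY_MASK = PERM_BITS["w"] | PERM_BITS["c"] | PERM_BITS["d"] | PERM_BITS["a"]
# Schemes that grant access without any authentication.
OPEN_SCHEMES = {"world"}


def parse_acl(entry: str) -> tuple:
    """Parse 'scheme:id:perms' into (scheme, id, perm_bits). The id may
    itself contain colons (an ip:host/mask or digest user:hash), so take
    the scheme off the left and the perms off the right, keeping the middle."""
    scheme, rest = entry.split(":", 1)
    id_, letters = rest.rsplit(":", 1)
    perms = 0
    for ch in letters:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission letter {ch!r} in {entry!r}")
        perms |= PERM_BITS[ch]
    return scheme, id_, perms


def is_modifiable_by_anyone(acls) -> bool:
    """True if any entry grants write/create/delete/admin to an open scheme."""
    return any(scheme in OPEN_SCHEMES and perms & MODIFY_MASK
               for scheme, _id, perms in acls)


def audit(znode_acls: dict, prefix: str = "/trafodion") -> list:
    """Return znodes at or under `prefix` whose ACLs allow unauthenticated
    modification. `znode_acls` maps path -> list of ACL strings, as
    collected with getAcl on each znode."""
    findings = []
    for path in sorted(znode_acls):
        if path == prefix or path.startswith(prefix + "/"):
            if is_modifiable_by_anyone([parse_acl(e) for e in znode_acls[path]]):
                findings.append(path)
    return findings


# Constructed sample (paths and principal are made up): the default open ACL on
# one DCS znode, a SASL-restricted ACL on another, and a znode outside the tree.
SAMPLE = {
    "/trafodion/dcs/servers": ["world:anyone:cdrwa"],
    "/trafodion/dcs/master": ["sasl:trafodion@EXAMPLE.COM:cdrwa", "world:anyone:r"],
    "/hbase": ["world:anyone:cdrwa"],
}

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['/trafodion/dcs/servers']
```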

            People

            • Assignee:
              Unassigned
              Reporter:
              rmarton Roberta Marton