
Kerberos principal to user mapping / authorization

Details

• Type: Improvement
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 3.4.0
• Fix Version/s: None
• Component/s: server
• Labels: None

Description

ZOOKEEPER-938 introduces server configuration options to perform a rudimentary mapping from Kerberos principal to user name:

kerberos.removeHostFromPrincipal
kerberos.removeRealmFromPrincipal

Those are sufficient to make things work for HBase and other server clusters where we cannot include the host name portion in the znode ACL, but it would be better to support a more standard approach to perform the mapping with finer-grained control (i.e. do this only for specific matching principals).

Mapping in Hadoop: https://ccp.cloudera.com/display/CDHDOC/Appendix+C+-+Configuring+the+Mapping+from+Kerberos+Principals+to+Short+Names

As an alternative, a matching option at the time of the ACL check that can be controlled by the process assigning ACLs to znodes could also serve the purpose. For example, the principals:

user/host1@TEST.DOMAIN
user/host2@TEST.DOMAIN

would have access to a znode with the ACL set as:

sasl:user/host*@TEST.DOMAIN:cdrwa

This would not require ZK server configuration, but would add more runtime overhead.
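To make the three options concrete, here is an added illustration (not code from the issue or from ZooKeeper itself): the rudimentary remove-host/remove-realm mapping, a rule-based mapping that rewrites only principals matching an explicit pattern and passes the rest through unchanged (an assumed default), and a wildcard match for a `sasl:` ACL id in which `*` is deliberately confined to one principal component so it cannot span a `/` or `@` boundary. Principals and rules are constructed samples.

```python
import re

# Kerberos principal shape: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")


def simple_map(principal, remove_host=True, remove_realm=True):
    """ZOOKEEPER-938 style mapping: optionally strip the instance (host) and the realm."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("malformed principal: %r" % principal)
    name = m.group("primary")
    if not remove_host and m.group("instance"):
        name += "/" + m.group("instance")
    if not remove_realm:
        name += "@" + m.group("realm")
    return name


def rule_map(principal, rules):
    """Finer-grained mapping: rules is an ordered list of (anchored regex, replacement).

    The first rule whose regex matches the whole principal wins; replacement may use
    \\1-style group references. Principals matching no rule are returned unchanged
    (assumed behaviour so that mapping only affects specific principals).
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, principal)
        if m:
            return m.expand(replacement)
    return principal


def acl_matches(acl_id, principal):
    """Match a sasl ACL id such as 'user/host*@TEST.DOMAIN' against a principal.

    Every literal character is escaped and '*' becomes '[^/@]*', so a wildcard can
    only vary the component it sits in, never the realm or the primary/instance split.
    """
    regex = "".join("[^/@]*" if ch == "*" else re.escape(ch) for ch in acl_id)
    return re.fullmatch(regex, principal) is not None


if __name__ == "__main__":
    # Constructed sample data; the rule rewrites only hbase region-server principals.
    rules = [(r"hbase/[^/@]+@TEST\.DOMAIN", "hbase")]
    for p in ["user/host1@TEST.DOMAIN", "hbase/rs1.example.org@TEST.DOMAIN"]:
        print(p, "->", simple_map(p), "/", rule_map(p, rules),
              "/ acl user/host*@TEST.DOMAIN:", acl_matches("user/host*@TEST.DOMAIN", p))
```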

People

• Assignee: Unassigned
• Reporter: Thomas Weise (thw)
• Votes: 1
• Watchers: 3