Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-938

Support Kerberos authentication of clients.

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.4.0
    • java client, server
    • None
    • Reviewed
    • ZOOKEEPER-938 : support Kerberos authentication via SASL.

    Description

      Support Kerberos authentication of clients.

      The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

      1. Admin logs into zookeeper (not necessarily through Kerberos however).

      2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

      3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

      4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

      5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

      6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

      7. User accesses /mynode with permissions 'cdrwa'.

      Attachments

        1. jaas.conf
          0.3 kB
          Eugene Joseph Koontz
        2. NIOServerCnxn.patch
          9 kB
          Eugene Joseph Koontz
        3. sasl.patch
          42 kB
          Eugene Joseph Koontz
        4. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        5. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        6. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        7. ZOOKEEPER-938.patch
          82 kB
          Eugene Joseph Koontz
        8. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        9. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        10. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        11. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        12. ZOOKEEPER-938.patch
          82 kB
          Eugene Joseph Koontz
        13. ZOOKEEPER-938.patch
          83 kB
          Eugene Joseph Koontz
        14. ZOOKEEPER-938.patch
          103 kB
          Eugene Joseph Koontz
        15. ZOOKEEPER-938.patch
          105 kB
          Eugene Joseph Koontz
        16. ZOOKEEPER-938.patch
          96 kB
          Eugene Joseph Koontz
        17. ZOOKEEPER-938.patch
          95 kB
          Eugene Joseph Koontz

        Issue Links

        blocks

        New Feature - A new feature of the product, which has yet to be developed. ZOOKEEPER-1045 Support Quorum Peer mutual authentication via SASL

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed

        New Feature - A new feature of the product, which has yet to be developed. ZOOKEEPER-1112 Add support for C client for SASL authentication

        • Major - Major loss of function.
        • Closed
        is depended upon by

        Sub-task - The sub-task of the issue HBASE-3025 Coprocessor based simple access control

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1373 Hardcoded SASL login context name clashes with Hadoop security configuration override

        • Major - Major loss of function.
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1181 Fix problems with Kerberos TGT renewal

        • Major - Major loss of function.
        • Closed

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1185 Send AuthFailed event to client if SASL authentication fails

        • Major - Major loss of function.
        • Closed

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1195 SASL authorizedID being incorrectly set: should use getHostName() rather than getServiceName()

        • Major - Major loss of function.
        • Closed

        Improvement - An improvement or enhancement to an existing feature or task. GIRAPH-265 Enable Zookeeper security support within Giraph

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1469 Adding Cross-Realm support for secure Zookeeper client authentication

        • Major - Major loss of function.
        • Reopened
        is related to

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1920 Login thread is not shutdown when close the ClientCnxn

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Open

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1236 Security uses proprietary Sun APIs

        • Major - Major loss of function.
        • Resolved

        New Feature - A new feature of the product, which has yet to be developed. HADOOP-4487 Security features for Hadoop

        • Major - Major loss of function.
        • Closed

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1422 Support _HOST substitution in JAAS configuration

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HBASE-2418 add support for ZooKeeper authentication

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed
        relates to

        Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1437 Client uses session before SASL authentication complete

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1420 Kerberos principal to user mapping / authorization

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. HIVE-2467 HA Support for Metastore Server

        • Major - Major loss of function.
        • Closed

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-896 Improve client to support dynamic authentication schemes

        • Major - Major loss of function.
        • Patch Available
        requires

        Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-329 document how to integrate 3rd party authentication into ZK server ACLs

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Closed

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            ekoontz Eugene Joseph Koontz
            ekoontz Eugene Joseph Koontz
            Votes:
            0 Vote for this issue
            Watchers:
            14 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment