Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-938

Support Kerberos authentication of clients.

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.4.0
    • java client, server
    • None
    • Reviewed
    • ZOOKEEPER-938 : support Kerberos authentication via SASL.

    Description

      Support Kerberos authentication of clients.

      The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

      1. Admin logs into zookeeper (not necessarily through Kerberos however).

      2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

      3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

      4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

      5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

      6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

      7. User accesses /mynode with permissions 'cdrwa'.

      Attachments

        1. ZOOKEEPER-938.patch
          95 kB
          Eugene Joseph Koontz
        2. ZOOKEEPER-938.patch
          96 kB
          Eugene Joseph Koontz
        3. ZOOKEEPER-938.patch
          105 kB
          Eugene Joseph Koontz
        4. ZOOKEEPER-938.patch
          103 kB
          Eugene Joseph Koontz
        5. ZOOKEEPER-938.patch
          83 kB
          Eugene Joseph Koontz
        6. ZOOKEEPER-938.patch
          82 kB
          Eugene Joseph Koontz
        7. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        8. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        9. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        10. ZOOKEEPER-938.patch
          81 kB
          Eugene Joseph Koontz
        11. ZOOKEEPER-938.patch
          82 kB
          Eugene Joseph Koontz
        12. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        13. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        14. ZOOKEEPER-938.patch
          113 kB
          Eugene Joseph Koontz
        15. sasl.patch
          42 kB
          Eugene Joseph Koontz
        16. NIOServerCnxn.patch
          9 kB
          Eugene Joseph Koontz
        17. jaas.conf
          0.3 kB
          Eugene Joseph Koontz

        Issue Links

          blocks

          New Feature - A new feature of the product, which has yet to be developed. ZOOKEEPER-1045 Support Quorum Peer mutual authentication via SASL

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. ZOOKEEPER-1112 Add support for C client for SASL authentication

          • Major - Major loss of function.
          • Closed
          is depended upon by

          Sub-task - The sub-task of the issue HBASE-3025 Coprocessor based simple access control

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1373 Hardcoded SASL login context name clashes with Hadoop security configuration override

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1181 Fix problems with Kerberos TGT renewal

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1185 Send AuthFailed event to client if SASL authentication fails

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1195 SASL authorizedID being incorrectly set: should use getHostName() rather than getServiceName()

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. GIRAPH-265 Enable Zookeeper security support within Giraph

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1469 Adding Cross-Realm support for secure Zookeeper client authentication

          • Major - Major loss of function.
          • Reopened
          is related to

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1920 Login thread is not shutdown when close the ClientCnxn

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1236 Security uses proprietary Sun APIs

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-4487 Security features for Hadoop

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1422 Support _HOST substitution in JAAS configuration

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HBASE-2418 add support for ZooKeeper authentication

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. ZOOKEEPER-1437 Client uses session before SASL authentication complete

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1420 Kerberos principal to user mapping / authorization

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-2467 HA Support for Metastore Server

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-896 Improve client to support dynamic authentication schemes

          • Major - Major loss of function.
          • Patch Available
          requires

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-329 document how to integrate 3rd party authentication into ZK server ACLs

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              ekoontz Eugene Joseph Koontz
              ekoontz Eugene Joseph Koontz
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: