ZooKeeper / ZOOKEEPER-938

Support Kerberos authentication of clients.

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.0
    • Component/s: java client, server
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      ZOOKEEPER-938 : support Kerberos authentication via SASL.

      Description

      Support Kerberos authentication of clients.

      The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

      1. Admin logs into ZooKeeper (not necessarily through Kerberos, however).

      2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

      3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

      4. User 'zkclient' logs in to Kerberos using the command-line utility 'kinit'.

      5. User connects to the ZooKeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

      6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

      7. User accesses /mynode with permissions 'cdrwa'.
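
How the ACL string in step 3 breaks down, and how the access decision in steps 6 and 7 resolves, shown as an added example (not code from the ZOOKEEPER-938 patch). `parse_acl` and `is_allowed` are hypothetical names; matching is modelled as exact equality of scheme and id, the permission bit values are those of ZooKeeper's `ZooDefs.Perms`, and the non-FOOFERS.ORG identities are constructed.

```python
"""Model of a ZooKeeper 'scheme:id:perms' ACL and the server-side permission check.

Added illustration: parse_acl / is_allowed are hypothetical helpers, not ZooKeeper APIs.
"""
from dataclasses import dataclass

# Permission bit values as defined in ZooKeeper's ZooDefs.Perms.
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: int


def parse_acl(text):
    """Split 'scheme:id:perms' on the first and last colon (the id may contain ':')."""
    scheme, sep1, rest = text.partition(":")
    ident, sep2, letters = rest.rpartition(":")
    if not (sep1 and sep2 and scheme and ident and letters):
        raise ValueError(f"malformed ACL: {text!r}")
    bits = 0
    for ch in letters:
        if ch not in PERMS:
            raise ValueError(f"unknown permission {ch!r} in {text!r}")
        bits |= PERMS[ch]
    return Acl(scheme, ident, bits)


def is_allowed(acls, auth_ids, perm):
    """True if some ACL entry grants `perm` to one of the connection's identities.

    auth_ids is the list of (scheme, id) pairs the connection has authenticated as;
    an empty list models a client that skipped authentication.
    """
    want = PERMS[perm]
    for acl in acls:
        if not acl.perms & want:
            continue
        if (acl.scheme, acl.id) == ("world", "anyone"):
            return True
        if any(s == acl.scheme and i == acl.id for s, i in auth_ids):
            return True
    return False


def demo():
    node_acl = [parse_acl("sasl:zkclient@FOOFERS.ORG:cdrwa")]  # ACL from step 3
    clients = {  # constructed connection states
        "kinit as zkclient@FOOFERS.ORG": [("sasl", "zkclient@FOOFERS.ORG")],
        "same user, other realm": [("sasl", "zkclient@OTHER.EXAMPLE")],
        "same name, digest scheme": [("digest", "zkclient@FOOFERS.ORG")],
        "unauthenticated": [],
    }
    return {name: is_allowed(node_acl, ids, "r") for name, ids in clients.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32} read /mynode -> {'allowed' if ok else 'denied'}")
```

Only the connection whose authenticated identity is exactly `zkclient@FOOFERS.ORG` under the `sasl` scheme is granted access; a different realm, a different scheme, or no authentication is denied.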

      1. NIOServerCnxn.patch
        9 kB
        Eugene Koontz
      2. sasl.patch
        42 kB
        Eugene Koontz
      3. jaas.conf
        0.3 kB
        Eugene Koontz
      4. ZOOKEEPER-938.patch
        95 kB
        Eugene Koontz
      5. ZOOKEEPER-938.patch
        96 kB
        Eugene Koontz
      6. ZOOKEEPER-938.patch
        105 kB
        Eugene Koontz
      7. ZOOKEEPER-938.patch
        103 kB
        Eugene Koontz
      8. ZOOKEEPER-938.patch
        83 kB
        Eugene Koontz
      9. ZOOKEEPER-938.patch
        82 kB
        Eugene Koontz
      10. ZOOKEEPER-938.patch
        81 kB
        Eugene Koontz
      11. ZOOKEEPER-938.patch
        81 kB
        Eugene Koontz
      12. ZOOKEEPER-938.patch
        81 kB
        Eugene Koontz
      13. ZOOKEEPER-938.patch
        81 kB
        Eugene Koontz
      14. ZOOKEEPER-938.patch
        82 kB
        Eugene Koontz
      15. ZOOKEEPER-938.patch
        113 kB
        Eugene Koontz
      16. ZOOKEEPER-938.patch
        113 kB
        Eugene Koontz
      17. ZOOKEEPER-938.patch
        113 kB
        Eugene Koontz


          Activity

          Eugene Koontz created issue -
          Eugene Koontz made changes -
          Field Original Value New Value
          Link This issue relates to ZOOKEEPER-896 [ ZOOKEEPER-896 ]
          Eugene Koontz made changes -
          Attachment NIOServerCnxn.patch [ 12460284 ]
          Mahadev konar made changes -
          Fix Version/s 3.4.0 [ 12314469 ]
          Eugene Koontz made changes -
          Link This issue requires ZOOKEEPER-329 [ ZOOKEEPER-329 ]
          Eugene Koontz made changes -
          Attachment sasl.patch [ 12467920 ]
          Mahadev konar made changes -
          Assignee Eugene Koontz [ ekoontz ]
          Eugene Koontz made changes -
          Attachment jaas.conf [ 12467937 ]
          Andrew Purtell made changes -
          Link This issue blocks HBASE-3025 [ HBASE-3025 ]
          Eugene Koontz made changes -
          Link This issue is related to HBASE-2418 [ HBASE-2418 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note Adds SASL authentication with two supported mechanisms: DIGEST-MD5 and GSSAPI.
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470334 ]
          Patrick Hunt made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note Adds SASL authentication with two supported mechanisms: DIGEST-MD5 and GSSAPI. -Adds SASL authentication with two supported mechanisms: DIGEST-MD5 and GSSAPI.
          -Add one new test : (SaslAuthTest)
          -Use --no-prefix with git diff (Thanks to Patrick Hunt)
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470648 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470334 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note -Adds SASL authentication with two supported mechanisms: DIGEST-MD5 and GSSAPI.
          -Add one new test : (SaslAuthTest)
          -Use --no-prefix with git diff (Thanks to Patrick Hunt)
          -Now two tests: SaslAuthTest and SaslAuthFailTest
          -Fix findbugs errors and warnings
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470866 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note -Now two tests: SaslAuthTest and SaslAuthFailTest
          -Fix findbugs errors and warnings
          -Now two tests: SaslAuthTest and SaslAuthFailTest
          -Fix findbugs errors and warnings
          -Fix javadoc warnings
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470877 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470648 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470866 ]
          Eugene Koontz made changes -
          Component/s java client [ 12312381 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470877 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470889 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470889 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470890 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12471140 ]
          Eugene Koontz made changes -
          Link This issue is blocked by ZOOKEEPER-1004 [ ZOOKEEPER-1004 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474560 ]
          Eugene Koontz made changes -
          Release Note -Now two tests: SaslAuthTest and SaslAuthFailTest
          -Fix findbugs errors and warnings
          -Fix javadoc warnings
          Addresses Kan Zhang's comments:

          -adds credential-refreshing LoginThread class for both Zookeeper client and server.
          -removes 'addcred' command that was only useful for development and testing of DIGEST-MD5 with SASL: unnecessary and unsafe to add passwords by command-line, especially without authentication and encryption
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474560 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12470890 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12471140 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474660 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note Addresses Kan Zhang's comments:

          -adds credential-refreshing LoginThread class for both Zookeeper client and server.
          -removes 'addcred' command that was only useful for development and testing of DIGEST-MD5 with SASL: unnecessary and unsafe to add passwords by command-line, especially without authentication and encryption
          Fixes findbugs warnings.
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474660 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474661 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474661 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474671 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note Fixes findbugs warnings.
          Fixes javadoc warnings.
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12474845 ]
          Eugene Koontz made changes -
          Release Note Fixes javadoc warnings.
          move java system property check up one level for simplicity of determining whether SASL is enabled or not.
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1045 [ ZOOKEEPER-1045 ]
          Eugene Koontz made changes -
          Description Support Keberos authentication of clients.

          The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

          1. Admin logs into zookeeper (not necessarily through Kerberos however).

          2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

          3. Admin does: zk> create /mynode content kerb:zkclient@FOOFERS.ORG:x:cdrwa

          (note: for now, the dummy ':x' is a placeholder for the password, and is required by the zk command parser. The user's actual password is not stored within Zookeeper; simply put 'x' there.)

          4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

          5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

          6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

          7. User accesses /mynode with permissions 'cdrwa'.
          Support Keberos authentication of clients.

          The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

          1. Admin logs into zookeeper (not necessarily through Kerberos however).

          2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

          3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

          4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

          5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

          6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

          7. User accesses /mynode with permissions 'cdrwa'.
          Eugene Koontz made changes -
          Link This issue is blocked by ZOOKEEPER-1004 [ ZOOKEEPER-1004 ]
          Eugene Koontz made changes -
          Summary support Kerberos Authentication r
          Description Support Keberos authentication of clients.

          The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

          1. Admin logs into zookeeper (not necessarily through Kerberos however).

          2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

          3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

          4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

          5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

          6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

          7. User accesses /mynode with permissions 'cdrwa'.
          Support Kerberos authentication of clients.

          The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

          1. Admin logs into zookeeper (not necessarily through Kerberos however).

          2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

          3. Admin does: zk> create /mynode content sasl:zkclient@FOOFERS.ORG:cdrwa

          4. User 'zkclient' logins to kerberos using the command line utility 'kinit'.

          5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

          6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

          7. User accesses /mynode with permissions 'cdrwa'.
          Mahadev konar made changes -
          Summary r Support Kerberos authentication of clients.
          Eugene Koontz made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Mahadev konar made changes -
          Fix Version/s 3.5.0 [ 12316644 ]
          Fix Version/s 3.4.0 [ 12314469 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Release Note move java system property check up one level for simplicity of determining whether SASL is enabled or not.
          ZOOKEEPER-938 : support Kerberos authentication via SASL.
          Fix Version/s 3.4.0 [ 12314469 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12483225 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12483225 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12483226 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12483336 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1112 [ ZOOKEEPER-1112 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485455 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485457 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485475 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485615 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485625 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485628 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12485860 ]
          Mahadev konar made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12488281 ]
          Eugene Koontz made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12489872 ]
          Eugene Koontz made changes -
          Attachment ZOOKEEPER-938.patch [ 12490160 ]
          Benjamin Reed made changes -
          Hadoop Flags [Reviewed]
          Mahadev konar made changes -
          Fix Version/s 3.5.0 [ 12316644 ]
          Mahadev konar made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1181 [ ZOOKEEPER-1181 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1185 [ ZOOKEEPER-1185 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1195 [ ZOOKEEPER-1195 ]
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-1236 [ ZOOKEEPER-1236 ]
          Mahadev konar made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Thomas Weise made changes -
          Link This issue relates to HIVE-2467 [ HIVE-2467 ]
          Eugene Koontz made changes -
          Link This issue is depended upon by ZOOKEEPER-1373 [ ZOOKEEPER-1373 ]
          Eugene Koontz made changes -
          Link This issue is related to HADOOP-4487 [ HADOOP-4487 ]
          Thomas Weise made changes -
          Link This issue relates to ZOOKEEPER-1420 [ ZOOKEEPER-1420 ]
          Eugene Koontz made changes -
          Link This issue blocks ZOOKEEPER-1469 [ ZOOKEEPER-1469 ]
          Eugene Koontz made changes -
          Link This issue relates to ZOOKEEPER-1437 [ ZOOKEEPER-1437 ]
          Eugene Koontz made changes -
          Link This issue blocks GIRAPH-265 [ GIRAPH-265 ]
          Gavin made changes -
          Link This issue blocks HBASE-3025 [ HBASE-3025 ]
          Gavin made changes -
          Link This issue is depended upon by HBASE-3025 [ HBASE-3025 ]
          Gavin made changes -
          Link This issue blocks ZOOKEEPER-1181 [ ZOOKEEPER-1181 ]
          Gavin made changes -
          Link This issue is depended upon by ZOOKEEPER-1181 [ ZOOKEEPER-1181 ]
          Gavin made changes -
          Link This issue blocks ZOOKEEPER-1185 [ ZOOKEEPER-1185 ]
          Gavin made changes -
          Link This issue is depended upon by ZOOKEEPER-1185 [ ZOOKEEPER-1185 ]
          Gavin made changes -
          Link This issue blocks ZOOKEEPER-1195 [ ZOOKEEPER-1195 ]
          Gavin made changes -
          Link This issue is depended upon by ZOOKEEPER-1195 [ ZOOKEEPER-1195 ]
          Gavin made changes -
          Link This issue blocks ZOOKEEPER-1469 [ ZOOKEEPER-1469 ]
          Gavin made changes -
          Link This issue is depended upon by ZOOKEEPER-1469 [ ZOOKEEPER-1469 ]
          Gavin made changes -
          Link This issue blocks GIRAPH-265 [ GIRAPH-265 ]
          Gavin made changes -
          Link This issue is depended upon by GIRAPH-265 [ GIRAPH-265 ]
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-1422 [ ZOOKEEPER-1422 ]
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-1920 [ ZOOKEEPER-1920 ]

            People

            • Assignee:
              Eugene Koontz
              Reporter:
              Eugene Koontz
            • Votes:
              0
              Watchers:
              12
