Review Board 1.7.22


Add support for SASL authentication of embedded HBase ZooKeeper clients and protected znodes

Review Request #2837 - Created Nov. 15, 2011 and submitted

Andrew Purtell
0.92, trunk
HBASE-2418
Reviewers
hbase
ekoontz, ghelmling
hbase-git
These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).

SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/hbase/conf/hbase.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/$HOSTNAME";
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="/etc/hbase/conf/hbase.keytab"
    principal="hbase/$HOSTNAME";
  };

and then configure both the client and server processes to use it, for example in hbase-site.xml:

  HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.

There is extraneous whitespace in code surrounding these changes.
These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.

New unit test TestZooKeeperACL passes 100 iterations. All test pass not otherwise currently failing on trunk.
Review request changed
Updated (Nov. 19, 2011, 1:36 a.m.)
Rebased to trunk.

Updated TestZooKeeperACL so it won't break the build if Hadoop is missing HADOOP-7070, but the issue will be logged at WARN in the test output. (-P security selects an artifact that includes it.)
Posted (Nov. 19, 2011, 1:43 a.m.)

   

  
Missing 'return' here will be added upon commit.