Review Board 1.7.22


Add support for SASL authentication of embedded HBase ZooKeeper clients and protected znodes

Review Request #2837 - Created Nov. 15, 2011 and submitted

Andrew Purtell
0.92, trunk
HBASE-2418
Reviewers
hbase
ekoontz, ghelmling
hbase-git
These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).

SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/hbase/conf/hbase.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/$HOSTNAME";
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="/etc/hbase/conf/hbase.keytab"
    principal="hbase/$HOSTNAME";
  };

and then configure both the client and server processes to use it, for example in hbase-site.xml:

  HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.

There is extraneous whitespace in code surrounding these changes.
These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.

New unit test TestZooKeeperACL passes 100 iterations. All tests pass that are not otherwise currently failing on trunk.
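As an added illustration of the ACL scheme the description outlines (this is example code, not the patch's own ZKUtil changes), a Java helper that builds the ACL a SASL-authenticated HBase process would attach when creating a znode: full permissions only for the principal the session authenticated as, plus world read on the few lookup znodes. The ZooKeeper client API is assumed to be the one HBase already depends on; the WORLD_READABLE list is an assumption, not the patch's list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;

public class HBaseZnodeAcls {
  // Assumed list of the "few world-readable read-only" znodes clients need
  // to locate regions; the patch's actual list is not shown on this page.
  private static final List<String> WORLD_READABLE = Arrays.asList(
      "/hbase/root-region-server", "/hbase/master", "/hbase/hbaseid");

  /** ACL to attach when creating znode; secure == a JAAS login config is set. */
  static List<ACL> aclFor(String znode, boolean secure) {
    if (!secure) {
      return Ids.OPEN_ACL_UNSAFE;  // unsecured cluster: world:anyone gets all perms
    }
    List<ACL> acls = new ArrayList<ACL>();
    // "auth" matches whatever principal this session authenticated as, i.e.
    // hbase/$HOSTNAME reduced to "hbase" by the zookeeper.kerberos.remove* flags.
    acls.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
    if (WORLD_READABLE.contains(znode)) {
      acls.add(new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE));
    }
    return acls;
  }

  /** Defender's check: could an unauthenticated client modify this znode? */
  static boolean worldWritable(List<ACL> acls) {
    int mutating = Perms.WRITE | Perms.CREATE | Perms.DELETE | Perms.ADMIN;
    for (ACL acl : acls) {
      if ("world".equals(acl.getId().getScheme()) && (acl.getPerms() & mutating) != 0) {
        return true;
      }
    }
    return false;
  }

  public static void main(String[] args) {
    // Usage at create time: zk.create(path, data, aclFor(path, true), CreateMode.PERSISTENT);
    for (String z : Arrays.asList("/hbase/root-region-server", "/hbase/unassigned/abc")) {
      List<ACL> acls = aclFor(z, true);
      System.out.println(z + " " + acls + " worldWritable=" + worldWritable(acls));
    }
  }
}
```

A regionserver's internal znode ends up with only the auth entry, so an unauthenticated client cannot read or change it, while the lookup znodes stay readable to anyone but writable only to the HBase principal.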
pom.xml
Revision c74ce25 New Change
[20] 241 lines
[+20]
242
      <url>http://repository.jboss.org/nexus/content/groups/public-jboss/</url>
242
      <url>http://repository.jboss.org/nexus/content/groups/public-jboss/</url>
243
      <snapshots>
243
      <snapshots>
244
        <enabled>false</enabled>
244
        <enabled>false</enabled>
245
      </snapshots>
245
      </snapshots>
246
    </repository>
246
    </repository>

    
   
247
    <!-- snapshot builds of Hadoop and ZooKeeper for testing -->

    
   
248
    <repository>

    
   
249
      <id>ghelmling.testing</id>

    
   
250
      <name>Gary Helmling test repo</name>

    
   
251
      <url>http://people.apache.org/~garyh/mvn/</url>

    
   
252
      <snapshots>

    
   
253
        <enabled>true</enabled>

    
   
254
      </snapshots>

    
   
255
      <releases>

    
   
256
        <enabled>true</enabled>

    
   
257
      </releases>

    
   
258
    </repository>
247
  </repositories>
259
  </repositories>
248

    
   
260

   
249
  <build>
261
  <build>
250
    <!-- Some plugins (javadoc for example) can be used in the normal build- and the site phase.
262
    <!-- Some plugins (javadoc for example) can be used in the normal build- and the site phase.
251
         These plugins inherit their options from the <reporting> section below. These settings
263
         These plugins inherit their options from the <reporting> section below. These settings
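Review bot: the new `ghelmling.testing` repository (`<url>http://people.apache.org/~garyh/mvn/</url>` with `<snapshots><enabled>true</enabled>`) is added to the unconditional `<repositories>` section, so every trunk build, not just the security profile, will resolve artifacts from a personal directory over plain http with snapshots enabled; consider scoping it to the `security` profile and noting in the `<!-- snapshot builds of Hadoop and ZooKeeper for testing -->` comment that it is temporary until the ZooKeeper 3.4.0 release is in a public repository.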
[+20] [20] 1081 lines
[+20]
1333
        <myParallelMode>none</myParallelMode>
1345
        <myParallelMode>none</myParallelMode>
1334
        <myThreadCount>1</myThreadCount>          
1346
        <myThreadCount>1</myThreadCount>          
1335
      </properties>
1347
      </properties>
1336
    </profile>     
1348
    </profile>     
1337

    
   
1349

   

    
   
1350
    <!-- profile for building against Hadoop 0.20+security-->

    
   
1351
    <profile>

    
   
1352
      <id>security</id>

    
   
1353
      <properties>

    
   
1354
        <zookeeper.version>3.4.0-SNAPSHOT</zookeeper.version>

    
   
1355
      </properties>

    
   
1356
      <build>

    
   
1357
        <finalName>${artifactId}-${version}-security</finalName>

    
   
1358
        <plugins>

    
   
1359
          <plugin>

    
   
1360
            <groupId>org.codehaus.mojo</groupId>

    
   
1361
            <artifactId>build-helper-maven-plugin</artifactId>

    
   
1362
            <executions>

    
   
1363
              <execution>

    
   
1364
                <id>add-source</id>

    
   
1365
                <goals>

    
   
1366
                  <goal>add-source</goal>

    
   
1367
                </goals>

    
   
1368
                <configuration>

    
   
1369
                  <sources>

    
   
1370
                    <source>${project.basedir}/security/src/main/java</source>

    
   
1371
                  </sources>

    
   
1372
                </configuration>

    
   
1373
              </execution>

    
   
1374
              <execution>

    
   
1375
                <id>add-test-source</id>

    
   
1376
                <goals>

    
   
1377
                  <goal>add-test-source</goal>

    
   
1378
                </goals>

    
   
1379
                <configuration>

    
   
1380
                  <sources>

    
   
1381
                    <source>${project.basedir}/security/src/test/java</source>

    
   
1382
                  </sources>

    
   
1383
                </configuration>

    
   
1384
              </execution>

    
   
1385
              <execution>

    
   
1386
                <id>add-test-resource</id>

    
   
1387
                <goals>

    
   
1388
                  <goal>add-test-resource</goal>

    
   
1389
                </goals>

    
   
1390
                <configuration>

    
   
1391
                  <resources>

    
   
1392
                    <resource>

    
   
1393
                      <directory>${project.basedir}/security/src/test/resources</directory>

    
   
1394
                      <includes>

    
   
1395
                        <include>hbase-site.xml</include>

    
   
1396
                      </includes>

    
   
1397
                    </resource>

    
   
1398
                  </resources>

    
   
1399
                </configuration>

    
   
1400
              </execution>

    
   
1401
            </executions>

    
   
1402
          </plugin>

    
   
1403
        </plugins>

    
   
1404
      </build>

    
   
1405
    </profile>

    
   
1406

   
1338
    <!--
1407
    <!--
1339
      profile for building against Hadoop 0.22.0. Activate using:
1408
      profile for building against Hadoop 0.22.0. Activate using:
1340
       mvn -Dhadoop.profile=22
1409
       mvn -Dhadoop.profile=22
1341
    -->
1410
    -->
1342
    <profile>
1411
    <profile>
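Review bot: `<zookeeper.version>3.4.0-SNAPSHOT</zookeeper.version>` pins the security profile to a moving snapshot, so two builds of the same revision can pick up different ZooKeeper bits; since the description says the feature requires ZK 3.4.0 (currently RC2), please note in the `<!-- profile for building against Hadoop 0.20+security-->` comment that this profile also overrides zookeeper.version and that it should be bumped to the 3.4.0 release once available.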
[+20] [20] 426 lines
src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java
Revision 05abeb7 New Change
 
src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
Revision bb67e53 New Change
 
src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
Revision a75cf87 New Change
 
src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java
Revision f613ba9 New Change
 
src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
New File
 