

Add support for SASL authentication of embedded HBase ZooKeeper clients and protected znodes

Review Request #2837 - Created Nov. 15, 2011 and submitted

Andrew Purtell
0.92, trunk
HBASE-2418
Reviewers
hbase
ekoontz, ghelmling
hbase-git
These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).

SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/hbase/conf/hbase.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/$HOSTNAME";
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="/etc/hbase/conf/hbase.keytab"
    principal="hbase/$HOSTNAME";
  };

and then configure both the client and server processes to use it, for example by adding the following to hbase-env.sh (these are shell variable assignments, not hbase-site.xml properties):

  HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.

There is extraneous whitespace in code surrounding these changes.
These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.

New unit test TestZooKeeperACL passes 100 iterations. All test pass not otherwise currently failing on trunk.

Changes between revision 3 and 4


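--- a/pom.xml
+++ b/pom.xml
@@ -382,10 +382,18 @@
         <includes>
           <include>hbase-webapps/**</include>
         </includes>
       </resource>
     </resources>
+    <testResources>
+      <testResource>
+        <directory>src/test/resources</directory>
+        <excludes>
+          <exclude>hbase-site.xml</exclude>
+        </excludes>
+      </testResource>
+    </testResources>
 
     <plugins>
       <plugin>
         <groupId>org.apache.avro</groupId>
         <artifactId>avro-maven-plugin</artifactId>
@@ -670,27 +678,27 @@
             <phase>package</phase>
             <configuration>
               <target>
                 <!-- Complements the assembly -->
 
-                <mkdir dir="${project.build.directory}/${project.artifactId}-${project.version}/${project.artifactId}-${project.version}/lib/native/${build.platform}"/>
+                <mkdir dir="${project.build.directory}/${project.build.finalName}/${project.build.finalName}/lib/native/${build.platform}"/>
 
                 <!-- Using Unix cp to preserve symlinks, using script to handle wildcards -->
                 <echo file="${project.build.directory}/copynativelibs.sh">
                     if [ `ls ${project.build.directory}/nativelib | wc -l` -ne 0 ]; then
-                      cp -PR ${project.build.directory}/nativelib/lib* ${project.build.directory}/${project.artifactId}-${project.version}/${project.artifactId}-${project.version}/lib/native/${build.platform}
+                      cp -PR ${project.build.directory}/nativelib/lib* ${project.build.directory}/${project.build.finalName}/${project.build.finalName}/lib/native/${build.platform}
                     fi
                 </echo>
                 <exec executable="sh" dir="${project.build.directory}" failonerror="true">
                     <arg line="./copynativelibs.sh"/>
                 </exec>
 
                 <!-- Using Unix tar to preserve symlinks -->
                 <exec executable="tar" failonerror="yes"
-                  dir="${project.build.directory}/${project.artifactId}-${project.version}">
+                  dir="${project.build.directory}/${project.build.finalName}">
                     <arg value="czf"/>
-                    <arg value="${project.build.directory}/${project.artifactId}-${project.version}.tar.gz"/>
+                    <arg value="${project.build.directory}/${project.build.finalName}.tar.gz"/>
                     <arg value="."/>
                 </exec>
 
               </target>
             </configuration>
@@ -789,11 +797,11 @@
     <mockito-all.version>1.8.5</mockito-all.version>
     <protobuf.version>2.4.0a</protobuf.version>
     <slf4j.version>1.5.8</slf4j.version><!-- newer version available -->
     <stax-api.version>1.0.1</stax-api.version>
     <thrift.version>0.7.0</thrift.version>
-    <zookeeper.version>3.3.3</zookeeper.version>
+    <zookeeper.version>3.4.0-SNAPSHOT</zookeeper.version>
     <hadoop-snappy.version>0.0.1-SNAPSHOT</hadoop-snappy.version>
 
     <package.prefix>/usr</package.prefix>	           
     <package.conf.dir>/etc/hbase</package.conf.dir>  
     <package.log.dir>/var/log/hbase</package.log.dir>
@@ -1302,10 +1310,36 @@
           <artifactId>hadoop-test</artifactId>
           <version>${hadoop.version}</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>build-helper-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>add-test-resource</id>
+                <goals>
+                  <goal>add-test-resource</goal>
+                </goals>
+                <configuration>
+                  <resources>
+                    <resource>
+                      <directory>src/test/resources</directory>
+                      <includes>
+                        <include>hbase-site.xml</include>
+                      </includes>
+                    </resource>
+                  </resources>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
     </profile>
     
     
     <!-- profile for running test without parallelisation.
          The same values are set in the properties of the project.  -->
@@ -1350,11 +1384,10 @@
     <!-- profile for building against Hadoop 0.20+security-->
     <profile>
       <id>security</id>
       <properties>
         <hadoop.version>0.20.205.1-7070-SNAPSHOT</hadoop.version>
-        <zookeeper.version>3.4.0-SNAPSHOT</zookeeper.version>
       </properties>
       <build>
         <finalName>${artifactId}-${version}-security</finalName>
         <plugins>
           <plugin>
@@ -1403,10 +1436,11 @@
           </plugin>
         </plugins>
       </build>
     </profile>
 
+
     <!--
       profile for building against Hadoop 0.22.0. Activate using:
        mvn -Dhadoop.profile=22
     -->
     <profile>
@@ -1547,10 +1581,36 @@
           <artifactId>hadoop-mapred-test</artifactId>
           <version>${hadoop.version}</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>build-helper-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>add-test-resource</id>
+                <goals>
+                  <goal>add-test-resource</goal>
+                </goals>
+                <configuration>
+                  <resources>
+                    <resource>
+                      <directory>src/test/resources</directory>
+                      <includes>
+                        <include>hbase-site.xml</include>
+                      </includes>
+                    </resource>
+                  </resources>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
     </profile>
 
     <!--
       profile for building against Hadoop 0.23.0. Activate using:
        mvn -Dhadoop.profile=23
@@ -1703,10 +1763,36 @@
           <artifactId>hadoop-mapred-test</artifactId>
           <version>${hadoop.version}</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>build-helper-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>add-test-resource</id>
+                <goals>
+                  <goal>add-test-resource</goal>
+                </goals>
+                <configuration>
+                  <resources>
+                    <resource>
+                      <directory>src/test/resources</directory>
+                      <includes>
+                        <include>hbase-site.xml</include>
+                      </includes>
+                    </resource>
+                  </resources>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
     </profile>
   </profiles>
  
   <!-- See http://jira.codehaus.org/browse/MSITE-443 why the settings need to be here and not in pluginManagement. -->
   <reporting>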
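Review bot: The project-wide `<zookeeper.version>` in the main properties block now resolves to `3.4.0-SNAPSHOT` (previously only the `security` profile carried that override, and it is removed there), so every build of every profile pulls a mutable snapshot artifact whose bytes can change between builds and cannot be checked against a release signature; the description itself says 3.4.0 is only at RC2. Pin to the released `<zookeeper.version>3.4.0</zookeeper.version>` once it ships, or at minimum mark the line `<!-- TODO: replace with the 3.4.0 release before commit; SNAPSHOT is not reproducible -->` so it does not reach trunk as-is. Separately, `hbase-site.xml` is excluded from the default `<testResources>` and re-added by a build-helper execution in each hadoop-version profile, but the `security` profile gets no such execution; if that profile can be active without one of the hadoop profiles, tests would run without the test-scoped `hbase-site.xml`, which is outside this diff and worth confirming. The three identical build-helper blocks could also be declared once under `<pluginManagement>` with only the activation left per profile.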
src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java
 
src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
 