Review Board 1.7.22


Add support for SASL authentication of embedded HBase ZooKeeper clients and protected znodes

Review Request #2837 - Created Nov. 15, 2011 and submitted

Andrew Purtell
0.92, trunk
HBASE-2418
Reviewers
hbase
ekoontz, ghelmling
hbase-git
These changes add support for protecting the state of HBase znodes on a multi-tenant ZooKeeper cluster. This support requires ZK 3.4.0, currently at RC2. It is a companion patch to HBASE-2742 (secure RPC), and HBASE-3025 (Coprocessor based access control).

SASL authentication of ZooKeeper clients with the quorum is handled in the ZK client independently of HBase concerns. To enable strong ZK authentication, one must create a suitable JaaS configuration, for example:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/hbase/conf/hbase.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/$HOSTNAME";
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="/etc/hbase/conf/hbase.keytab"
    principal="hbase/$HOSTNAME";
  };

and then configure both the client and server processes to use it, for example in hbase-site.xml:

  HBASE_OPTS="${HBASE_OPTS} -Djava.security.auth.login.config=/etc/hbase/conf/jaas.conf"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
  HBASE_OPTS="${HBASE_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"

HBase will then secure all znodes but for a few world-readable read-only ones needed for clients to look up region locations. All internal cluster operations will be protected from unauthenticated ZK clients, or clients not authenticated to the HBase principal. Presumably the only ZK clients authenticated to the HBase principal will be those embedded in the master and regionservers.

There is extraneous whitespace in code surrounding these changes.
These changes are running in production at Trend Micro, using a snapshot build of ZooKeeper 3.4.0.

New unit test TestZooKeeperACL passes 100 iterations. All tests pass that are not otherwise currently failing on trunk.
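A way to verify the resulting znode state, as an added example written for this page rather than code from the review request, HBase or ZooKeeper: the script below maps a Kerberos principal to the identity that ends up in sasl: ACLs under the two zookeeper.kerberos.remove*FromPrincipal flags, parses ACL dumps, and flags every entry that is not either the cluster's own SASL identity with full rights or a read-only world:anyone entry on a lookup znode. It assumes the dumps are zkCli.sh `getAcl` output (one `'scheme,'id` line followed by one `: perms` line per entry), that the principal-to-identity mapping uses the default name rules, and that the allowlist of world-readable znodes and the znode names in the constructed sample are hypothetical; the description only says that "a few" read-only znodes stay world-readable.

```python
"""Audit ZooKeeper znode ACLs on an HBase cluster that authenticates with SASL/Kerberos.

Added example, not code from the review request, HBase or ZooKeeper.
Assumptions (also marked in comments):
  * ACL dumps are zkCli.sh ``getAcl <path>`` output, which prints each ACL entry as
    a line ``'scheme,'id`` followed by a line ``: perms`` (perms in cdrwa order);
  * with zookeeper.kerberos.removeHostFromPrincipal=true and
    zookeeper.kerberos.removeRealmFromPrincipal=true the identity recorded in ACLs
    is the short name of the Kerberos principal, so hbase/$HOSTNAME@REALM -> hbase;
  * the znodes that may stay world-readable (read-only) are a hypothetical allowlist;
    the description only says "a few" such znodes exist.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

ACE = Tuple[str, str, str]          # (scheme, id, perms), e.g. ("sasl", "hbase", "cdrwa")
ALL_PERMS = frozenset("cdrwa")      # create, delete, read, write, admin


def sasl_id_from_principal(principal: str, remove_host: bool = True,
                           remove_realm: bool = True) -> str:
    """Short-form identity a Kerberos principal is mapped to for sasl: ACLs.

    Mirrors the effect of the two zookeeper.kerberos.remove*FromPrincipal flags on a
    principal of the form primary[/host][@REALM] (assumption: default name rules).
    """
    realm = ""
    if "@" in principal:
        principal, realm = principal.rsplit("@", 1)
    primary, _, host = principal.partition("/")
    ident = primary if (remove_host or not host) else f"{primary}/{host}"
    if realm and not remove_realm:
        ident += "@" + realm
    return ident


_ID_LINE = re.compile(r"^'([^,]+),'(.*)$")     # 'world,'anyone
_PERM_LINE = re.compile(r"^:\s*([cdrwa]*)$")   # : cdrwa


def parse_getacl(text: str) -> List[ACE]:
    """Parse zkCli.sh getAcl output (assumed two-line-per-entry format) into ACEs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output has an odd number of lines")
    aces: List[ACE] = []
    for id_line, perm_line in zip(lines[0::2], lines[1::2]):
        m_id, m_perm = _ID_LINE.match(id_line), _PERM_LINE.match(perm_line)
        if not (m_id and m_perm):
            raise ValueError(f"unexpected getAcl output: {id_line!r} / {perm_line!r}")
        aces.append((m_id.group(1), m_id.group(2), m_perm.group(1)))
    return aces


def audit_znode_acls(acls: Dict[str, List[ACE]], hbase_id: str,
                     world_readable: FrozenSet[str]) -> List[str]:
    """Return one finding per ACL entry that violates the intended policy.

    Policy from the description: every znode is owned (cdrwa) by the cluster's own
    SASL identity; the only other entry allowed is world:anyone with read-only
    permission, and only on the allowlisted lookup znodes.
    """
    findings: List[str] = []
    for path in sorted(acls):
        for scheme, ident, perms in acls[path]:
            if (scheme, ident) == ("sasl", hbase_id):
                continue
            if (scheme, ident) == ("world", "anyone"):
                if perms == "r" and path in world_readable:
                    continue
                why = "" if path in world_readable else " (not in read-only allowlist)"
                findings.append(f"{path}: world:anyone has '{perms}'{why}")
            else:
                findings.append(f"{path}: unexpected entry {scheme}:{ident}:{perms}")
        owned = any((s, i) == ("sasl", hbase_id) and set(p) == ALL_PERMS
                    for s, i, p in acls[path])
        if not owned:
            findings.append(f"{path}: sasl:{hbase_id} does not hold cdrwa")
    return findings


# Constructed sample dumps (not captured from a real cluster); znode names are
# illustrative. /hbase/rs still carries ZooKeeper's OPEN_ACL_UNSAFE default,
# /hbase/shutdown is readable by anyone although it is not a lookup znode.
SAMPLE_GETACL = {
    "/hbase":                    "'sasl,'hbase\n: cdrwa\n",
    "/hbase/master":             "'sasl,'hbase\n: cdrwa\n",
    "/hbase/root-region-server": "'sasl,'hbase\n: cdrwa\n'world,'anyone\n: r\n",
    "/hbase/rs":                 "'world,'anyone\n: cdrwa\n",
    "/hbase/shutdown":           "'sasl,'hbase\n: cdrwa\n'world,'anyone\n: r\n",
}
WORLD_READABLE = frozenset({"/hbase/root-region-server"})   # hypothetical allowlist


def run_audit() -> List[str]:
    hbase_id = sasl_id_from_principal("hbase/rs1.example.com@EXAMPLE.COM")
    acls = {path: parse_getacl(dump) for path, dump in SAMPLE_GETACL.items()}
    return audit_znode_acls(acls, hbase_id, WORLD_READABLE)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed sample the audit reports three problems: /hbase/rs is still writable by anyone and is not owned by sasl:hbase, and /hbase/shutdown is world-readable without being a lookup znode. Against a real cluster, replace the sample with `getAcl` output captured for every znode under the HBase root and keep the allowlist to exactly the znodes unauthenticated clients need; any other world:anyone entry means the protection the patch intends is not in effect on that node.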
pom.xml
Revision 382c7c2 New Change
[20] 241 lines
[+20]
242
      <url>http://repository.jboss.org/nexus/content/groups/public-jboss/</url>
242
      <url>http://repository.jboss.org/nexus/content/groups/public-jboss/</url>
243
      <snapshots>
243
      <snapshots>
244
        <enabled>false</enabled>
244
        <enabled>false</enabled>
245
      </snapshots>
245
      </snapshots>
246
    </repository>
246
    </repository>
247

    
   
247
    <!-- snapshot builds of Hadoop and ZooKeeper for testing -->

    
   
248
    <repository>

    
   
249
      <id>ghelmling.testing</id>

    
   
250
      <name>Gary Helmling test repo</name>

    
   
251
      <url>http://people.apache.org/~garyh/mvn/</url>

    
   
252
      <snapshots>

    
   
253
        <enabled>true</enabled>

    
   
254
      </snapshots>

    
   
255
      <releases>

    
   
256
        <enabled>true</enabled>

    
   
257
      </releases>

    
   
258
    </repository>
248
  </repositories>
259
  </repositories>
249

    
   
260

   
250
  <build>
261
  <build>
251
    <!-- Some plugins (javadoc for example) can be used in the normal build- and the site phase.
262
    <!-- Some plugins (javadoc for example) can be used in the normal build- and the site phase.
252
         These plugins inherit their options from the <reporting> section below. These settings
263
         These plugins inherit their options from the <reporting> section below. These settings
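Review bot: the new `ghelmling.testing` repository block should not land in the project pom as written; it fetches from a personal directory over plain HTTP (`http://people.apache.org/~garyh/mvn/`) with both `<snapshots>` and `<releases>` enabled, so Maven will also consult it for any release artifact it cannot find in the repositories listed before it, with no transport integrity and no project control over what is published there. Keep it in a local settings.xml or a testing-only profile while the ZooKeeper 3.4.0 snapshot is needed, and at minimum set `<releases><enabled>false</enabled></releases>` so it can only ever supply snapshots.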
[+20] [20] 533 lines
[+20]
786
    <mockito-all.version>1.8.5</mockito-all.version>
797
    <mockito-all.version>1.8.5</mockito-all.version>
787
    <protobuf.version>2.4.0a</protobuf.version>
798
    <protobuf.version>2.4.0a</protobuf.version>
788
    <slf4j.version>1.5.8</slf4j.version><!-- newer version available -->
799
    <slf4j.version>1.5.8</slf4j.version><!-- newer version available -->
789
    <stax-api.version>1.0.1</stax-api.version>
800
    <stax-api.version>1.0.1</stax-api.version>
790
    <thrift.version>0.7.0</thrift.version>
801
    <thrift.version>0.7.0</thrift.version>
791
    <zookeeper.version>3.3.3</zookeeper.version>
802
    <zookeeper.version>3.4.0-SNAPSHOT</zookeeper.version>
792
    <hadoop-snappy.version>0.0.1-SNAPSHOT</hadoop-snappy.version>
803
    <hadoop-snappy.version>0.0.1-SNAPSHOT</hadoop-snappy.version>
793

    
   
804

   
794
    <package.prefix>/usr</package.prefix>	           
805
    <package.prefix>/usr</package.prefix>	           
795
    <package.conf.dir>/etc/hbase</package.conf.dir>  
806
    <package.conf.dir>/etc/hbase</package.conf.dir>  
796
    <package.log.dir>/var/log/hbase</package.log.dir>
807
    <package.log.dir>/var/log/hbase</package.log.dir>
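Review bot: `<zookeeper.version>` moves from the released 3.3.3 to `3.4.0-SNAPSHOT`, which makes every HBase build depend on whatever the snapshot repository serves that day; together with the personal repository added in the earlier hunk, that puts the ZooKeeper code shipped in HBase under the control of one account rather than a release vote. The description says the feature needs ZK 3.4.0, currently at RC2, so this should stay a local override until 3.4.0 is released and then be pinned to `3.4.0`.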
[+20] [20] 574 lines
[+20]
1371
    </profile>     
1382
    </profile>     
1372

    
   
1383

   
1373
    <!-- profile for building against Hadoop 0.20+security-->
1384
    <!-- profile for building against Hadoop 0.20+security-->
1374
    <profile>
1385
    <profile>
1375
      <id>security</id>
1386
      <id>security</id>

    
   
1387
      <properties>

    
   
1388
        <hadoop.version>0.20.205.1-7070-SNAPSHOT</hadoop.version>

    
   
1389
      </properties>
1376
      <build>
1390
      <build>
1377
        <finalName>${artifactId}-${version}-security</finalName>
1391
        <finalName>${artifactId}-${version}-security</finalName>
1378
        <plugins>
1392
        <plugins>
1379
          <plugin>
1393
          <plugin>
1380
            <groupId>org.codehaus.mojo</groupId>
1394
            <groupId>org.codehaus.mojo</groupId>
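Review bot: the `security` profile now hard-codes `<hadoop.version>0.20.205.1-7070-SNAPSHOT</hadoop.version>`, overriding the project's hadoop.version with a snapshot of an unreleased build for every security build; this is unrelated to the ZooKeeper ACL change the description covers and is not explained anywhere in the patch. Either drop it from this review or extend the profile comment to say which Hadoop change the `-7070` build carries and what released version will replace it.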
[+20] [20] 530 lines
src/main/java/org/apache/hadoop/hbase/zookeeper/MiniZooKeeperCluster.java
Revision 05abeb7 New Change
 
src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
Revision 74b9e62 New Change
 
src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
Revision a75cf87 New Change
 
src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java
Revision f613ba9 New Change
 
src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
New File
 