I was planning on working ACCUMULO-135 for 1.5. I suppose in the process of doing this that I could also generalize the authentication mechanism.
On Thu, Jan 5, 2012 at 1:19 PM, John W Vines <john.w.vi...@ugov.gov> wrote:
> We've been mumbling about making the authentication system more pluggable.
> Right now one of the standing issues is that we have the credentials needed to
> perform actions a bit tightly woven with the ZKAuthenticator. These need to
> be segregated better before more progress can be made to allow more
> authenticators.
>
> John
>
> ----- Original Message -----
> | From: "Eric Newton" <eric.new...@gmail.com>
> | To: accumulo-dev@incubator.apache.org
> | Sent: Thursday, January 5, 2012 9:27:18 AM
> | Subject: Re: zookeeper ACL issues
> | The contents of the user node is the 8-byte salt and salted SHA-256 of the
> | user's password. I don't believe there's any encoding: it's just raw bytes.
> |
> | We have not done anything to extend the authentication system, yet.
> | Hopefully we'll be able to leverage the tools now being released for the
> | rest of the Hadoop infrastructure.
> |
> | -Eric
> |
> |
> | On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <klu...@psualum.com> wrote:
> |
> | > That worked for the CLI. What is the data in there? base64 encoding of the
> | > password?
> | >
> | > Have you heard of anyone trying to implement an OAuth style authentication
> | > for the Authenticator? I was thinking I would have to put in a whole layer
> | > that talked to ZK directly for authentication, but perhaps not.
> | >
> | > thanks for help.
> | >
> | > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <eric.new...@gmail.com> wrote:
> | >
> | > > In fact, that's why there is an abstraction for the Authenticator,
> | > > hopefully you can replace it with one of your own.
> | > >
> | > > However, here's the trick for reading the data
> | > >
> | > > zkCli > addauth digest accumulo:DEFAULT
> | > >
> | > > If you have changed the value of "instance.secret" in accumulo-site.xml,
> | > > you need to use that value in order to read what is in the node.
> | > >
> | > > The data there is binary, so you'll need to write some java code to decode
> | > > it... if your process can read accumulo-site.xml, you can use
> | > > ZooReaderWriter to pull the data out: it will always set the additional
> | > > auth flags to be able to read those nodes.
> | > >
> | > > Let me know if this doesn't make sense, and I can provide more details.
> | > >
> | > > -Eric
> | > >
> | > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <klu...@psualum.com> wrote:
> | > >
> | > > > Hey,
> | > > >
> | > > > I've been poking at security features of Accumulo, specifically the
> | > > > user/password stuff in Zookeeper. I was wondering if it would be possible
> | > > > to abstract away the zookeeper ACL authentication, so we could deploy with
> | > > > our own instead of using the "digest" ACL stuff in zookeeper. I looked at
> | > > > doing this but got lost a bit in the innards of how Accumulo authenticates
> | > > > the znodes. Can anyone provide me some guidance? Specifically, it would be
> | > > > useful to know what to do to be able to do an ls of the
> | > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> | > > >
> | > > > Thanks,
> | > > > Jim
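
Added example, not part of the thread and not Accumulo's own code: a stand-alone Java sketch of how a replacement authenticator could decode and check the user-node value described above (8-byte salt plus salted SHA-256, raw bytes). The class name `UserNodeDecoder`, the salt-then-digest layout, the password-then-salt hash input and the UTF-8 password encoding are assumptions; the thread states only the field sizes and that there is no encoding.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class UserNodeDecoder {
    static final int SALT_LEN = 8;    // "8-byte salt", per the thread
    static final int DIGEST_LEN = 32; // SHA-256 output size

    // Assumed layout: salt first, then the digest, with no encoding or separator.
    static byte[][] split(byte[] node) {
        if (node == null || node.length != SALT_LEN + DIGEST_LEN) {
            throw new IllegalArgumentException("expected " + (SALT_LEN + DIGEST_LEN) + " raw bytes");
        }
        return new byte[][] {
            Arrays.copyOfRange(node, 0, SALT_LEN),
            Arrays.copyOfRange(node, SALT_LEN, node.length)
        };
    }

    // Assumed hash input: password bytes followed by the salt, one SHA-256 pass.
    static byte[] saltedHash(byte[] password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password);
        md.update(salt);
        return md.digest();
    }

    // True when the candidate reproduces the stored digest; isEqual compares in constant time.
    static boolean matches(byte[] node, byte[] password) throws NoSuchAlgorithmException {
        byte[][] parts = split(node);
        return MessageDigest.isEqual(parts[1], saltedHash(password, parts[0]));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample node: not data from a real Accumulo instance.
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};
        byte[] password = "example-password".getBytes(StandardCharsets.UTF_8);
        byte[] node = Arrays.copyOf(salt, SALT_LEN + DIGEST_LEN);
        System.arraycopy(saltedHash(password, salt), 0, node, SALT_LEN, DIGEST_LEN);
        System.out.println("correct password: " + matches(node, password));
        System.out.println("wrong password:   " + matches(node, "guess".getBytes(StandardCharsets.UTF_8)));
        try {
            split(Arrays.copyOf(node, 39)); // truncated read of the node
        } catch (IllegalArgumentException e) {
            System.out.println("truncated node rejected: " + e.getMessage());
        }
    }
}
```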