[ 
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13484327#comment-13484327
 ] 

Rakesh R commented on BOOKKEEPER-390:
-------------------------------------

Thanks, Flavio, for taking a look and for the comments.
{quote}
1. When creating a bookkeeper object, we have the option of passing a zookeeper 
object. What if we require that, in the case of zookeeper authentication 
enabled, the application creates a zookeeper object before using bookkeeper?
{quote}
Yeah, it's true; in the case of bkclient we can suggest that the application 
ensure and pass an authenticated zkclient. 
Also, it would be good to use an authenticated zkclient inside the bookie 
server, so that the operations through it are also in secure mode. Consider the 
example of an anonymous bkserver: it can just start and publish its 
IP:PORT in the zk available znode, which could create a security vulnerability.

{quote}
2. We are moving towards having a MetaStore interface (BOOKKEEPER-204) so that 
we can use different backends to store metadata. Should we be looking into 
implementing a more general approach that fits into the MetaStore interface and 
enables authentication for anything that supports SASL?
{quote}
Thanks for pointing me to it; I'll go through the BOOKKEEPER-204 interface.
                
> Provide support for ZooKeeper authentication
> --------------------------------------------
>
>                 Key: BOOKKEEPER-390
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>    Affects Versions: 4.0.0
>            Reporter: Rakesh R
>            Assignee: Rakesh R
>         Attachments: BOOKKEEPER-390-Acl-draftversion.patch
>
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a 
> multi-tenant ZooKeeper cluster.
> Use case: When a user tries to run a ZK cluster in multitenant mode, where 
> more than one client service would like to share a single ZK service instance 
> (cluster). In this case the client services typically want to protect their 
> data (ZK znodes) from access by other services (tenants) on the cluster. Say 
> you are running BK, HBase or ZKFC instances, etc... having 
> authentication/authorization on the znodes is important for both security and 
> helping to ensure that services don't interact negatively (touch each other's 
> data).
> Presently Bookkeeper does not have support for authentication or 
> authorization while accessing ZK. This should be added to the BK 
> clients/server that are accessing the ZK cluster. In general it means calling 
> addAuthInfo once after a session is established.

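The following is an added example, not code from this JIRA issue or its attached patch: a Python model of how ZooKeeper's digest scheme decides whether a session may modify a znode, used to audit which BookKeeper registration znodes an anonymous session (one that never called addAuthInfo) could still write to. The tenant paths, user name and password are constructed assumptions.

```python
import base64
import hashlib

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def digest_id(user, password):
    """ACL id stored by the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def allowed(acl, session_ids, perm):
    """Model of the server-side ACL check.

    acl is a list of (scheme, id, perms); session_ids is the set of
    (scheme, id) pairs the session holds after addAuthInfo (empty if anonymous).
    """
    for scheme, ident, perms in acl:
        if not perms & perm:
            continue
        if (scheme, ident) == ("world", "anyone") or (scheme, ident) in session_ids:
            return True
    return False


def open_to_anonymous(znodes):
    """Paths whose state an unauthenticated session can change."""
    modifying = (WRITE, CREATE, DELETE, ADMIN)
    return sorted(path for path, acl in znodes.items()
                  if any(allowed(acl, set(), bit) for bit in modifying))


# Constructed sample: identity a bookie would present via addAuthInfo("digest", ...).
BOOKIE = ("digest", digest_id("bookie", "constructed-password"))

# Constructed ACL dump for two tenants sharing one ZooKeeper cluster.
ZNODES = {
    # Equivalent of OPEN_ACL_UNSAFE: any session can register an IP:PORT child.
    "/tenantA/ledgers/available": [("world", "anyone", ALL)],
    # Only the authenticated bookie identity may modify; everyone may read.
    "/tenantB/ledgers/available": [BOOKIE + (ALL,), ("world", "anyone", READ)],
}

if __name__ == "__main__":
    for path in open_to_anonymous(ZNODES):
        print("anonymous session can modify:", path)
```

In a real audit the ACL lists would come from reading each znode's ACL on the live cluster rather than from an inline dictionary.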