[
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13681909#comment-13681909
]
Rakesh R commented on BOOKKEEPER-390:
-------------------------------------
Hi Ivan,
I'm just trying to figure out the resources which BK is using and which should be
protected from unauthorized access.
# BKClient access to BKServer
# BKClient/BKServer access to the ledgermanager, replicationManager.
# BKClient/BKServer access to the zk znodes data - cookies, bkregistration, auditorvote.
Since these two have different modes of accessing the resources, I'm thinking of
handling them separately, instead of having one common client/server AuthProvider
interface. IMO we can split ClientAuthProvider into two: one for cnxn, which will
have the same implementation as you suggested, and the other one will have metadata
authentication.
Please have a look at the following interfaces. Do they sound good?
ClientCnxnAuthProvider
BookieCnxnAuthProvider
ClientMetadataAuthProvider
BookieMetadataAuthProvider
Also, I have noticed one more thing and am adding it to this JIRA to get the
concerns: presently the cookies, bkreg, auditorvote are ZK specific. Can we
think of introducing a more generic interface 'BookieRegistrationManager' to
manage these? Shall I raise a JIRA for this and work on it?
-Rakesh
> Provide support for ZooKeeper authentication
> --------------------------------------------
>
> Key: BOOKKEEPER-390
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Affects Versions: 4.0.0
> Reporter: Rakesh R
> Assignee: Rakesh R
> Fix For: 4.3.0
>
> Attachments: BOOKKEEPER-390-Acl-draftversion.patch,
> BOOKKEEPER-390-Authentication-interfaces-draftversion.patch
>
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a
> multi-tenant ZooKeeper cluster.
> Use case: When a user tries to run a ZK cluster in multitenant mode, where
> more than one client service would like to share a single ZK service instance
> (cluster). In this case the client services typically want to protect their
> data (ZK znodes) from access by other services (tenants) on the cluster. Say
> you are running BK, HBase or ZKFC instances, etc... having
> authentication/authorization on the znodes is important for both security and
> helping to ensure that services don't interact negatively (touch each other's
> data).
> Presently Bookkeeper does not have support for authentication or
> authorization while accessing ZK. This should be added to the BK
> clients/server that are accessing the ZK cluster. In general it means calling
> addAuthInfo once after a session is established