[
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686281#comment-13686281
]
Sijie Guo commented on BOOKKEEPER-390:
--------------------------------------
Since we already had ledger metadata interfaces, isn't it possible to provide an
auth ledger manager rather than changing this core of bookkeeper? The benefits
of this way are that you could guarantee both clients and bookie server use
the same metadata manager to access the metadata.
For the request authentication, I think we should provide request lifecycle
management hooks (e.g. WSGI request lifecycle through middleware interface,
HBase region lifecycle management through coprocessor), so the authentication
could be one of the hooks.
The hooks could be a simple interface, let's say Middleware (this is just an
example, without thinking deeply).
{code}
interface Middleware<Req, Resp> {
    Resp preProcess(Req request, BookieContext context);
}
{code}
{code}
class AuthMiddleware implements Middleware<BookieRequest, BookieRequest> {
    // Interface methods are implicitly public, so the implementation must be too.
    public BookieRequest preProcess(BookieRequest request, BookieContext context) {
        // Validate the authentication (isAuth is left undefined in this sketch).
        if (isAuth(request)) {
            return request;
        } else {
            // Returning null rejects the request.
            return null;
        }
    }
}
{code}
And the middlewares are loaded by configuration and stacked to process the
requests, so applications could decide what kind of middleware to load and they
could implement their own middlewares to do whatever they want without changing
the core of bookies.
> Provide support for ZooKeeper authentication
> --------------------------------------------
>
> Key: BOOKKEEPER-390
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Affects Versions: 4.0.0
> Reporter: Rakesh R
> Assignee: Rakesh R
> Fix For: 4.3.0
>
> Attachments: BOOKKEEPER-390-Acl-draftversion.patch,
> BOOKKEEPER-390-Authentication-interfaces-draftversion.patch
>
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a
> multi-tenant ZooKeeper cluster.
> Use case: When a user tries to run a ZK cluster in multitenant mode, where
> more than one client service would like to share a single ZK service instance
> (cluster). In this case the client services typically want to protect their
> data (ZK znodes) from access by other services (tenants) on the cluster. Say
> you are running BK, HBase or ZKFC instances, etc... having
> authentication/authorization on the znodes is important for both security and
> helping to ensure that services don't interact negatively (touch each other's
> data).
> Presently Bookkeeper does not have support for authentication or
> authorization while accessing ZK. This should be added to the BK
> clients/server that are accessing the ZK cluster. In general it means calling
> addAuthInfo once after a session is established
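The middleware stack proposed in the comment above, as an added example that is not part of the original comment and not BookKeeper code: middlewares are loaded from a configured class list, run in order, and the stack fails closed. `BookieRequest`, `BookieContext`, the token check standing in for `isAuth`, and the `load`/`admit` helpers are hypothetical; the sample values are constructed (Java 16+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class MiddlewareStackDemo {
    // Hypothetical stand-ins for the types named in the comment.
    record BookieRequest(long ledgerId, String authToken) {}
    record BookieContext(String expectedToken) {}

    interface Middleware<Req, Resp> {
        Resp preProcess(Req request, BookieContext context); // null means "reject"
    }

    public static class AuthMiddleware implements Middleware<BookieRequest, BookieRequest> {
        public BookieRequest preProcess(BookieRequest request, BookieContext context) {
            if (request.authToken() == null) return null;
            // Constant-time comparison against the (constructed) shared token.
            boolean ok = MessageDigest.isEqual(
                request.authToken().getBytes(StandardCharsets.UTF_8),
                context.expectedToken().getBytes(StandardCharsets.UTF_8));
            return ok ? request : null;
        }
    }

    // Builds the stack in configured order. An unknown or non-Middleware class
    // throws and aborts startup instead of silently running without that check.
    @SuppressWarnings("unchecked")
    static List<Middleware<BookieRequest, BookieRequest>> load(String classList) throws Exception {
        List<Middleware<BookieRequest, BookieRequest>> stack = new ArrayList<>();
        for (String name : classList.split(",")) {
            Object m = Class.forName(name.trim()).getDeclaredConstructor().newInstance();
            stack.add((Middleware<BookieRequest, BookieRequest>) m);
        }
        return stack;
    }

    // Fail closed: a null result or an exception from any middleware rejects the request.
    static boolean admit(List<Middleware<BookieRequest, BookieRequest>> stack,
                         BookieRequest request, BookieContext context) {
        for (Middleware<BookieRequest, BookieRequest> m : stack) {
            try { request = m.preProcess(request, context); }
            catch (RuntimeException e) { return false; }
            if (request == null) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        var stack = load(AuthMiddleware.class.getName()); // constructed config value
        BookieContext ctx = new BookieContext("constructed-token");
        System.out.println(admit(stack, new BookieRequest(1L, "constructed-token"), ctx));
        System.out.println(admit(stack, new BookieRequest(1L, "wrong"), ctx));
    }
}
```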