[
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686562#comment-13686562
]
Ivan Kelly commented on BOOKKEEPER-390:
---------------------------------------
[~rakeshr] Firstly, I think even if we do ACL control, we should do
authentication support first. ACL will always depend on auth, and it's much
easier to take these things one step at a time. Secondly, I think we need a
design document for this. My head is starting to hurt thinking of all the
aspects of auth, so it would be really good to have a central document
explaining how the different workflows will work with auth, and how these
protect the cluster from malicious interference.
[~hustlmsp] I like the auth ledger manager idea. I don't quite understand the
middleware thing though. Does the #isAuth() check if the particular request
(such as a write to ledger metadata) is authorized? If not, should it do the
authorization? I think it may be better to have auth as a first class citizen
in the ledger manager, as it's actually the client that the ledger manager uses
that does the authentication.
> Provide support for ZooKeeper authentication
> --------------------------------------------
>
> Key: BOOKKEEPER-390
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Affects Versions: 4.0.0
> Reporter: Rakesh R
> Assignee: Rakesh R
> Fix For: 4.3.0
>
> Attachments: BOOKKEEPER-390-Acl-draftversion.patch,
> BOOKKEEPER-390-Authentication-interfaces-draftversion.patch
>
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a
> multi-tenant ZooKeeper cluster.
> Use case: When a user tries to run a ZK cluster in multitenant mode, where
> more than one client service would like to share a single ZK service instance
> (cluster). In this case the client services typically want to protect their
> data (ZK znodes) from access by other services (tenants) on the cluster. Say
> you are running BK, HBase or ZKFC instances, etc... having
> authentication/authorization on the znodes is important for both security and
> helping to ensure that services don't interact negatively (touch each other's
> data).
> Presently Bookkeeper does not have support for authentication or
> authorization while accessing ZK. This should be added to the BK
> clients/server that are accessing the ZK cluster. In general it means calling
> addAuthInfo once after a session is established
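Added example, not part of the JIRA thread or of BookKeeper's code: a small Python model of ZooKeeper's digest scheme, showing why addAuthInfo has to be called on the session before znodes are created with creator-only ACLs, and how that keeps one tenant out of another's znodes. The tenant names, passwords and paths are constructed; the model leaves out the parent-node CREATE check and the super user.

```python
import base64
import hashlib

READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
CREATOR_ALL = [(ALL, "auth", "")]          # models ZooDefs.Ids.CREATOR_ALL_ACL
OPEN_UNSAFE = [(ALL, "world", "anyone")]   # models ZooDefs.Ids.OPEN_ACL_UNSAFE

def digest_id(user, password):
    """ACL id used by the digest scheme: user:base64(sha1(user:password))."""
    raw = f"{user}:{password}".encode()
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode()}"

class Session:
    """One client session; add_auth_info stands in for ZooKeeper.addAuthInfo."""
    def __init__(self):
        self.ids = set()  # (scheme, id) pairs attached to this session

    def add_auth_info(self, scheme, auth):
        user, password = auth.decode().split(":", 1)
        self.ids.add((scheme, digest_id(user, password)))

class Tree:
    """Znode ACL store: path -> list of (perms, scheme, id)."""
    def __init__(self):
        self.acls = {}

    def create(self, session, path, acl):
        fixed = []
        for perms, scheme, ident in acl:
            if scheme == "auth":  # expands to the creator's own ids
                if not session.ids:
                    raise PermissionError("InvalidACL: no auth info on session")
                fixed += [(perms, s, i) for s, i in sorted(session.ids)]
            else:
                fixed.append((perms, scheme, ident))
        self.acls[path] = fixed

    def allowed(self, session, path, perm):
        ids = session.ids | {("world", "anyone")}
        return any(p & perm and (s, i) in ids for p, s, i in self.acls[path])

def demo():
    """Constructed tenants: (owner write, other tenant write, write to open node)."""
    bk, other, tree = Session(), Session(), Tree()
    bk.add_auth_info("digest", b"bookkeeper:constructed-secret")
    other.add_auth_info("digest", b"hbase:constructed-secret")
    tree.create(bk, "/ledgers", CREATOR_ALL)
    tree.create(bk, "/open", OPEN_UNSAFE)
    return tuple(tree.allowed(s, p, WRITE) for s, p in
                 [(bk, "/ledgers"), (other, "/ledgers"), (other, "/open")])
```

A session that never calls add_auth_info cannot create a node with CREATOR_ALL at all, which is the failure a client hits if the auth call is skipped or made too late.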