This is an automated email from the ASF dual-hosted git repository.
zhaijia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 313cfa6 BOOKKEEPER-1017: Create documentation for ZooKeeper ACLs
313cfa6 is described below
commit 313cfa66018836e8d6372b06c29ec551fca91e34
Author: Enrico Olivelli <[email protected]>
AuthorDate: Wed Jul 26 17:06:52 2017 +0800
BOOKKEEPER-1017: Create documentation for ZooKeeper ACLs
This is the documentation for ZooKeeper security and there is an intro
about security in general.
It is work-in-progress, I created this PR in order to make it visible and
gather suggestions while writing
Author: Enrico Olivelli <[email protected]>
Reviewers: Jia Zhai <None>, Sijie Guo <None>
This closes #185 from eolivelli/BOOKKEEPER-1017-zookeeper-docs
---
bookkeeper-server/conf/bk_server.conf | 6 ++++
bookkeeper-server/conf/jaas_example.conf | 44 +++++++++++++++++++++++++++++
doc/bookkeeperSecurity.textile | 48 ++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
diff --git a/bookkeeper-server/conf/bk_server.conf
b/bookkeeper-server/conf/bk_server.conf
index 6068ff3..e10aa3e 100644
--- a/bookkeeper-server/conf/bk_server.conf
+++ b/bookkeeper-server/conf/bk_server.conf
@@ -201,6 +201,12 @@ zkServers=localhost:2181
# JVM garbage collection, disk I/O will cause SESSION_EXPIRED.
# Increment this value could help avoiding this issue
zkTimeout=10000
+# Set ACLs on every node written on ZooKeeper, this way only allowed users
+# will be able to read and write BookKeeper metadata stored on ZooKeeper.
+# In order to make ACLs work you need to setup ZooKeeper JAAS authentication
+# all the Bookies and Client need to share the same user, and this is usually
+# done using Kerberos authentication. See ZooKeeper documentation
+zkEnableSecurity=false
## NIO Server settings
diff --git a/bookkeeper-server/conf/jaas_example.conf
b/bookkeeper-server/conf/jaas_example.conf
new file mode 100644
index 0000000..101b2d9
--- /dev/null
+++ b/bookkeeper-server/conf/jaas_example.conf
@@ -0,0 +1,44 @@
+/*
+* Copyright 2016 The Apache Software Foundation
+*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+/*
+ Kerberos Example
+
+ Client {
+ com.sun.security.auth.module.Krb5LoginModule required debug=true
+ useKeyTab=true
+ keyTab="/path/to/keytabfile"
+ storeKey=true
+ useTicketCache=false
+ principal="bookkeeper/HOSTNAME@REALM";
+};
+*/
+
+/*
+ DIGEST-MD5 Example
+
+ Client {
+ org.apache.zookeeper.server.auth.DigestLoginModule required
+ user_hd="testpwd";
+};
+*/
+
+
+
diff --git a/doc/bookkeeperSecurity.textile b/doc/bookkeeperSecurity.textile
new file mode 100644
index 0000000..6969e6c
--- /dev/null
+++ b/doc/bookkeeperSecurity.textile
@@ -0,0 +1,48 @@
+Title: BookKeeper Security
+Notice: Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License. You
may
+ obtain a copy of the License at
"http://www.apache.org/licenses/LICENSE-2.0":http://www.apache.org/licenses/LICENSE-2.0.
+ .
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an "AS IS"
+ BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied. See the License for the specific language governing
permissions
+ and limitations under the License.
+ .
+ .
+
+h1. Security in BookKeeper
+
+Apache BookKeeper is a decentralized platform and there are multiple aspects
to deal with while securing an BookKeeper Cluster.
+
+Metadata are stored on ZooKeeper, so first of all you will need to secure your
ZooKeeper cluster, see "ZooKeeper
security":https://zookeeper.apache.org/security.html
+
+Then you have to take care of access to Bookies, you can configure
authentication and encryption using TLS, out of the box BookKeeper supports
Kerberos authentication, DIGEST-MD5 authentication and TLS encryption. You can
also leverage TLS client authentication in order to protect your data.
+
+h1. ZookKeeper security on BookKeeper
+
+Both clients and Bookies read and write metadata on ZooKeeper, it is also used
for Bookie discovery.
+The best way to protect data stored on ZooKeeper is to put ACLs on every
z-node, this way only authorized users will be able to access (read/write) data
+
+In order to configure BookKeeper and protect ZooKeeper just simply set
zkEnableSecurity=true configuration property on Bookie Configuration
(conf/bk_server.conf).
+On the client side you have to set zkEnableSecurity property to true or use
ClientConfiguration.setZkEnableSecurity(true).
+
+Beware that your Bookies and your clients MUST successfully authenticate to
ZooKeeper cluster.
+You MUST use the same ZooKeeper principal for every Bookie and every Client,
this is usually achived by using Kerberos.
+
+BookKeeper runtime will use ZooDefs.Ids.CREATOR_ALL_ACL ACLs for every new
node. You will get InvalidACL it ZooKeeper authentication is not configured.
+
+In order to make a Bookie authenticate to a secured ZooKeeper cluster you have
to:
+
+- create a jaas.conf file in your "conf" directory (you can just rename
conf/jaas_example.conf and change it according to your needs)
+
+- add -Djava.security.auth.login.config=absolute/path/to/jaas.conf to
BOOKIE_EXTRA_OPTS in conf/bkenv.sh
+
+On the client side you have to follow similar steps but it depends on your
application
+
+Currently there is no migration procedure for changing zkEnableSecurity
+
+if you are moving to zkEnableSecurity=true, new z-nodes will be 'secured' but
old z-nodes will be not covered by ACLs and you will need to set it manually
using ZooKeeper tools
+
+if you are moving to zkEnableSecurity=false you need to reset all ACLs under
the z-node set in zkLedgersRootPath, which defaults to '/ledgers'
--
To stop receiving notification emails like this one, please contact
['"[email protected]" <[email protected]>'].