[ https://issues.apache.org/jira/browse/HADOOP-10868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated HADOOP-10868:
-----------------------------------

    Attachment: HADOOP-10868.patch
                HADOOP-10868_branch-2.patch

The patch adds the ZKSignerSecretProvider and also updates a bunch of 
documentation/javadoc.  It uses Curator to talk to ZooKeeper (this handles a 
lot of connection issues, etc for us).  The security-related code for using 
Kerberos and Kerberos-backed ACLs with ZooKeeper is largely copied from Oozie.  

Here’s an overview of how ZKSignerSecretProvider works:
- The previous, current, and next secrets, plus the next rollover date, get stored in a znode
- On startup, it will try to read from this znode to use these secrets and synchronize its rollover
- The next secret gets decided right after the secret gets rolled over so that rolling to it can be immediate without a network call to ZooKeeper
- The next secret gets decided like this:
  1. All servers generate a new next secret
  2. They then all try to write to the znode at roughly the same time
  3. The znode has a version number, and only one of the servers will succeed (doesn’t matter which)
  4. The servers then load the next secret from the znode so they all have the same one
- I did the coordination this way so that we wouldn’t need to do any leader elections and don’t need any sort of locking
- There’s a bunch of configuration properties (mostly for Kerberos stuff)
  - A subclass of AuthenticationFilter can also provide ZKSignerSecretProvider with its own Curator client, preconfigured however they want. For example, I’m planning on doing this with Oozie so (a) we can reuse the same Curator client that Oozie already manages and (b) the ZK Kerberos configs don’t need to be set by the user twice.

> Create a ZooKeeper-backed secret provider
> -----------------------------------------
>
>                 Key: HADOOP-10868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10868
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10868.patch, HADOOP-10868_branch-2.patch
>
>
> Create a secret provider (see HADOOP-10791) that is backed by ZooKeeper and 
> can synchronize amongst different servers.
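The following is an added example, not code from the HADOOP-10868 patch or from Hadoop/Oozie, that simulates the coordination the comment above describes: several servers share previous/current/next secrets through one znode, and after each rollover they all race to write a candidate next secret with a conditional (versioned) write, so exactly one wins and the rest adopt the winner's secret without any leader election or lock. The `FakeZNode` class stands in for ZooKeeper and Curator (in-memory, with ZooKeeper's compare-and-set version semantics), `SignerServer` is a hypothetical stand-in for a host running the authentication filter, and the byte layout of the znode data (three 32-byte secrets followed by an 8-byte rollover time) is an assumption of this example, not the patch's real format. The sign/verify helpers only illustrate why agreement matters: a value signed on one server must verify on every other, and the previous secret is still accepted for one rollover interval.

```python
import hashlib
import hmac
import os
import struct
import threading

SECRET_LEN = 32
# Assumed layout (not the patch's format): previous | current | next secrets,
# then the next rollover time as a signed 64-bit unix timestamp.
LAYOUT = struct.Struct(">%ds%ds%dsq" % (SECRET_LEN, SECRET_LEN, SECRET_LEN))


class BadVersionError(Exception):
    """Write rejected because the znode version moved (ZooKeeper's BadVersion)."""


class FakeZNode:
    """In-memory znode with ZooKeeper's compare-and-set version semantics."""

    def __init__(self):
        self._lock = threading.Lock()
        self.data, self.version = None, -1      # -1: znode not created yet

    def get(self):
        with self._lock:
            return self.data, self.version

    def create_if_absent(self, data):
        with self._lock:
            if self.version == -1:
                self.data, self.version = data, 0

    def set(self, data, expected_version):
        with self._lock:
            if expected_version != self.version:
                raise BadVersionError()
            self.data, self.version = data, self.version + 1


class SignerServer:
    """One authentication-filter host sharing its signing secrets through the znode."""

    def __init__(self, name, znode, rollover_interval):
        self.name, self.znode, self.interval = name, znode, rollover_interval
        self.previous = self.current = self.next = None
        self.next_rollover, self.zk_version, self.writes_won = 0, -1, 0

    def _pull(self):
        # Remember the version we read: our next write is conditional on it, so a
        # server that rolls over late (stale version) also loses the race.
        data, self.zk_version = self.znode.get()
        (self.previous, self.current, self.next,
         self.next_rollover) = LAYOUT.unpack(data)

    def _pack(self):
        return LAYOUT.pack(self.previous, self.current, self.next, self.next_rollover)

    def start(self, now):
        # Only the first server seeds the znode; every server then adopts its contents.
        self.previous = b"\0" * SECRET_LEN
        self.current, self.next = os.urandom(SECRET_LEN), os.urandom(SECRET_LEN)
        self.next_rollover = now + self.interval
        self.znode.create_if_absent(self._pack())
        self._pull()

    def rollover(self, now, barrier=None):
        """Shift next -> current -> previous locally, then race to choose the new next."""
        self.previous, self.current = self.current, self.next   # no ZK round trip needed
        self.next = os.urandom(SECRET_LEN)                      # our candidate next secret
        self.next_rollover = now + self.interval
        if barrier is not None:
            barrier.wait()              # all servers write "at roughly the same time"
        try:
            self.znode.set(self._pack(), self.zk_version)
            self.writes_won += 1
        except BadVersionError:
            pass                        # another server won; our candidate is discarded
        self._pull()                    # everyone converges on the znode's next secret

    def sign(self, value):
        mac = hmac.new(self.current, value.encode(), hashlib.sha256).hexdigest()
        return value + "&s=" + mac

    def verify(self, signed):
        value, _, mac = signed.rpartition("&s=")
        for secret in (self.current, self.previous):    # previous is valid for one interval
            expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):
                return value
        return None


def simulate_race(num_servers=3, interval=60):
    """Start several servers on one znode and roll them over concurrently."""
    znode = FakeZNode()
    servers = [SignerServer("srv%d" % i, znode, interval) for i in range(num_servers)]
    for s in servers:
        s.start(now=0)
    barrier = threading.Barrier(num_servers)
    threads = [threading.Thread(target=s.rollover, args=(interval, barrier)) for s in servers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return servers


if __name__ == "__main__":
    servers = simulate_race()
    print("writes won per server:", [s.writes_won for s in servers])
    print("all servers agree:", len({(s.previous, s.current, s.next) for s in servers}) == 1)
```

The design point worth noticing is that the version each server sends with its write is the one it captured at its last read, not a fresh read at rollover time; that is what makes the scheme safe even when one server reaches the rollover a little later than the others, since its stale version is rejected and it simply pulls the winner's secret.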



--
This message was sent by Atlassian JIRA
(v6.2#6252)