[
https://issues.apache.org/jira/browse/KNOX-1010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221203#comment-16221203
]
Phil Zampino commented on KNOX-1010:
------------------------------------
[~lmccay] This patch relies on the SASL settings via JAAS configuration, which
consists of a file on disk, pointed to by a system property. The monitor
implementation is ignorant about any application of security configuration.
SASL supports at least digest and kerberos, but the configuration mechanism is
the same.
Obviously, Knox admins should ensure that some authentication is configured for
the ZooKeeper ensemble and the Knox VM. Without this security configuration,
there is no way for Knox to know whether or not the configuration in the znodes
can be trusted.
The attached patch includes RemoteConfigurationMonitorTest.java, which
demonstrates the application of SASL (backed by digest authentication) and
associated znode ACLs restricting access.
At a minimum, the znodes containing any Knox configuration should have ACLs
applied, such that only authenticated ZooKeeper clients can modify the
contents. It would be best if read access is also restricted to authenticated
clients, since some of the config includes security configuration and network
details.
It would be even better if the ACLs were defined such that only a specific
principal can read/write the contents of these specific znodes. Knox would
authenticate as this principal, and probably Ambari when it gains the ability
to manage this config in ZooKeeper.
One or more subsequent JIRA issues should be filed to deal with securing
ZooKeeper interactions more broadly than what is required for this issue (since
there are already other Knox functional areas that employ ZooKeeper clients).
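As an added illustration of the two controls the comment calls for (SASL authentication through a JAAS file named by a system property, and znode ACLs that restrict the Knox configuration nodes to a specific principal), the following Curator client is example code written for this page; it is not from the attached patch, from RemoteConfigurationMonitorTest.java, or from the Knox project. It assumes a ZooKeeper ensemble that already has the SASL authentication provider enabled with a matching `Server` JAAS section, and the principal name `knox`, the placeholder password, the connect string and the `/knox/config/...` znode paths are all assumptions chosen for the example.

```java
// Added example, not Knox project code. Assumes a SASL-enabled ZooKeeper
// ensemble and a JAAS file such as the following, referenced at startup via
// -Djava.security.auth.login.config=/path/to/knox-zk-jaas.conf :
//
//   Client {
//     org.apache.zookeeper.server.auth.DigestLoginModule required
//     username="knox"
//     password="change-me";      // placeholder, not a real secret
//   };
//
// With DigestLoginModule the authenticated identity is the JAAS "username",
// and it is referenced in ACLs through the "sasl" scheme.

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class KnoxZkAclExample {

    // Assumed principal names: Knox itself, and the set of identities allowed
    // to touch the config nodes (Ambari could be added here later).
    private static final String KNOX_PRINCIPAL = "knox";
    private static final List<String> ALLOWED_PRINCIPALS = Arrays.asList(KNOX_PRINCIPAL);
    private static final String CONFIG_ROOT = "/knox/config";   // assumed layout

    // ACL granting full access to the Knox SASL identity only: no world:anyone
    // entry, so unauthenticated clients can neither read nor modify the node.
    static List<ACL> knoxOnlyAcl() {
        return Collections.singletonList(
            new ACL(ZooDefs.Perms.ALL, new Id("sasl", KNOX_PRINCIPAL)));
    }

    static CuratorFramework newClient(String connectString) {
        return CuratorFrameworkFactory.builder()
            .connectString(connectString)
            .retryPolicy(new ExponentialBackoffRetry(1000, 3))
            // Default ACL for every node this client creates (including parents
            // made by creatingParentsIfNeeded), so a forgotten withACL() cannot
            // silently produce a world-accessible znode.
            .aclProvider(new ACLProvider() {
                @Override public List<ACL> getDefaultAcl() { return knoxOnlyAcl(); }
                @Override public List<ACL> getAclForPath(String path) { return knoxOnlyAcl(); }
            })
            .build();
    }

    // The check a consumer should run before trusting remote configuration:
    // every ACL entry on the node must belong to an allowed SASL principal.
    // Any other entry (world:anyone, ip:, digest:, an unexpected sasl id) means
    // someone outside the allowed set could have read or altered the content.
    static boolean isRestrictedToAllowedPrincipals(CuratorFramework client, String path)
            throws Exception {
        List<ACL> acls = client.getACL().forPath(path);
        if (acls.isEmpty()) {
            return false;
        }
        for (ACL acl : acls) {
            Id id = acl.getId();
            boolean allowed = "sasl".equals(id.getScheme())
                           && ALLOWED_PRINCIPALS.contains(id.getId());
            if (!allowed && acl.getPerms() != 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        CuratorFramework client = newClient(args.length > 0 ? args[0] : "localhost:2181");
        client.start();
        try {
            String path = CONFIG_ROOT + "/shared-providers/sandbox-providers.xml";
            byte[] providerConfig = "<gateway>...</gateway>".getBytes("UTF-8"); // constructed sample
            if (client.checkExists().forPath(path) == null) {
                client.create().creatingParentsIfNeeded()
                      .withACL(knoxOnlyAcl())
                      .forPath(path, providerConfig);
            }
            if (!isRestrictedToAllowedPrincipals(client, path)) {
                throw new IllegalStateException("Refusing to load " + path
                    + ": znode ACL grants access beyond " + ALLOWED_PRINCIPALS);
            }
            System.out.println(new String(client.getData().forPath(path), "UTF-8"));
        } finally {
            client.close();
        }
    }
}
```

Run it with `-Djava.security.auth.login.config` pointing at the JAAS file; if the ensemble has no SASL provider configured, the client still connects but authenticates as nobody, and the `sasl:knox` ACL then locks Knox out of its own nodes, which is the visible symptom of the missing security configuration the comment warns about. The ACL check deliberately rejects read-only `world:anyone` entries as well, matching the recommendation that read access be restricted because the stored configuration includes security and network details.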
> Remote Discovery of Knox Topology Configuration
> -----------------------------------------------
>
> Key: KNOX-1010
> URL: https://issues.apache.org/jira/browse/KNOX-1010
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Reporter: Phil Zampino
> Assignee: Phil Zampino
> Labels: kip-8
> Fix For: 0.14.0
>
> Attachments: KNOX-1010-001.patch, KNOX-1010.patch,
> docker-sandbox.json, sandbox-providers.xml, zkupload.sh
>
>
> To support HA deployments, Knox should be able to discover simple topology
> descriptors and provider configuration remotely.
> - Define the ZooKeeper structure for remote config (simple desc, externalized
> provider) discovery
> - Determine the best way to interact with ZooKeeper (REST, or some other
> client binding)
> - Simple descriptor discovery
> - External provider config discovery
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)