[ https://issues.apache.org/jira/browse/RANGER-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942814#comment-16942814 ]

Andor Molnar commented on RANGER-924:
-------------------------------------

Hi [~bosco]

This is a very impressive initiative and would be a great contribution for both 
Ranger and ZooKeeper. Perhaps I could be of some help to you, as I have some 
experience with ZooKeeper already and am happy to learn about Ranger.

How would you imagine the integration?

*AuthN* in ZooKeeper is essentially based on SASL and Kerberos. There're some 
other less secure options present, but most production clusters are running on 
Kerberos. One small thing is missing here: ZooKeeper cannot enforce 
authentication, it needs to be implemented.

[https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication]

*AuthZ* is based on ZooKeeper ACLs.  

[https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl]

One major caveat with ZooKeeper ACLs is that they're not recursive and I 
believe this is the place where Ranger integration could be a huge improvement. 
Ranger would be able to change ACLs on all affected nodes whenever something is 
changed in the access model.

*Audit*

Currently there's no specific audit logging implemented in ZooKeeper. This 
could be another aspect to jump in and improve ZooKeeper, but I'm not sure 
about the details. There's an open Jira for this: 
https://issues.apache.org/jira/browse/ZOOKEEPER-1260 that we might want to pick 
up and continue from.

> Support Authorization and Auditing for Zookeeper
> ------------------------------------------------
>
>                 Key: RANGER-924
>                 URL: https://issues.apache.org/jira/browse/RANGER-924
>             Project: Ranger
>          Issue Type: Improvement
>            Reporter: Bosco
>            Priority: Major
>
> Most of the Hadoop components are storing their states in Zookeeper. And some 
> products (Kafka and Solr) are even storing security policies in Zookeeper.
> Since there is no human interaction with Zookeeper, very often, setting up 
> access controls to Zookeeper is ignored. However, it is very critical to 
> ensure that proper authorization controls are set up for Zookeeper and all 
> access is audited.
> It would be good if someone familiar with Zookeeper can work on a Ranger plugin 
> for Zookeeper. Or help the Ranger team to come up with the integration design.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
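
The comment above notes that ZooKeeper ACLs are not recursive, so a restricted parent znode says nothing about its children. The sketch below is an added example, not part of the original message and not Ranger or ZooKeeper code: it audits a znode-to-ACL dump against a per-subtree policy and reports grants that exceed it. The dump and the policy table are constructed and hypothetical; the permission bit values are those of ZooKeeper's `ZooDefs.Perms`.

```python
# ZooKeeper permission bits (ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# Constructed sample: znode path -> [(scheme, id, perms)], as gathered via getAcl per node.
ZNODE_ACLS = {
    "/kafka": [("sasl", "kafka", ALL)],
    "/kafka/config": [("sasl", "kafka", ALL)],
    "/kafka/config/users": [("world", "anyone", ALL)],  # child created wide open
    "/solr": [("sasl", "solr", ALL), ("world", "anyone", READ)],
    "/solr/security.json": [("sasl", "solr", ALL), ("world", "anyone", READ)],
    "/solr/tmp": [("sasl", "solr", ALL), ("world", "anyone", READ | WRITE)],
}

# Hypothetical policy: subtree root -> ACL every node beneath it should carry.
POLICY = {
    "/kafka": [("sasl", "kafka", ALL)],
    "/solr": [("sasl", "solr", ALL), ("world", "anyone", READ)],
}

def governing_root(path, policy):
    """Return the longest policy root that is `path` or an ancestor of it."""
    matches = [r for r in policy if path == r or path.startswith(r.rstrip("/") + "/")]
    return max(matches, key=len) if matches else None

def excess_grants(actual, expected):
    """Permissions granted on a node beyond what the policy allows, per identity."""
    allowed = {}
    for scheme, ident, perms in expected:
        allowed[(scheme, ident)] = allowed.get((scheme, ident), 0) | perms
    extra = {}
    for scheme, ident, perms in actual:
        over = perms & ~allowed.get((scheme, ident), 0)
        if over:
            extra[(scheme, ident)] = extra.get((scheme, ident), 0) | over
    return extra

def audit(znode_acls, policy):
    """Map each drifting znode to its excess grants; unmanaged paths are skipped."""
    findings = {}
    for path, acl in sorted(znode_acls.items()):
        root = governing_root(path, policy)
        extra = excess_grants(acl, policy[root]) if root else {}
        if extra:
            findings[path] = extra
    return findings

print(audit(ZNODE_ACLS, POLICY))
```

Both parents match their policy, yet two descendants are flagged, which is the drift a recursive policy engine would have to correct node by node.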
