[https://issues.apache.org/jira/browse/RANGER-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944343#comment-16944343]
Andor Molnar commented on RANGER-924:
-------------------------------------
[~bosco]
h3. AuthZ
ZooKeeper ACLs are tightly coupled to its internal data structure. All znodes
in the data tree have an ACL part which could be manipulated by ZooKeeper
commands if the user has the required permission. I see the following options here:
# Leaving ZooKeeper ACLs intact and teaching Ranger how to change ZK ACLs to keep
them in sync with its internal representation of authorization rules. This
option doesn't need any change in ZooKeeper, but possibly has a disadvantage:
if somebody changes ACLs with direct ZooKeeper commands, the Ranger database will
go out of sync, which could cause maintenance problems and needs manual
intervention to fix.
# Replace ZooKeeper's {{checkAcl}} method to call Ranger's implementation. In
this case effective ACLs can only be changed in Ranger, but ZooKeeper commands
are still present; however, they become no-ops. Small ZooKeeper change, not sure
about the amount of work needed on the Ranger side.
# Wire-up everything: all ZK ACL-related commands will effectively call
Ranger's logic. ACLs will be stored in Ranger database and can be manipulated
via both Ranger and Zookeeper API.
In terms of performance implications I think calling Ranger might be less
performant than internal ZooKeeper data, but changing ACLs will not need
consensus in the quorum, so probably faster. Ranger's implementation might also
be more sophisticated than current ZK ACLs.
h3. Audit
I think this is pretty straightforward: the implementation of ZK Audit Logs is
not finalized yet and should be implemented in a plug-in fashion. Ranger will
be easily hooked up and used instead of the default.
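An added example, not part of this comment and not code from the Ranger or ZooKeeper projects, of the drift check that option 1 above would need: it compares the ACLs Ranger believes each znode should carry against the ACLs actually set on the znodes and reports every difference. The znode paths, ACL strings and the assumption that Ranger's view is a map of path to ACL strings are all constructed for the example.

```python
# Added example: detect drift between the ZooKeeper ACLs Ranger intends to
# enforce and the ACLs actually present on znodes (the out-of-sync risk of
# option 1 above). All inputs are constructed; a real check would read the
# "actual" side from ZooKeeper (getAcl) and the "expected" side from Ranger.

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms) keyed by the
# single-letter form zkCli prints: c=CREATE d=DELETE r=READ w=WRITE a=ADMIN
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def parse_acl(acl_str):
    """Parse 'scheme:id:perms' (e.g. 'sasl:alice:cdrwa') into (scheme, id, bits).
    The id may itself contain ':' (digest ids do), so split perms off from the right."""
    head, perms = acl_str.rsplit(":", 1)
    scheme, ident = head.split(":", 1)
    bits = 0
    for ch in perms:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission letter {ch!r} in {acl_str!r}")
        bits |= PERM_BITS[ch]
    return scheme, ident, bits


def bits_to_str(bits):
    """Render a permission bitmask back to zkCli's letter form ('-' if empty)."""
    return "".join(ch for ch in "cdrwa" if bits & PERM_BITS[ch]) or "-"


def find_drift(expected, actual):
    """expected/actual: {znode_path: [acl strings]}. Returns {path: [findings]}
    for every znode whose effective ACL differs from what Ranger expects."""
    drift = {}
    for path in sorted(set(expected) | set(actual)):
        want = {(s, i): b for s, i, b in map(parse_acl, expected.get(path, []))}
        have = {(s, i): b for s, i, b in map(parse_acl, actual.get(path, []))}
        findings = []
        for key in sorted(set(want) | set(have)):
            w, h = want.get(key), have.get(key)
            ident = f"{key[0]}:{key[1]}"
            if h is None:
                findings.append(f"missing entry {ident}")
            elif w is None:
                findings.append(f"unexpected entry {ident}")
            elif w != h:  # same principal, different permission set
                findings.append(f"{ident}: granted extra {bits_to_str(h & ~w)}, "
                                f"lost {bits_to_str(w & ~h)}")
        if findings:
            drift[path] = findings
    return drift


RANGER_POLICY = {  # constructed: what Ranger believes each znode's ACL should be
    "/kafka-acl": ["sasl:kafka:cdrwa"],
    "/solr/security.json": ["sasl:solr:cdrwa", "world:anyone:r"],
}
ZK_ACTUAL = {  # constructed: ACLs after someone ran setAcl directly on ZooKeeper
    "/kafka-acl": ["sasl:kafka:cdrwa", "world:anyone:cdrwa"],
    "/solr/security.json": ["sasl:solr:cdrwa", "world:anyone:rw"],
}

if __name__ == "__main__":
    for path, findings in find_drift(RANGER_POLICY, ZK_ACTUAL).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Scheduling this comparison (or running it after each Ranger policy sync) turns the silent divergence the comment warns about into a detectable, alertable condition.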
> Support Authorization and Auditing for Zookeeper
> ------------------------------------------------
>
> Key: RANGER-924
> URL: https://issues.apache.org/jira/browse/RANGER-924
> Project: Ranger
> Issue Type: Improvement
> Reporter: Bosco
> Priority: Major
>
> Most of the Hadoop components are storing their states in Zookeeper. And some
> products (Kafka and Solr) are even storing security policies in Zookeeper.
> Since there is no human interaction with Zookeeper, very often setting up
> access controls to Zookeeper is ignored. However, it is very critical to
> ensure that proper authorization controls are set up for Zookeeper and all
> access is audited.
> It would be good if someone familiar with Zookeeper can work on a Ranger plugin
> for Zookeeper, or help the Ranger team to come up with the integration design.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)