[ https://issues.apache.org/jira/browse/ZOOKEEPER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080545#comment-13080545 ]
Benjamin Reed commented on ZOOKEEPER-938:
-----------------------------------------
sorry for being off the grid. last week was not good.
great job eugene. overall it looks good. two minor cleanup things: 1) since we
aren't pushing sasl through the pipeline, we should remove it from the Request
class. 2) in the code you added to ZooKeeperServer can you move that big piece
of code in the if clause to a function called processSasl() or something like
that?
KerberosName and Shell use sun.* classes, which cause warnings on the build and
may cause problems on non-sun jvms. are there any workarounds? or are those
classes exposed through java.* or javax.* classes? we either need to fix or
document.
> Support Kerberos authentication of clients.
> -------------------------------------------
>
> Key: ZOOKEEPER-938
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-938
> Project: ZooKeeper
> Issue Type: New Feature
> Components: java client, server
> Reporter: Eugene Koontz
> Assignee: Eugene Koontz
> Fix For: 3.4.0, 3.5.0
>
> Attachments: NIOServerCnxn.patch, ZOOKEEPER-938.patch,
> ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch,
> ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch,
> ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, ZOOKEEPER-938.patch,
> ZOOKEEPER-938.patch, ZOOKEEPER-938.patch, jaas.conf, sasl.patch
>
>
> Support Kerberos authentication of clients.
> The following usage would let an admin use Kerberos authentication to assign
> ACLs to authenticated clients.
> 1. Admin logs into zookeeper (not necessarily through Kerberos however).
> 2. Admin decides that a new node called '/mynode' should be owned by the user
> 'zkclient' and have full permissions on this.
> 3. Admin does: zk> create /mynode content sasl:[email protected]:cdrwa
> 4. User 'zkclient' logs in to Kerberos using the command line utility 'kinit'.
> 5. User connects to zookeeper server using a Kerberos-enabled version of
> zkClient (ZookeeperMain).
> 6. Behind the scenes, the client and server exchange authentication
> information. User is now authenticated as 'zkclient'.
> 7. User accesses /mynode with permissions 'cdrwa'.