[ https://issues.apache.org/jira/browse/HBASE-14426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15047893#comment-15047893 ]

Pankaj Kumar commented on HBASE-14426:
--------------------------------------

As per the current code, we have assumed it to be "sasl" and are validating the same in ZooKeeperWatcher:
{code}
  if (!user.startsWith(AuthUtil.GROUP_PREFIX) && new Id("sasl", user).equals(id)) {
    return true;
  }
{code}

It would be better to have a configuration for this, like "hbase.zookeeper.authProvider.scheme", with "sasl" as the default value.

Also, while creating the ZK ACL, we should consider appending the Kerberos realm to the user:
{code}
  acls.add(new ACL(Perms.ALL, new Id("auth", user)));
{code}


> Authentication provider is hard coded as "auth"
> -----------------------------------------------
>
>                 Key: HBASE-14426
>                 URL: https://issues.apache.org/jira/browse/HBASE-14426
>             Project: HBase
>          Issue Type: Bug
>          Components: Zookeeper
>            Reporter: Pankaj Kumar
>            Assignee: Pankaj Kumar
>
> In ZKUtil.createACL(ZooKeeperWatcher zkw, String node, boolean 
> isSecureZooKeeper),
> {code}
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> Here the scheme is presently hard-coded as "auth"; actually it should be based on 
> the auth provider configured at ZK. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
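
An added example, not part of the original message and not HBase's own code: one way the ACL creation and the ACL check discussed above could read the scheme from a single setting, so the two sides cannot disagree. It assumes the ZooKeeper client jar is on the classpath; `java.util.Properties` stands in for the HBase configuration object, the key is the one proposed in the comment, `GROUP_PREFIX` is a stand-in for `AuthUtil.GROUP_PREFIX`, and the user and realm values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class ZkAclSchemeExample {
  // Key proposed in the comment above; it is a proposal, not an existing setting.
  static final String SCHEME_KEY = "hbase.zookeeper.authProvider.scheme";
  static final String GROUP_PREFIX = "@"; // assumed stand-in for AuthUtil.GROUP_PREFIX

  static String scheme(Properties conf) {
    return conf.getProperty(SCHEME_KEY, "sasl"); // "sasl" is the proposed default
  }

  // Qualify a short user name with the realm unless it already carries one.
  static String principal(String user, String realm) {
    if (realm == null || realm.isEmpty() || user.contains("@")) return user;
    return user + "@" + realm;
  }

  // Creation side: scheme comes from configuration instead of a literal.
  static List<ACL> superUserAcls(Properties conf, String superUser, String realm) {
    List<ACL> acls = new ArrayList<>();
    if (superUser != null && !superUser.startsWith(GROUP_PREFIX)) {
      acls.add(new ACL(Perms.ALL, new Id(scheme(conf), principal(superUser, realm))));
    }
    return acls;
  }

  // Validation side: builds the expected Id exactly as the creation side does.
  static boolean grantsAllTo(Properties conf, List<ACL> acls, String user, String realm) {
    if (user.startsWith(GROUP_PREFIX)) return false;
    Id expected = new Id(scheme(conf), principal(user, realm));
    for (ACL acl : acls) {
      if (acl.getPerms() == Perms.ALL && expected.equals(acl.getId())) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    Properties conf = new Properties(); // constructed: no override, default scheme
    List<ACL> acls = superUserAcls(conf, "hbase", "EXAMPLE.COM");
    System.out.println("consistent: " + grantsAllTo(conf, acls, "hbase", "EXAMPLE.COM"));
    // The pairing quoted in this thread: Id built with a literal "auth", check built with "sasl".
    List<ACL> hardCoded = List.of(new ACL(Perms.ALL, new Id("auth", "hbase")));
    System.out.println("hard-coded: " + grantsAllTo(conf, hardCoded, "hbase", null));
  }
}
```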
