Roberta Marton created TRAFODION-2050:
-----------------------------------------
Summary: Fix a problem we have supporting a Kerberized Zookeeper.
Key: TRAFODION-2050
URL: https://issues.apache.org/jira/browse/TRAFODION-2050
Project: Apache Trafodion
Issue Type: Sub-task
Components: sql-security
Reporter: Roberta Marton
As part of Kerberozing “Trafodion, we want to secure the Trafodion DCS/MXOSRVR
data in ZooKeeper, specifically apply the ACL “auth:sasl:crdwa” to all
/trafodion znodes. The default ACL seems to be “world:anyone:crdwa”, which
means fully open access for everyone.
Once the /trafodion znodes are secured, the ZooKeeper client must authenticate
with Kerberos to access the data. DCS can do this with the ZooKeeper Java
client, after a one-line configuration change in dcs-env.sh. However, MXOSRVR
cannot do this because it uses the ZooKeeper C client, which doesn’t support
Kerberos authentication (see
http://mail-archives.apache.org/mod_mbox/zookeeper-user/201505.mbox/%3CCANLc_9J6b4QCs5QXPFVp7myiOMOMboVme%3DDUNBh4Y-9hY7rHDQ%40mail.gmail.com%3E).
Possible Solutions:
1. Change MXOSRVR to use JNI for all ZooKeeper calls.
2. Reimplement MXOSRVR in Java within the multi-threaded DCS (a new
architecture for MXOSRVR). Until then, use non-secure ACLs for the /trafodion
znodes. To be clear, other znodes would still be secured (e.g., HBase, Hive),
this issue only affects the /trafodion znodes used by DCS/MXOSRVR. As far as we
can tell, the worst case security impact is that someone could delete/modify
the trafodion znodes to cause a Denial of Service (DoS) attack; customer data
would not be compromised.
3. Complete the work for
https://issues.apache.org/jira/browse/ZOOKEEPER-1112 in the ZooKeeper open
source project.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
