[ https://issues.apache.org/jira/browse/ZOOKEEPER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eugene Koontz updated ZOOKEEPER-938: ------------------------------------ Attachment: NIOServerCnxn.patch Do authentication on server side. Does not include java client-side. Also does not have callback support for renewal of credentials (see discussion in ZOOKEEPER-896 about callbacks and credential renewal). > support Kerberos Authentication > ------------------------------- > > Key: ZOOKEEPER-938 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-938 > Project: Zookeeper > Issue Type: New Feature > Components: server > Reporter: Eugene Koontz > Attachments: NIOServerCnxn.patch > > > Support Keberos authentication of clients. > The following usage would let an admin use Kerberos authentication to assign > ACLs to authenticated clients. > 1. Admin logs into zookeeper (not necessarily through Kerberos however). > 2. Admin decides that a new node called '/mynode' should be owned by the user > 'zkclient' and have full permissions on this. > 3. Admin does: zk> create /mynode content kerb:zkcli...@foofers.org:x:cdrwa > (note: for now, the dummy ':x' is a placeholder for the password, and is > required by the zk command parser. The user's actual password is not stored > within Zookeeper; simply put 'x' there.) > 4. User 'zkclient' logins to kerberos using the command line utility 'kinit'. > 5. User connects to zookeeper server using a Kerberos-enabled version of > zkClient (ZookeeperMain). > 6. Behind the scenes, the client and server exchange authentication > information. User is now authenticated as 'zkclient'. > 7. User accesses /mynode with permissions 'cdrwa'. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.