Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-1373

Hardcoded SASL login context name clashes with Hadoop security configuration override

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.4.2
    • 3.4.3, 3.5.0
    • java client
    • None

    Description

      I'm trying to configure a process with Hadoop security (Hive metastore server) to talk to ZooKeeper 3.4.2 with Kerberos authentication. In this scenario Hadoop controls the SASL configuration (org.apache.hadoop.security.UserGroupInformation.HadoopConfiguration), instead of setting up the ZooKeeper "Client" loginContext via jaas.conf and system property

      -Djava.security.auth.login.config

      Using the Hadoop configuration would work, except that ZooKeeper client code expects the loginContextName to be "Client" while Hadoop security will use "hadoop-keytab-kerberos". I verified that by changing the name in the debugger the SASL authentication succeeds while otherwise the login configuration cannot be resolved and the connection to ZooKeeper is unauthenticated.

      To integrate with Hadoop, the following in ZooKeeperSaslClient would need to change to make the name configurable:

      login = new Login("Client",new ClientCallbackHandler(null));

      Attachments

        1. ZOOKEEPER-1373.patch
          5 kB
          Eugene Joseph Koontz
        2. ZOOKEEPER-1373-TW_3_4.patch
          3 kB
          Thomas Weise
        3. ZOOKEEPER-1373.patch
          14 kB
          Eugene Joseph Koontz
        4. ZOOKEEPER-1373.patch
          23 kB
          Eugene Joseph Koontz
        5. ZOOKEEPER-1373.patch
          23 kB
          Eugene Joseph Koontz
        6. ZOOKEEPER-1373.patch
          28 kB
          Eugene Joseph Koontz
        7. ZOOKEEPER-1373.patch
          28 kB
          Eugene Joseph Koontz

        Issue Links

          depends upon

          New Feature - A new feature of the product, which has yet to be developed. ZOOKEEPER-938 Support Kerberos authentication of clients.

          • Major - Major loss of function.
          • Closed
          is depended upon by

          Improvement - An improvement or enhancement to an existing feature or task. HIVE-2712 Make ZooKeeper token store ACL configurable

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-7853 multiple javax security configurations cause conflicts

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1497 Allow server-side SASL login with JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HBASE-4791 Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. ZOOKEEPER-1467 Make server principal configurable at client side.

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-7853 multiple javax security configurations cause conflicts

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              ekoontz Eugene Joseph Koontz
              thw Thomas Weise
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: