You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Problem

We want to secure BookKeeper clusters, so at least we have to cover this main issues:

  • SSL/TLS support for encrypting comunications and/or to implement client authentication
  • Use ACLs while writing to ZooKeeper
  • Provide an extensible Authentication framework (in BookKeeper 4.4.0 there is already partial support for this)
    • Provide a out-of-the box plugin which implements standard SASL authentication, with at least support for GSSAPI/Kerberos and DIGEST-MD5 mechs
  • Provide support for Authorization

Proposal

Major concers are about protocol compatibility, configuration on Bookie side and client-side and rolling upgrades.

SSL Support

TBD

Secure ZooKeeper communications

  • in order to implement secure ZooKeeper comunications at least we have to set ACLs which prevent unknown users to modify and/or access ledgers metadata and bookies metadata
  • the idea is to have a global "secure zookeeper comunications", to be set both on bookies and on clients (as bookkeeper clients do the most of the work actually)

Rolling upgrade to switch from authentication types:

My proposal to support the switch from "no-auth" to any plugin is the following:

1) when no auth is configured on bookie-side the default "AuthDisabledPlugin" plugin comes to play

2) when no  auth is configured on bookies the bookie goes to a permissive mode in which any client is allowed to connect and use bookie functions, any 'auth' message will be answered with an OK status code from the AuthDisabledPlugin

3) when no auth is configured on bookies each attempt of authentication by the client will receive the OK status code from the AuthDisabledPlugin, and so the client will understand that the bookie is not performing  authentication, and goes to the authenticated state

 

A rolling upgrade from AuthDisabledPlugin to any other plugin can be implemented by rebooting clients with the new plugin: this way bookies will authenticate clients with AuthDisabledPlugin and clients will go to authenticated state anyway.

Then you will restart bookies with the new plugin and clients will perform real authentication.

Bookie-to-bookie comunications will follow the same scheme during the rolling upgrade, because each bookie can be a client for the other bookies and will authenticate thru the AuthDisabledPlugin flow or to the requested plugin flow.

Attaching the authenticated user to the connection:

Another issue will be to attach to the server-side view of the connection the user-id (principal) of the client which performed authentication, this will be the base for ACLs.

A change to the AuthProvider interface will be needed.

ISSUE: Do we have to add this feature on 4.5.0  as we are breaking compatibility with 4.4 on protocol ?

 

Kerberos support:

TDB

Action

Unable to render Jira issues macro, execution error.

Unable to render Jira issues macro, execution error.

Unable to render Jira issues macro, execution error.

Unable to render Jira issues macro, execution error.

Unable to render Jira issues macro, execution error.

 

  • No labels