[jira] [Commented] (BOOKKEEPER-391) Support Kerberos authentication of bookkeeper

Mon, 14 Nov 2016 06:20:05 -0800 

    [ 
https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15664044#comment-15664044
 ] 

Enrico Olivelli commented on BOOKKEEPER-391:
--------------------------------------------

thank you [~rakeshr]. The discussion went well and I hope the this feature will 
be pushed on 4.5.0 release.
I see your point about the fact that the Auditor/AutoRecovery has been designed 
as an admin operation.

My original idea was to implement something like your proposal, that is to make 
the clientLoginContext section configurable and pass a value to the BookKeeper 
instance created by the Auditor. This new value in turn could be another 
configuration property, which could default to "BookieAuditor".

{code}
saslClientLoginContextEntry=BookKeeper
saslAuditorLoginContextEntry=BookieAuditor
{code}

When the Auditor creates a BookKeeper client it copies the value from 
saslAuditorLoginContextEntry overriding any other value for 
saslClientLoginContextEntry and the trink is done.


For JAAS/SASL/Kerberos this would work fine, but it requires that special hack 
on the Auditor, that is to deal with a special configuration property which is 
used by the new "SASL Auth Plugin".

Thinking about the general API for AuthProviders IMHO it would be useful to let 
any other AuthPlugin to know whether the client  is going thru authentication 
as a "standard" client or as an "admin"/"system" client.



The "this is the auditor" flag on BookKeeper client configuration will achieve 
this goal.





> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
>                 Key: BOOKKEEPER-391
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>            Reporter: Rakesh R
>            Assignee: Enrico Olivelli
>
> This JIRA to discuss authentication mechanism of bookie clients and server. 
> Assume ZK provides fully secured communication channel using Kerberos based 
> authentication and authorization model. We could also manage and renew users 
> authenticated to BK via Kerberos. There is currently no configuration or 
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish connection with 
> the bookkeeper server. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to