ranger-dev mailing list archives

From "Andor Molnar (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-924) Support Authorization and Auditing for Zookeeper
Date Wed, 02 Oct 2019 13:33:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16942814#comment-16942814 ]

Andor Molnar commented on RANGER-924:
-------------------------------------

Hi [~bosco]

This is a very impressive initiative and would be a great contribution for both Ranger and ZooKeeper.
Perhaps I could be of some help to you, as I have some experience with ZooKeeper already and
am happy to learn about Ranger.

How would you imagine the integration?

*AuthN* in ZooKeeper is essentially based on SASL and Kerberos. There're some other less secure
options present, but most production clusters are running on Kerberos. One small thing is
missing here: ZooKeeper cannot enforce authentication, it needs to be implemented.

[https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication]

*AuthZ* is based on ZooKeeper ACLs.  

[https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl]

One major caveat with ZooKeeper ACLs is that they're not recursive and I believe this is the
place where Ranger integration could be a huge improvement. Ranger would be able to change
ACLs on all affected nodes whenever something is changed in the access model.

*Audit*

Currently there's no specific audit logging implemented in ZooKeeper. This could be another
aspect to jump in and improve ZooKeeper, but I'm not sure about the details. There's an open
Jira for this: https://issues.apache.org/jira/browse/ZOOKEEPER-1260 that we might want to
pick up and continue from.

> Support Authorization and Auditing for Zookeeper
> ------------------------------------------------
>
>                 Key: RANGER-924
>                 URL: https://issues.apache.org/jira/browse/RANGER-924
>             Project: Ranger
>          Issue Type: Improvement
>            Reporter: Bosco
>            Priority: Major
>
> Most of the Hadoop components are storing their states in Zookeeper. And some products
> (Kafka and Solr) are even storing security policies in Zookeeper.
> Since there is no human interaction with Zookeeper, very often, setting up access controls
> to Zookeeper is ignored. However, it is very critical to ensure that proper authorization
> controls are set up for Zookeeper and all access is audited.
> It would be good if someone familiar with Zookeeper can work on a Ranger plugin for Zookeeper.
> Or help the Ranger team to come up with the integration design.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
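
The non-recursive ACL behaviour mentioned in the comment above, as an added example that is not part of the original message or of Ranger or ZooKeeper code. It walks a subtree, reports znodes whose ACL differs from the intended one, and applies the ACL to each of them. Assumptions: `FakeZk` is a constructed in-memory stand-in whose method names follow the kazoo Python client (`get_children`, `get_acls`, `set_acls`), and ACLs are simplified to `(scheme, id, perms)` tuples.

```python
# Added example: in-memory stand-in for a ZooKeeper tree (constructed data).
class FakeZk:
    """Mimics kazoo's get_children/get_acls/set_acls on a dict of znodes."""
    def __init__(self, acls):
        self.acls = dict(acls)            # path -> list of (scheme, id, perms)

    def get_children(self, path):
        prefix = path.rstrip("/") + "/"
        return sorted(p[len(prefix):] for p in self.acls
                      if p != path and p.startswith(prefix)
                      and "/" not in p[len(prefix):])

    def get_acls(self, path):
        return self.acls[path], None      # kazoo returns (acls, stat)

    def set_acls(self, path, acls, version=-1):
        self.acls[path] = list(acls)      # one znode only: no inheritance


def walk(zk, root):
    """Yield root and every descendant path, parents before children."""
    stack = [root]
    while stack:
        path = stack.pop()
        yield path
        base = path.rstrip("/")
        stack.extend(f"{base}/{c}" for c in reversed(zk.get_children(path)))


def find_drift(zk, root, wanted):
    """Return paths under root whose ACL differs from the wanted ACL."""
    return [p for p in walk(zk, root)
            if sorted(zk.get_acls(p)[0]) != sorted(wanted)]


def apply_recursive(zk, root, wanted):
    """Set the wanted ACL on root and all descendants; return changed paths."""
    changed = find_drift(zk, root, wanted)
    for p in changed:
        zk.set_acls(p, wanted)
    return changed


OPEN = [("world", "anyone", "cdrwa")]     # constructed sample ACLs
LOCKED = [("sasl", "kafka", "cdrwa")]

def sample_tree():
    return FakeZk({"/": OPEN, "/kafka": OPEN, "/kafka/brokers": OPEN,
                   "/kafka/brokers/ids": OPEN, "/solr": OPEN})
```

Setting `LOCKED` on `/kafka` alone leaves `/kafka/brokers` and `/kafka/brokers/ids` world-accessible until `apply_recursive` visits them.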
