-Re: Accessing ZK nodes from pluggable auth module
Warren Turkal 2012-08-02, 23:44
I just filed an issue to track this:
On Thu, Aug 2, 2012 at 1:19 PM, Warren Turkal <[EMAIL PROTECTED]> wrote:
> Ok, so I plumbed a ZKDatabase into the auth plugins. I do this by adding a
> setter to the AuthenticationProvider interface that is called after
> construction so that I can use the current method to construct the
> AuthProviders in the ProviderRegistry. I also added a ZooKeeperServer arg
> to both ProviderRegistry.initialize() and ProviderRegistry.getProvider().
> All the places where getProvider is called happened to have a
> ZooKeeperServer object available for the passing. I also added an
> implementation that does nothing for the setter to each of the existing
> The cool thing is that I get access to the ZKDatabase object on the
> system. This allows me to drive auth decisions from the ZKDatabase.
> Would a patch for this plumbing be interesting in an of itself?
> On Tue, Jul 31, 2012 at 2:37 PM, Warren Turkal <[EMAIL PROTECTED]> wrote:
>> On Tue, Jul 31, 2012 at 2:02 PM, Patrick Hunt <[EMAIL PROTECTED]> wrote:
>> > On Mon, Jul 30, 2012 at 11:04 AM, Warren Turkal <[EMAIL PROTECTED]> wrote:
>> > > I'm sure this is a really newbie type question, but I couldn't find
>> > on
>> > > how to do this.
>> > >
>> > > I am researching making a pluggable auth module. Is there any way to
>> > access
>> > > data in zookeeper nodes from a pluggable auth module? I'd like to
>> > the
>> > > auth data within a collection of zookeeper nodes.
>> > >
>> > We don't provide for this. Wouldn't you need auth for those znodes in
>> > order to provide auth? Seems like a circular problem...
>> The auth can be overridden by other methods just like normally can happen
>> so the auth for these nodes could come from the digest scheme instead of
>> this module. Here's a description of the method I am trying to implement.
>> I want to map a machine (via hostname) to a machine owner. For example,
>> following nodes would exist in the zookeeper with the following contents:
>> - /authdb/owner_principal_machines/ops-full:
>> - /authdb/owner_principal_machines/ops-n00b:
>> If the machine u23-r8.region1.localdomain (owned by dbmaster according to
>> the nodes above) connects to zookeeper, I would like it to be able to do
>> the CLI equivalent of "addauth authdb" to authenticate as the dbmaster
>> For flexibility, there are also hierarchical roles, which are also
>> represented with nodes. Those nodes would look like the following:
>> - /authdb/principal_children/ops
>> - /authdb/principal_children/ops-app1
>> - /authdb/principal_parents/ops-full
>> - /authdb/principal_parents/ops-limited
>> Note that each of the nodes is a full expansion so that only one node
>> to be consulted when determining a match for an id to an ACL.
>> These particular nodes would indicate that any machines owned by the
>> "ops-full" or "ops-limited" would also match the when the ACL was for the
>> "ops" id as well as their own names.
>> Perhaps open a client connection from the auth provider itself? (i'm
>> > not sure if this would work, I don't think anyone ever tried it)
>> Is there any way to get the configuration information so that I can get
>> server names from there, or is there some other way to discover the server
>> names from within the server process so that I don't have to hard code it
>> in some other way?
>> > > Also, I've been unable to send message to this list from another email
>> > > address. I keep getting bounces claiming that the message is spammy.
>> > > anyone else getting rejected similarly?
>> > I haven't heard anything like that. You might check with the Apache