Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
Zookeeper, mail # dev - Accessing ZK nodes from pluggable auth module


Copy link to this message
-
Re: Accessing ZK nodes from pluggable auth module
Warren Turkal 2012-07-31, 21:37
On Tue, Jul 31, 2012 at 2:02 PM, Patrick Hunt <[EMAIL PROTECTED]> wrote:

> On Mon, Jul 30, 2012 at 11:04 AM, Warren Turkal <[EMAIL PROTECTED]> wrote:
> > I'm sure this is a really newbie type question, but I couldn't find docs
> on
> > how to do this.
> >
> > I am researching making a pluggable auth module. Is there any way to
> access
> > data in zookeeper nodes from a pluggable auth module? I'd like to store
> the
> > auth data within a collection of zookeeper nodes.
> >
>
> We don't provide for this. Wouldn't you need auth for those znodes in
> order to provide auth? Seems like a circular problem...
>

The auth can be overridden by other methods just like normally can happen
so the auth for these nodes could come from the digest scheme instead of
this module. Here's a description of the method I am trying to implement.

I want to map a machine (via hostname) to a machine owner. For example, the
following nodes would exist in the zookeeper with the following contents:

   - /authdb/owner_principal_machines/ops-full:
   u23-r8.region1.localdomain
   u24-r23.region1.localdomain
   - /authdb/owner_principal_machines/ops-n00b:
   u12-r7.region1.localdomain
   u13-r8.region1.localdomain

If the machine u23-r8.region1.localdomain (owned by dbmaster according to
the nodes above) connects to zookeeper, I would like it to be able to do
the CLI equivalent of "addauth authdb" to authenticate as the dbmaster role.

For flexibility, there are also hierarchical roles, which are also
represented with nodes. Those nodes would look like the following:

   - /authdb/principal_children/ops
   ops-full
   ops-limited
   - /authdb/principal_children/ops-app1
   ops
   - /authdb/principal_parents/ops-full
   ops
   ops-app1
   - /authdb/principal_parents/ops-limited
   ops
   ops-app1

Note that each of the nodes is a full expansion so that only one node needs
to be consulted when determining a match for an id to an ACL.

These particular nodes would indicate that any machines owned by the
"ops-full" or "ops-limited" would also match the when the ACL was for the
"ops" id as well as their own names.

Perhaps open a client connection from the auth provider itself? (i'm
> not sure if this would work, I don't think anyone ever tried it)
>

Is there any way to get the configuration information so that I can get the
server names from there, or is there some other way to discover the server
names from within the server process so that I don't have to hard code it
in some other way?
> > Also, I've been unable to send message to this list from another email
> > address. I keep getting bounces claiming that the message is spammy. Is
> > anyone else getting rejected similarly?
>
> I haven't heard anything like that. You might check with the Apache
> infra team, they manage the mailing lists (outside regular
> moderation).
>

Thanks for the info. I sent a message to the dev-owner@z.a.o alias. Will
that go anywhere useful?

Thanks,
wt
--
*Warren Turkal*
Site Reliability Engineer |
[EMAIL PROTECTED] | 650-961-3400
www.ooyala.com | blog <http://www.ooyala.com/blog> |
@ooyala<http://www.twitter.com/ooyala>