Jim Klucar
2012-01-04, 20:09
Eric Newton
2012-01-04, 20:48
Jim Klucar
2012-01-05, 02:14
Eric Newton
2012-01-05, 14:27
John W Vines
2012-01-05, 18:19
Keith Turner
2012-01-05, 18:24
John W Vines
2012-01-05, 20:59
-
zookeeper ACL issuesJim Klucar 2012-01-04, 20:09
Hey,
I've been poking at security features of Accumulo, specifically the
user/password stuff in Zookeeper. I was wondering if it would be possible
to abstract away the zookeeper ACL authentication, so we could deploy with
our own instead of using the "digest" ACL stuff in zookeeper. I looked at
doing this but got lost a bit in the innards of how Accumulo authenticates
the znodes. Can anyone provide me some guidance? Specifically, it would be
useful to know what to do to be able to do an ls of the
/accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
Thanks,
Jim
I've been poking at security features of Accumulo, specifically the
user/password stuff in Zookeeper. I was wondering if it would be possible
to abstract away the zookeeper ACL authentication, so we could deploy with
our own instead of using the "digest" ACL stuff in zookeeper. I looked at
doing this but got lost a bit in the innards of how Accumulo authenticates
the znodes. Can anyone provide me some guidance? Specifically, it would be
useful to know what to do to be able to do an ls of the
/accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
Thanks,
Jim
-
Re: zookeeper ACL issuesEric Newton 2012-01-04, 20:48
In fact, that's why there is an abstraction for the Authenticator,
hopefully you can replace it with one of your own.
However, here's the trick for reading the data
zkCli > addauth digest accumulo:DEFAULT
If you have changed the value of "instance.secret" in accumulo-site.xml,
you need to use that value in order to read what is in the node.
The data there is binary, so you'll need to write some java code to decode
it... if your process can read accumulo-site.xml, you can use
ZooReaderWriter to pull the data out: it will always set the additional
auth flags to be able to read those nodes.
Let me know if this doesn't make sense, and I can provide more details.
-Eric
On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> Hey,
>
> I've been poking at security features of Accumulo, specifically the
> user/password stuff in Zookeeper. I was wondering if it would be possible
> to abstract away the zookeeper ACL authentication, so we could deploy with
> our own instead of using the "digest" ACL stuff in zookeeper. I looked at
> doing this but got lost a bit in the innards of how Accumulo authenticates
> the znodes. Can anyone provide me some guidance? Specifically, it would be
> useful to know what to do to be able to do an ls of the
> /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
>
> Thanks,
> Jim
>
hopefully you can replace it with one of your own.
However, here's the trick for reading the data
zkCli > addauth digest accumulo:DEFAULT
If you have changed the value of "instance.secret" in accumulo-site.xml,
you need to use that value in order to read what is in the node.
The data there is binary, so you'll need to write some java code to decode
it... if your process can read accumulo-site.xml, you can use
ZooReaderWriter to pull the data out: it will always set the additional
auth flags to be able to read those nodes.
Let me know if this doesn't make sense, and I can provide more details.
-Eric
On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> Hey,
>
> I've been poking at security features of Accumulo, specifically the
> user/password stuff in Zookeeper. I was wondering if it would be possible
> to abstract away the zookeeper ACL authentication, so we could deploy with
> our own instead of using the "digest" ACL stuff in zookeeper. I looked at
> doing this but got lost a bit in the innards of how Accumulo authenticates
> the znodes. Can anyone provide me some guidance? Specifically, it would be
> useful to know what to do to be able to do an ls of the
> /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
>
> Thanks,
> Jim
>
-
Re: zookeeper ACL issuesJim Klucar 2012-01-05, 02:14
That worked for the CLI. What is the data in there? base64 encoding of the
password?
Have you heard of anyone trying to implement an OAuth style authentication
for the Authenticator? I was thinking I would have to put in a whole layer
that talked to ZK directly for authentication, but perhaps not.
thanks for help.
On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]> wrote:
> In fact, that's why there is an abstraction for the Authenticator,
> hopefully you can replace it with one of your own.
>
> However, here's the trick for reading the data
>
> zkCli > addauth digest accumulo:DEFAULT
>
> If you have changed the value of "instance.secret" in accumulo-site.xml,
> you need to use that value in order to read what is in the node.
>
> The data there is binary, so you'll need to write some java code to decode
> it... if your process can read accumulo-site.xml, you can use
> ZooReaderWriter to pull the data out: it will always set the additional
> auth flags to be able to read those nodes.
>
> Let me know if this doesn't make sense, and I can provide more details.
>
> -Eric
>
> On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
>
> > Hey,
> >
> > I've been poking at security features of Accumulo, specifically the
> > user/password stuff in Zookeeper. I was wondering if it would be possible
> > to abstract away the zookeeper ACL authentication, so we could deploy
> with
> > our own instead of using the "digest" ACL stuff in zookeeper. I looked at
> > doing this but got lost a bit in the innards of how Accumulo
> authenticates
> > the znodes. Can anyone provide me some guidance? Specifically, it would
> be
> > useful to know what to do to be able to do an ls of the
> > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> >
> > Thanks,
> > Jim
> >
>
password?
Have you heard of anyone trying to implement an OAuth style authentication
for the Authenticator? I was thinking I would have to put in a whole layer
that talked to ZK directly for authentication, but perhaps not.
thanks for help.
On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]> wrote:
> In fact, that's why there is an abstraction for the Authenticator,
> hopefully you can replace it with one of your own.
>
> However, here's the trick for reading the data
>
> zkCli > addauth digest accumulo:DEFAULT
>
> If you have changed the value of "instance.secret" in accumulo-site.xml,
> you need to use that value in order to read what is in the node.
>
> The data there is binary, so you'll need to write some java code to decode
> it... if your process can read accumulo-site.xml, you can use
> ZooReaderWriter to pull the data out: it will always set the additional
> auth flags to be able to read those nodes.
>
> Let me know if this doesn't make sense, and I can provide more details.
>
> -Eric
>
> On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
>
> > Hey,
> >
> > I've been poking at security features of Accumulo, specifically the
> > user/password stuff in Zookeeper. I was wondering if it would be possible
> > to abstract away the zookeeper ACL authentication, so we could deploy
> with
> > our own instead of using the "digest" ACL stuff in zookeeper. I looked at
> > doing this but got lost a bit in the innards of how Accumulo
> authenticates
> > the znodes. Can anyone provide me some guidance? Specifically, it would
> be
> > useful to know what to do to be able to do an ls of the
> > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> >
> > Thanks,
> > Jim
> >
>
-
Re: zookeeper ACL issuesEric Newton 2012-01-05, 14:27
The contents of the user node is the 8-byte salt and salted SHA-256 of the
user's password. I don't believe there's any encoding: it's just raw bytes.
We have not done anything to extend the authentication system, yet.
Hopefully we'll be able to leverage the tools now being released for the
rest of the Hadoop infrastructure.
-Eric
On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> That worked for the CLI. What is the data in there? base64 encoding of the
> password?
>
> Have you heard of anyone trying to implement an OAuth style authentication
> for the Authenticator? I was thinking I would have to put in a whole layer
> that talked to ZK directly for authentication, but perhaps not.
>
> thanks for help.
>
> On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]> wrote:
>
> > In fact, that's why there is an abstraction for the Authenticator,
> > hopefully you can replace it with one of your own.
> >
> > However, here's the trick for reading the data
> >
> > zkCli > addauth digest accumulo:DEFAULT
> >
> > If you have changed the value of "instance.secret" in accumulo-site.xml,
> > you need to use that value in order to read what is in the node.
> >
> > The data there is binary, so you'll need to write some java code to
> decode
> > it... if your process can read accumulo-site.xml, you can use
> > ZooReaderWriter to pull the data out: it will always set the additional
> > auth flags to be able to read those nodes.
> >
> > Let me know if this doesn't make sense, and I can provide more details.
> >
> > -Eric
> >
> > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> >
> > > Hey,
> > >
> > > I've been poking at security features of Accumulo, specifically the
> > > user/password stuff in Zookeeper. I was wondering if it would be
> possible
> > > to abstract away the zookeeper ACL authentication, so we could deploy
> > with
> > > our own instead of using the "digest" ACL stuff in zookeeper. I looked
> at
> > > doing this but got lost a bit in the innards of how Accumulo
> > authenticates
> > > the znodes. Can anyone provide me some guidance? Specifically, it
> would
> > be
> > > useful to know what to do to be able to do an ls of the
> > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> > >
> > > Thanks,
> > > Jim
> > >
> >
>
user's password. I don't believe there's any encoding: it's just raw bytes.
We have not done anything to extend the authentication system, yet.
Hopefully we'll be able to leverage the tools now being released for the
rest of the Hadoop infrastructure.
-Eric
On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> That worked for the CLI. What is the data in there? base64 encoding of the
> password?
>
> Have you heard of anyone trying to implement an OAuth style authentication
> for the Authenticator? I was thinking I would have to put in a whole layer
> that talked to ZK directly for authentication, but perhaps not.
>
> thanks for help.
>
> On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]> wrote:
>
> > In fact, that's why there is an abstraction for the Authenticator,
> > hopefully you can replace it with one of your own.
> >
> > However, here's the trick for reading the data
> >
> > zkCli > addauth digest accumulo:DEFAULT
> >
> > If you have changed the value of "instance.secret" in accumulo-site.xml,
> > you need to use that value in order to read what is in the node.
> >
> > The data there is binary, so you'll need to write some java code to
> decode
> > it... if your process can read accumulo-site.xml, you can use
> > ZooReaderWriter to pull the data out: it will always set the additional
> > auth flags to be able to read those nodes.
> >
> > Let me know if this doesn't make sense, and I can provide more details.
> >
> > -Eric
> >
> > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> >
> > > Hey,
> > >
> > > I've been poking at security features of Accumulo, specifically the
> > > user/password stuff in Zookeeper. I was wondering if it would be
> possible
> > > to abstract away the zookeeper ACL authentication, so we could deploy
> > with
> > > our own instead of using the "digest" ACL stuff in zookeeper. I looked
> at
> > > doing this but got lost a bit in the innards of how Accumulo
> > authenticates
> > > the znodes. Can anyone provide me some guidance? Specifically, it
> would
> > be
> > > useful to know what to do to be able to do an ls of the
> > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> > >
> > > Thanks,
> > > Jim
> > >
> >
>
-
Re: zookeeper ACL issuesJohn W Vines 2012-01-05, 18:19
We've been mumbling about making the authentication system more pluggable. Right now one of the standing issues is that we have the credentials need to perform actions a bit tightly woven with the ZKAuthenticator. These need to be segregated better before more progress can be made allow more authenticators.
John
----- Original Message -----
| From: "Eric Newton" <[EMAIL PROTECTED]>
| To: [EMAIL PROTECTED]
| Sent: Thursday, January 5, 2012 9:27:18 AM
| Subject: Re: zookeeper ACL issues
| The contents of the user node is the 8-byte salt and salted SHA-256 of
| the
| user's password. I don't believe there's any encoding: it's just raw
| bytes.
|
| We have not done anything to extend the authentication system, yet.
| Hopefully we'll be able to leverage the tools now being released for
| the
| rest of the Hadoop infrastructure.
|
| -Eric
|
|
| On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
|
| > That worked for the CLI. What is the data in there? base64 encoding
| > of the
| > password?
| >
| > Have you heard of anyone trying to implement an OAuth style
| > authentication
| > for the Authenticator? I was thinking I would have to put in a whole
| > layer
| > that talked to ZK directly for authentication, but perhaps not.
| >
| > thanks for help.
| >
| > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]>
| > wrote:
| >
| > > In fact, that's why there is an abstraction for the Authenticator,
| > > hopefully you can replace it with one of your own.
| > >
| > > However, here's the trick for reading the data
| > >
| > > zkCli > addauth digest accumulo:DEFAULT
| > >
| > > If you have changed the value of "instance.secret" in
| > > accumulo-site.xml,
| > > you need to use that value in order to read what is in the node.
| > >
| > > The data there is binary, so you'll need to write some java code
| > > to
| > decode
| > > it... if your process can read accumulo-site.xml, you can use
| > > ZooReaderWriter to pull the data out: it will always set the
| > > additional
| > > auth flags to be able to read those nodes.
| > >
| > > Let me know if this doesn't make sense, and I can provide more
| > > details.
| > >
| > > -Eric
| > >
| > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]>
| > > wrote:
| > >
| > > > Hey,
| > > >
| > > > I've been poking at security features of Accumulo, specifically
| > > > the
| > > > user/password stuff in Zookeeper. I was wondering if it would be
| > possible
| > > > to abstract away the zookeeper ACL authentication, so we could
| > > > deploy
| > > with
| > > > our own instead of using the "digest" ACL stuff in zookeeper. I
| > > > looked
| > at
| > > > doing this but got lost a bit in the innards of how Accumulo
| > > authenticates
| > > > the znodes. Can anyone provide me some guidance? Specifically,
| > > > it
| > would
| > > be
| > > > useful to know what to do to be able to do an ls of the
| > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
| > > >
| > > > Thanks,
| > > > Jim
| > > >
| > >
| >
John
----- Original Message -----
| From: "Eric Newton" <[EMAIL PROTECTED]>
| To: [EMAIL PROTECTED]
| Sent: Thursday, January 5, 2012 9:27:18 AM
| Subject: Re: zookeeper ACL issues
| The contents of the user node is the 8-byte salt and salted SHA-256 of
| the
| user's password. I don't believe there's any encoding: it's just raw
| bytes.
|
| We have not done anything to extend the authentication system, yet.
| Hopefully we'll be able to leverage the tools now being released for
| the
| rest of the Hadoop infrastructure.
|
| -Eric
|
|
| On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
|
| > That worked for the CLI. What is the data in there? base64 encoding
| > of the
| > password?
| >
| > Have you heard of anyone trying to implement an OAuth style
| > authentication
| > for the Authenticator? I was thinking I would have to put in a whole
| > layer
| > that talked to ZK directly for authentication, but perhaps not.
| >
| > thanks for help.
| >
| > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]>
| > wrote:
| >
| > > In fact, that's why there is an abstraction for the Authenticator,
| > > hopefully you can replace it with one of your own.
| > >
| > > However, here's the trick for reading the data
| > >
| > > zkCli > addauth digest accumulo:DEFAULT
| > >
| > > If you have changed the value of "instance.secret" in
| > > accumulo-site.xml,
| > > you need to use that value in order to read what is in the node.
| > >
| > > The data there is binary, so you'll need to write some java code
| > > to
| > decode
| > > it... if your process can read accumulo-site.xml, you can use
| > > ZooReaderWriter to pull the data out: it will always set the
| > > additional
| > > auth flags to be able to read those nodes.
| > >
| > > Let me know if this doesn't make sense, and I can provide more
| > > details.
| > >
| > > -Eric
| > >
| > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]>
| > > wrote:
| > >
| > > > Hey,
| > > >
| > > > I've been poking at security features of Accumulo, specifically
| > > > the
| > > > user/password stuff in Zookeeper. I was wondering if it would be
| > possible
| > > > to abstract away the zookeeper ACL authentication, so we could
| > > > deploy
| > > with
| > > > our own instead of using the "digest" ACL stuff in zookeeper. I
| > > > looked
| > at
| > > > doing this but got lost a bit in the innards of how Accumulo
| > > authenticates
| > > > the znodes. Can anyone provide me some guidance? Specifically,
| > > > it
| > would
| > > be
| > > > useful to know what to do to be able to do an ls of the
| > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
| > > >
| > > > Thanks,
| > > > Jim
| > > >
| > >
| >
-
Re: zookeeper ACL issuesKeith Turner 2012-01-05, 18:24
I was planning on working ACCUMULO-135 for 1.5. I suppose in the
process of doing this that I could also generalize the authentication
mechanism.
On Thu, Jan 5, 2012 at 1:19 PM, John W Vines <[EMAIL PROTECTED]> wrote:
> We've been mumbling about making the authentication system more pluggable. Right now one of the standing issues is that we have the credentials need to perform actions a bit tightly woven with the ZKAuthenticator. These need to be segregated better before more progress can be made allow more authenticators.
>
> John
>
> ----- Original Message -----
> | From: "Eric Newton" <[EMAIL PROTECTED]>
> | To: [EMAIL PROTECTED]
> | Sent: Thursday, January 5, 2012 9:27:18 AM
> | Subject: Re: zookeeper ACL issues
> | The contents of the user node is the 8-byte salt and salted SHA-256 of
> | the
> | user's password. I don't believe there's any encoding: it's just raw
> | bytes.
> |
> | We have not done anything to extend the authentication system, yet.
> | Hopefully we'll be able to leverage the tools now being released for
> | the
> | rest of the Hadoop infrastructure.
> |
> | -Eric
> |
> |
> | On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> |
> | > That worked for the CLI. What is the data in there? base64 encoding
> | > of the
> | > password?
> | >
> | > Have you heard of anyone trying to implement an OAuth style
> | > authentication
> | > for the Authenticator? I was thinking I would have to put in a whole
> | > layer
> | > that talked to ZK directly for authentication, but perhaps not.
> | >
> | > thanks for help.
> | >
> | > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]>
> | > wrote:
> | >
> | > > In fact, that's why there is an abstraction for the Authenticator,
> | > > hopefully you can replace it with one of your own.
> | > >
> | > > However, here's the trick for reading the data
> | > >
> | > > zkCli > addauth digest accumulo:DEFAULT
> | > >
> | > > If you have changed the value of "instance.secret" in
> | > > accumulo-site.xml,
> | > > you need to use that value in order to read what is in the node.
> | > >
> | > > The data there is binary, so you'll need to write some java code
> | > > to
> | > decode
> | > > it... if your process can read accumulo-site.xml, you can use
> | > > ZooReaderWriter to pull the data out: it will always set the
> | > > additional
> | > > auth flags to be able to read those nodes.
> | > >
> | > > Let me know if this doesn't make sense, and I can provide more
> | > > details.
> | > >
> | > > -Eric
> | > >
> | > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]>
> | > > wrote:
> | > >
> | > > > Hey,
> | > > >
> | > > > I've been poking at security features of Accumulo, specifically
> | > > > the
> | > > > user/password stuff in Zookeeper. I was wondering if it would be
> | > possible
> | > > > to abstract away the zookeeper ACL authentication, so we could
> | > > > deploy
> | > > with
> | > > > our own instead of using the "digest" ACL stuff in zookeeper. I
> | > > > looked
> | > at
> | > > > doing this but got lost a bit in the innards of how Accumulo
> | > > authenticates
> | > > > the znodes. Can anyone provide me some guidance? Specifically,
> | > > > it
> | > would
> | > > be
> | > > > useful to know what to do to be able to do an ls of the
> | > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> | > > >
> | > > > Thanks,
> | > > > Jim
> | > > >
> | > >
> | >
process of doing this that I could also generalize the authentication
mechanism.
On Thu, Jan 5, 2012 at 1:19 PM, John W Vines <[EMAIL PROTECTED]> wrote:
> We've been mumbling about making the authentication system more pluggable. Right now one of the standing issues is that we have the credentials need to perform actions a bit tightly woven with the ZKAuthenticator. These need to be segregated better before more progress can be made allow more authenticators.
>
> John
>
> ----- Original Message -----
> | From: "Eric Newton" <[EMAIL PROTECTED]>
> | To: [EMAIL PROTECTED]
> | Sent: Thursday, January 5, 2012 9:27:18 AM
> | Subject: Re: zookeeper ACL issues
> | The contents of the user node is the 8-byte salt and salted SHA-256 of
> | the
> | user's password. I don't believe there's any encoding: it's just raw
> | bytes.
> |
> | We have not done anything to extend the authentication system, yet.
> | Hopefully we'll be able to leverage the tools now being released for
> | the
> | rest of the Hadoop infrastructure.
> |
> | -Eric
> |
> |
> | On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]> wrote:
> |
> | > That worked for the CLI. What is the data in there? base64 encoding
> | > of the
> | > password?
> | >
> | > Have you heard of anyone trying to implement an OAuth style
> | > authentication
> | > for the Authenticator? I was thinking I would have to put in a whole
> | > layer
> | > that talked to ZK directly for authentication, but perhaps not.
> | >
> | > thanks for help.
> | >
> | > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton <[EMAIL PROTECTED]>
> | > wrote:
> | >
> | > > In fact, that's why there is an abstraction for the Authenticator,
> | > > hopefully you can replace it with one of your own.
> | > >
> | > > However, here's the trick for reading the data
> | > >
> | > > zkCli > addauth digest accumulo:DEFAULT
> | > >
> | > > If you have changed the value of "instance.secret" in
> | > > accumulo-site.xml,
> | > > you need to use that value in order to read what is in the node.
> | > >
> | > > The data there is binary, so you'll need to write some java code
> | > > to
> | > decode
> | > > it... if your process can read accumulo-site.xml, you can use
> | > > ZooReaderWriter to pull the data out: it will always set the
> | > > additional
> | > > auth flags to be able to read those nodes.
> | > >
> | > > Let me know if this doesn't make sense, and I can provide more
> | > > details.
> | > >
> | > > -Eric
> | > >
> | > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar <[EMAIL PROTECTED]>
> | > > wrote:
> | > >
> | > > > Hey,
> | > > >
> | > > > I've been poking at security features of Accumulo, specifically
> | > > > the
> | > > > user/password stuff in Zookeeper. I was wondering if it would be
> | > possible
> | > > > to abstract away the zookeeper ACL authentication, so we could
> | > > > deploy
> | > > with
> | > > > our own instead of using the "digest" ACL stuff in zookeeper. I
> | > > > looked
> | > at
> | > > > doing this but got lost a bit in the innards of how Accumulo
> | > > authenticates
> | > > > the znodes. Can anyone provide me some guidance? Specifically,
> | > > > it
> | > would
> | > > be
> | > > > useful to know what to do to be able to do an ls of the
> | > > > /accumulo/<instance>/users/<user> zookeeper path from zkCli.sh
> | > > >
> | > > > Thanks,
> | > > > Jim
> | > > >
> | > >
> | >
-
Re: zookeeper ACL issuesJohn W Vines 2012-01-05, 20:59
https://issues.apache.org/jira/browse/ACCUMULO-259
----- Original Message -----
| From: "Keith Turner" <[EMAIL PROTECTED]>
| To: [EMAIL PROTECTED]
| Sent: Thursday, January 5, 2012 1:24:01 PM
| Subject: Re: zookeeper ACL issues
| I was planning on working ACCUMULO-135 for 1.5. I suppose in the
| process of doing this that I could also generalize the authentication
| mechanism.
|
| On Thu, Jan 5, 2012 at 1:19 PM, John W Vines <[EMAIL PROTECTED]>
| wrote:
| > We've been mumbling about making the authentication system more
| > pluggable. Right now one of the standing issues is that we have the
| > credentials need to perform actions a bit tightly woven with the
| > ZKAuthenticator. These need to be segregated better before more
| > progress can be made allow more authenticators.
| >
| > John
| >
| > ----- Original Message -----
| > | From: "Eric Newton" <[EMAIL PROTECTED]>
| > | To: [EMAIL PROTECTED]
| > | Sent: Thursday, January 5, 2012 9:27:18 AM
| > | Subject: Re: zookeeper ACL issues
| > | The contents of the user node is the 8-byte salt and salted
| > | SHA-256 of
| > | the
| > | user's password. I don't believe there's any encoding: it's just
| > | raw
| > | bytes.
| > |
| > | We have not done anything to extend the authentication system,
| > | yet.
| > | Hopefully we'll be able to leverage the tools now being released
| > | for
| > | the
| > | rest of the Hadoop infrastructure.
| > |
| > | -Eric
| > |
| > |
| > | On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]>
| > | wrote:
| > |
| > | > That worked for the CLI. What is the data in there? base64
| > | > encoding
| > | > of the
| > | > password?
| > | >
| > | > Have you heard of anyone trying to implement an OAuth style
| > | > authentication
| > | > for the Authenticator? I was thinking I would have to put in a
| > | > whole
| > | > layer
| > | > that talked to ZK directly for authentication, but perhaps not.
| > | >
| > | > thanks for help.
| > | >
| > | > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton
| > | > <[EMAIL PROTECTED]>
| > | > wrote:
| > | >
| > | > > In fact, that's why there is an abstraction for the
| > | > > Authenticator,
| > | > > hopefully you can replace it with one of your own.
| > | > >
| > | > > However, here's the trick for reading the data
| > | > >
| > | > > zkCli > addauth digest accumulo:DEFAULT
| > | > >
| > | > > If you have changed the value of "instance.secret" in
| > | > > accumulo-site.xml,
| > | > > you need to use that value in order to read what is in the
| > | > > node.
| > | > >
| > | > > The data there is binary, so you'll need to write some java
| > | > > code
| > | > > to
| > | > decode
| > | > > it... if your process can read accumulo-site.xml, you can use
| > | > > ZooReaderWriter to pull the data out: it will always set the
| > | > > additional
| > | > > auth flags to be able to read those nodes.
| > | > >
| > | > > Let me know if this doesn't make sense, and I can provide more
| > | > > details.
| > | > >
| > | > > -Eric
| > | > >
| > | > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar
| > | > > <[EMAIL PROTECTED]>
| > | > > wrote:
| > | > >
| > | > > > Hey,
| > | > > >
| > | > > > I've been poking at security features of Accumulo,
| > | > > > specifically
| > | > > > the
| > | > > > user/password stuff in Zookeeper. I was wondering if it
| > | > > > would be
| > | > possible
| > | > > > to abstract away the zookeeper ACL authentication, so we
| > | > > > could
| > | > > > deploy
| > | > > with
| > | > > > our own instead of using the "digest" ACL stuff in
| > | > > > zookeeper. I
| > | > > > looked
| > | > at
| > | > > > doing this but got lost a bit in the innards of how Accumulo
| > | > > authenticates
| > | > > > the znodes. Can anyone provide me some guidance?
| > | > > > Specifically,
| > | > > > it
| > | > would
| > | > > be
| > | > > > useful to know what to do to be able to do an ls of the
| > | > > > /accumulo/<instance>/users/<user> zookeeper path from
| > | > > | > | > > >
| > | > > > Thanks,
| > | > > > Jim
| > | > > >
| > | > >
| > | >
----- Original Message -----
| From: "Keith Turner" <[EMAIL PROTECTED]>
| To: [EMAIL PROTECTED]
| Sent: Thursday, January 5, 2012 1:24:01 PM
| Subject: Re: zookeeper ACL issues
| I was planning on working ACCUMULO-135 for 1.5. I suppose in the
| process of doing this that I could also generalize the authentication
| mechanism.
|
| On Thu, Jan 5, 2012 at 1:19 PM, John W Vines <[EMAIL PROTECTED]>
| wrote:
| > We've been mumbling about making the authentication system more
| > pluggable. Right now one of the standing issues is that we have the
| > credentials need to perform actions a bit tightly woven with the
| > ZKAuthenticator. These need to be segregated better before more
| > progress can be made allow more authenticators.
| >
| > John
| >
| > ----- Original Message -----
| > | From: "Eric Newton" <[EMAIL PROTECTED]>
| > | To: [EMAIL PROTECTED]
| > | Sent: Thursday, January 5, 2012 9:27:18 AM
| > | Subject: Re: zookeeper ACL issues
| > | The contents of the user node is the 8-byte salt and salted
| > | SHA-256 of
| > | the
| > | user's password. I don't believe there's any encoding: it's just
| > | raw
| > | bytes.
| > |
| > | We have not done anything to extend the authentication system,
| > | yet.
| > | Hopefully we'll be able to leverage the tools now being released
| > | for
| > | the
| > | rest of the Hadoop infrastructure.
| > |
| > | -Eric
| > |
| > |
| > | On Wed, Jan 4, 2012 at 9:14 PM, Jim Klucar <[EMAIL PROTECTED]>
| > | wrote:
| > |
| > | > That worked for the CLI. What is the data in there? base64
| > | > encoding
| > | > of the
| > | > password?
| > | >
| > | > Have you heard of anyone trying to implement an OAuth style
| > | > authentication
| > | > for the Authenticator? I was thinking I would have to put in a
| > | > whole
| > | > layer
| > | > that talked to ZK directly for authentication, but perhaps not.
| > | >
| > | > thanks for help.
| > | >
| > | > On Wed, Jan 4, 2012 at 3:48 PM, Eric Newton
| > | > <[EMAIL PROTECTED]>
| > | > wrote:
| > | >
| > | > > In fact, that's why there is an abstraction for the
| > | > > Authenticator,
| > | > > hopefully you can replace it with one of your own.
| > | > >
| > | > > However, here's the trick for reading the data
| > | > >
| > | > > zkCli > addauth digest accumulo:DEFAULT
| > | > >
| > | > > If you have changed the value of "instance.secret" in
| > | > > accumulo-site.xml,
| > | > > you need to use that value in order to read what is in the
| > | > > node.
| > | > >
| > | > > The data there is binary, so you'll need to write some java
| > | > > code
| > | > > to
| > | > decode
| > | > > it... if your process can read accumulo-site.xml, you can use
| > | > > ZooReaderWriter to pull the data out: it will always set the
| > | > > additional
| > | > > auth flags to be able to read those nodes.
| > | > >
| > | > > Let me know if this doesn't make sense, and I can provide more
| > | > > details.
| > | > >
| > | > > -Eric
| > | > >
| > | > > On Wed, Jan 4, 2012 at 3:09 PM, Jim Klucar
| > | > > <[EMAIL PROTECTED]>
| > | > > wrote:
| > | > >
| > | > > > Hey,
| > | > > >
| > | > > > I've been poking at security features of Accumulo,
| > | > > > specifically
| > | > > > the
| > | > > > user/password stuff in Zookeeper. I was wondering if it
| > | > > > would be
| > | > possible
| > | > > > to abstract away the zookeeper ACL authentication, so we
| > | > > > could
| > | > > > deploy
| > | > > with
| > | > > > our own instead of using the "digest" ACL stuff in
| > | > > > zookeeper. I
| > | > > > looked
| > | > at
| > | > > > doing this but got lost a bit in the innards of how Accumulo
| > | > > authenticates
| > | > > > the znodes. Can anyone provide me some guidance?
| > | > > > Specifically,
| > | > > > it
| > | > would
| > | > > be
| > | > > > useful to know what to do to be able to do an ls of the
| > | > > > /accumulo/<instance>/users/<user> zookeeper path from
| > | > > | > | > > >
| > | > > > Thanks,
| > | > > > Jim
| > | > > >
| > | > >
| > | >
