You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@accumulo.apache.org by "John Vines (Created) (JIRA)" <ji...@apache.org> on 2012/01/05 20:52:39 UTC
[jira] [Created] (ACCUMULO-259) ZKAuthentictor needs to be split up
ZKAuthentictor needs to be split up
-----------------------------------
Key: ACCUMULO-259
URL: https://issues.apache.org/jira/browse/ACCUMULO-259
Project: Accumulo
Issue Type: Improvement
Components: master, tserver
Reporter: John Vines
Assignee: Eric Newton
Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "John Vines (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13181628#comment-13181628 ]
John Vines commented on ACCUMULO-259:
-------------------------------------
To elaborate on the changes needed-
The act of checking instance IDs is a system authenticator action (system authenticator meaning the authenticator code that always exists vs. the pluggable authenticator). Authenticating the system user also falls into here. The public authenticateUser is a system action, which should rely on pluggable authenticator's authenticate(AuthInfo) to simply check a users info. Plugging authenticator should trust that the system authenticator made sure the person calling authenticate is allowed to authenticate the given user.
These changes are similar across the other functions- the pluggable authenticator does what is asked, trusting the system authenticator already decided it was okay. The system authenticator will decide this from information derived from the pluggable authenticator. So I pose the following pluggable authenticator interface:
public boolean authenticate(AuthInfo user);
public boolean changePassword(AuthInfo user, byte[] newPass);
public boolean createUser(AuthInfo newUser);
public boolean hasPermission(String user, Table/SystemPermission);
public boolean setPermission(String user, Table/SystemPermission);
public boolean revokePermission(String user, Table/SystemPermission);
public boolean changeAuthorizations(String user, Auths newAuths);
public Auths getAuths(String user);
public void init(String rootuser, byte[] rootPass);
public List<String> users();
public boolean userExists(String user);
This is a quick interface based off of the ZKAuthenticator. The few comments I have on it are-
1. I used the booleans for sets, revokes, etc. in case we have a pluggable authenticator which can fail at it's actions.
2. While I removed the Auths from the calling user because we trust the system authenticator, this may not be possible. There may be pluggable security systems that want to be designed for the Accumulo system user to validate, or another calling user. However, the pluggable security system could have a set of master credentials it uses, so we might want to rely on those. However, regardless if a pluggable system required a master user or not, we will still be doing our own authentication in the system authenticator.
3. This is pretty much identical to the exact Authenticator. But that's the point- we started with the right idea, but we fell off the course. The only real interface changes I'm proposing are dropping getRootUser (ZK should hold this info [but just the name, unless the ZKAuthenticator is being used]), changing many of the results from void to booleans, and possibly dropping parent credentials.
Thoughts?
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "Keith Turner (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182952#comment-13182952 ]
Keith Turner commented on ACCUMULO-259:
---------------------------------------
What would be the reason for two tickets? Are you thinking of making some initial changes in 1.4 and doing more in 1.5?
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "John Vines (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182946#comment-13182946 ]
John Vines commented on ACCUMULO-259:
-------------------------------------
Thought I made a ticket for this, but closest I can find is the comment in ACCUMULO-238 . This is step one. Step two is to do as you described- seperate the 'authority provider' from the 'authenticator'. This way we can let users authenticate against one system that may or may not be able of holding credentials. So, as you said, they could authenticate against one system and then use zookeeper for their various credentials.
And I agree on the errors.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (ACCUMULO-259) ZKAuthentictor needs
to be split up
Posted by "John Vines (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182946#comment-13182946 ]
John Vines edited comment on ACCUMULO-259 at 1/10/12 12:14 AM:
---------------------------------------------------------------
Thought I made a ticket for this, but closest I can find is the comment in ACCUMULO-238 . This is step one. Step two is to do as you described- seperate the 'authority provider' from the 'authenticator'. This way we can let users authenticate against one system that may or may not be able of holding credentials. So, as you said, they could authenticate against one system and then use zookeeper for their various credentials. This still leaves us with the issue of coming up with a versatile interfaces that provides enough information for most providers. Also, should this be a seperate ticket, or just one large operation?
And I agree on the errors.
was (Author: jvines):
Thought I made a ticket for this, but closest I can find is the comment in ACCUMULO-238 . This is step one. Step two is to do as you described- seperate the 'authority provider' from the 'authenticator'. This way we can let users authenticate against one system that may or may not be able of holding credentials. So, as you said, they could authenticate against one system and then use zookeeper for their various credentials.
And I agree on the errors.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "John Vines (Assigned) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Vines reassigned ACCUMULO-259:
-----------------------------------
Assignee: John Vines (was: Eric Newton)
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: John Vines
> Fix For: 1.5.0
>
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "John Vines (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189212#comment-13189212 ]
John Vines commented on ACCUMULO-259:
-------------------------------------
When I do this, I need to remember to take into account comments in ACCUMULO-328
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: John Vines
> Fix For: 1.5.0
>
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "Eric Newton (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13183285#comment-13183285 ]
Eric Newton commented on ACCUMULO-259:
--------------------------------------
I think this is too big to do in 1.4. We won't be able to wedge in anything pluggable in less than 4 weeks, and so we won't really have improved anything for users. In 1.5 we can get it refactored, pluggable and consistent with the rest of the hadoop environment.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "Keith Turner (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182676#comment-13182676 ]
Keith Turner commented on ACCUMULO-259:
---------------------------------------
This interface suggest that whatever is doing authentication can also hold accumulo specific info about users. I am thinking of the use case where I am running OpenLDAP and I want to use that to authenticate users. However, I do not want to store accumulo specific info in OpenLDAP, I would prefer that is still in zookeeper. Not sure if this is a plausible use case, but it seems like it might be. To better support this use case, we could have two interfaces.
{noformat}
interface Authenticator {
public boolean authenticate(AuthInfo user);
public boolean changePassword(AuthInfo user, byte[] newPass);
public boolean createUser(AuthInfo newUser);
public void init(String rootuser, byte[] rootPass);
public List<String> users();
public boolean userExists(String user);
}
{noformat}
{noformat}
interface UserCapabilities {
public boolean hasPermission(String user, Table/SystemPermission);
public boolean setPermission(String user, Table/SystemPermission);
public boolean revokePermission(String user, Table/SystemPermission);
public boolean changeAuthorizations(String user, Auths newAuths);
public Auths getAuths(String user);
}
{noformat}
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (ACCUMULO-259) ZKAuthentictor needs to be split up
Posted by "John Vines (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Vines updated ACCUMULO-259:
--------------------------------
Fix Version/s: 1.5.0
>From talking with Eric, since he was the last person to really mess with the ZKAuthenticator, there is a good chance that it's roots are spreading more than we imagine. With us really trying to get 1.4 released, I don't think we should push this after all. Instead, lets shoot for 1.5 so we have plenty of time to exercise the interface to make is widely compatible.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
> Fix For: 1.5.0
>
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "Keith Turner (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182679#comment-13182679 ]
Keith Turner commented on ACCUMULO-259:
---------------------------------------
It may be better to throw an exception instead of returning false when something does not work. A user of the API can forget to check the boolean and nothing will happen. If you do not properly handle the exception, it will percolate up.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ACCUMULO-259) ZKAuthentictor needs to be split
up
Posted by "John Vines (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/ACCUMULO-259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13183265#comment-13183265 ]
John Vines commented on ACCUMULO-259:
-------------------------------------
Well, that's the question. How much do we want to do and when? 1.4 is nearing release and I worry that this change is too big, but I have a feeling that we want to get this pluggable interface in place (primarily due to the release of hadoop 1.0 which has kerberos support). Unless you have an objection, I'm proposing doing the full split (authenticator, authority provider, and proper utilization of these interfaces) for 1.4 so we have them available ASAP.
> ZKAuthentictor needs to be split up
> -----------------------------------
>
> Key: ACCUMULO-259
> URL: https://issues.apache.org/jira/browse/ACCUMULO-259
> Project: Accumulo
> Issue Type: Improvement
> Components: master, tserver
> Reporter: John Vines
> Assignee: Eric Newton
>
> Currently the ZKAuthenticator does both the checking of credentials as well as the functionality of the Authenticator. We need to split those into two different classes for improved testing as well as pluggability of the security scheme.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira