Posted to dev@zookeeper.apache.org by "Eugene Koontz (JIRA)" <ji...@apache.org> on 2010/11/23 18:26:15 UTC

[jira] Created: (ZOOKEEPER-938) support Kerberos Authentication

support Kerberos Authentication
-------------------------------

                 Key: ZOOKEEPER-938
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-938
             Project: Zookeeper
          Issue Type: New Feature
          Components: server
            Reporter: Eugene Koontz


Support Kerberos authentication of clients.

The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.

1. Admin logs into zookeeper (not necessarily through Kerberos however). 

2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.

3. Admin does: zk> create /mynode content kerb:zkclient@FOOFERS.ORG:x:cdrwa

(note: for now, the dummy ':x' is a placeholder for the password, and is required by the zk command parser. The user's actual password is not stored within Zookeeper; simply put 'x' there.)

4. User 'zkclient' logs in to Kerberos using the command line utility 'kinit'.

5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).

6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.

7. User accesses /mynode with permissions 'cdrwa'.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
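
The ACL argument from step 3 of the issue above, broken down in an added example that is not part of the JIRA issue or the attached patch. The class and method names and the four-field split are assumptions made for illustration; the permission bit values are those of ZooKeeper's ZooDefs.Perms, and the second realm in main() is constructed.

```java
import java.util.Map;

// Added illustration; KerbAclDemo and its methods are hypothetical names.
public class KerbAclDemo {
    // Permission bit values as defined in ZooKeeper's ZooDefs.Perms.
    static final int READ = 1, WRITE = 2, CREATE = 4, DELETE = 8, ADMIN = 16;
    static final Map<Character, Integer> BITS =
        Map.of('r', READ, 'w', WRITE, 'c', CREATE, 'd', DELETE, 'a', ADMIN);

    record Acl(String scheme, String principal, int perms) {}

    // Assumed layout, following step 3: kerb:<name@REALM>:<placeholder>:<perms>
    static Acl parse(String spec) {
        String[] f = spec.split(":");
        if (f.length != 4 || !f[0].equals("kerb"))
            throw new IllegalArgumentException("expected kerb:<principal>:x:<perms>");
        if (!f[1].matches("[^@]+@[^@]+"))
            throw new IllegalArgumentException("principal must be name@REALM");
        int perms = 0;
        for (char c : f[3].toCharArray()) {
            Integer bit = BITS.get(c);
            if (bit == null)
                throw new IllegalArgumentException("unknown permission: " + c);
            perms |= bit;
        }
        // f[2] is the dummy placeholder; it is discarded, never stored or compared.
        return new Acl(f[0], f[1], perms);
    }

    // The authenticated identity must equal the ACL principal exactly, realm
    // included, and every requested permission bit must be granted.
    static boolean allowed(Acl acl, String authPrincipal, int op) {
        return acl.principal().equals(authPrincipal) && (acl.perms() & op) == op;
    }

    public static void main(String[] args) {
        Acl acl = parse("kerb:zkclient@FOOFERS.ORG:x:cdrwa");
        System.out.println(acl);
        System.out.println(allowed(acl, "zkclient@FOOFERS.ORG", WRITE));
        // Same short name in a different (constructed) realm must not match.
        System.out.println(allowed(acl, "zkclient@OTHER.EXAMPLE", WRITE));
        // A read-only ACL for the same principal must not grant DELETE.
        System.out.println(allowed(parse("kerb:zkclient@FOOFERS.ORG:x:r"),
                                   "zkclient@FOOFERS.ORG", DELETE));
    }
}
```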


[jira] Updated: (ZOOKEEPER-938) support Kerberos Authentication

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Koontz updated ZOOKEEPER-938:
------------------------------------

    Attachment: NIOServerCnxn.patch

Do authentication on server side. Does not include Java client-side. Also does not have callback support for renewal of credentials (see discussion in ZOOKEEPER-896 about callbacks and credential renewal).

> support Kerberos Authentication
> -------------------------------
>
>                 Key: ZOOKEEPER-938
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-938
>             Project: Zookeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>         Attachments: NIOServerCnxn.patch
>
>
> Support Kerberos authentication of clients.
> The following usage would let an admin use Kerberos authentication to assign ACLs to authenticated clients.
> 1. Admin logs into zookeeper (not necessarily through Kerberos however). 
> 2. Admin decides that a new node called '/mynode' should be owned by the user 'zkclient' and have full permissions on this.
> 3. Admin does: zk> create /mynode content kerb:zkclient@FOOFERS.ORG:x:cdrwa
> (note: for now, the dummy ':x' is a placeholder for the password, and is required by the zk command parser. The user's actual password is not stored within Zookeeper; simply put 'x' there.)
> 4. User 'zkclient' logs in to Kerberos using the command line utility 'kinit'.
> 5. User connects to zookeeper server using a Kerberos-enabled version of zkClient (ZookeeperMain).
> 6. Behind the scenes, the client and server exchange authentication information. User is now authenticated as 'zkclient'.
> 7. User accesses /mynode with permissions 'cdrwa'.
