Friday, December 28, 2012

ZooKeeper, Netflix Curator and ACLs

If you run one or more "multi-tenant" ZooKeeper clusters, you may want to protect znodes against unwanted modifications.
Here is a very simple and short introduction to the ACL and custom authentication features.
This post is not intended to give you best practices for ZooKeeper security; its only goal is to give you a complete example of a custom authentication handler.

The complete source code, with a JUnit test, is available here:

Use case

Let's say that your ZooKeeper cluster is used by several users. To restrict what each user can do, you have decided that each user must prefix all paths with the first letter of their name.
  • User foo is only allowed to create, read, delete and update znodes under the /f znode.
  • User bar is only allowed to create, read, delete and update znodes under the /b znode.

Get client authentication data on the server side

ZooKeeper client authentication is easy to customize: all you have to do is create a class that implements org.apache.zookeeper.server.auth.AuthenticationProvider:
Once that is done, you must tell the ZooKeeper server to use it by setting the Java system property zookeeper.authProvider.x (where x is an integer).
You can do this in a startup script, but here we want to use a JUnit test:

Let Zookeeper client automatically set ACLs with Curator

Curator helps you automatically set the right ACLs on znodes. This is done by providing an ACLProvider implementation:
Register your ACL provider using the Curator client builder:
Add the client authentication data using the same builder:

A complete JUnit test with a ZooKeeper testing server using the Curator framework is available here
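
The two pieces described above, written here as an added example (not the post's own source code): a server-side AuthenticationProvider and a Curator ACLProvider for the first-letter rule. The scheme name firstletter, the class names, the use of the bare user name as authentication data (no credential is checked) and the read-only default ACL are assumptions; the code targets ZooKeeper 3.4+ and the Apache Curator package name (Netflix-era releases use the com.netflix.curator prefix).

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;

public class FirstLetterSecurity {
    static final String SCHEME = "firstletter"; // hypothetical scheme name

    /** Server side: turns the client's auth data (its user name) into an Id. */
    public static class Provider implements AuthenticationProvider {
        public String getScheme() { return SCHEME; }

        public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
            String user = authData == null ? "" : new String(authData, StandardCharsets.UTF_8);
            if (!user.matches("[a-z][a-z0-9]*")) {
                return KeeperException.Code.AUTHFAILED; // reject empty or malformed names
            }
            cnxn.addAuthInfo(new Id(SCHEME, user)); // ServerCnxn.addAuthInfo: ZooKeeper 3.4+
            return KeeperException.Code.OK;
        }

        // id: authenticated user name; aclExpr: the single letter stored in the znode ACL
        public boolean matches(String id, String aclExpr) {
            return aclExpr.length() == 1 && id.startsWith(aclExpr);
        }
        public boolean isAuthenticated() { return true; }
        // Called when an ACL is set: only a single lowercase letter is a valid ACL id.
        public boolean isValid(String id) { return id.matches("[a-z]"); }
    }

    /** Client side: a znode at /f or below gets ALL for the identity firstletter:f. */
    public static class PathAcls implements ACLProvider {
        // Assumption: anything outside /<letter> is created world-readable only.
        public List<ACL> getDefaultAcl() { return ZooDefs.Ids.READ_ACL_UNSAFE; }

        public List<ACL> getAclForPath(String path) {
            if (path == null || !path.matches("/[a-z](/.*)?")) {
                return getDefaultAcl();
            }
            return Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id(SCHEME, path.substring(1, 2))));
        }
    }
}
```

To try it, start the server with -Dzookeeper.authProvider.1=FirstLetterSecurity$Provider, and on the client pass new FirstLetterSecurity.PathAcls() to the builder's aclProvider(...) together with authorization("firstletter", "foo".getBytes()).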