Title: BookKeeper Security
Notice: Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. You may
obtain a copy of the License at "http://www.apache.org/licenses/LICENSE-2.0":http://www.apache.org/licenses/LICENSE-2.0.
.
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an "AS IS"
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied. See the License for the specific language governing permissions
and limitations under the License.
.
.
h1. Security in BookKeeper
Apache BookKeeper is a decentralized platform, and there are multiple aspects to deal with when securing a BookKeeper cluster.
Metadata are stored on ZooKeeper, so first of all you will need to secure your ZooKeeper cluster; see "ZooKeeper security":https://zookeeper.apache.org/security.html
Then you have to take care of access to Bookies. You can configure authentication and encryption using TLS: out of the box, BookKeeper supports Kerberos authentication, DIGEST-MD5 authentication and TLS encryption. You can also leverage TLS client authentication in order to protect your data.
h1. ZooKeeper security on BookKeeper
Both clients and Bookies read and write metadata on ZooKeeper; it is also used for Bookie discovery.
The best way to protect data stored on ZooKeeper is to put ACLs on every z-node, so that only authorized users are able to access (read/write) the data.
To make BookKeeper protect its data on ZooKeeper, set the zkEnableSecurity=true configuration property in the Bookie configuration (conf/bk_server.conf).
On the client side you have to set the zkEnableSecurity property to true or use ClientConfiguration.setZkEnableSecurity(true).
Beware that your Bookies and your clients MUST successfully authenticate to the ZooKeeper cluster.
You MUST use the same ZooKeeper principal for every Bookie and every client; this is usually achieved by using Kerberos.
The BookKeeper runtime will use ZooDefs.Ids.CREATOR_ALL_ACL ACLs for every new node. This ACL grants all permissions to the authenticated identity that creates the node, so you will get InvalidACL if ZooKeeper authentication is not configured.
In order to make a Bookie authenticate to a secured ZooKeeper cluster you have to:
- create a jaas.conf file in your "conf" directory (you can just rename conf/jaas_example.conf and change it according to your needs)
- add -Djava.security.auth.login.config=absolute/path/to/jaas.conf to BOOKIE_EXTRA_OPTS in conf/bkenv.sh
On the client side you have to follow similar steps, but the details depend on your application.
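The Bookie-side steps above can be checked before a Bookie is started. The following is an added example, not code from the BookKeeper project: the function names are hypothetical, the sample files are constructed, and the check for a "Client" section relies on the ZooKeeper client's default JAAS login context name, which this page does not state.

```bash
#!/usr/bin/env bash
# Added example, not BookKeeper code: preflight check of a Bookie "conf"
# directory against the ZooKeeper-security steps described above.
# Usage: check_bookie_zk_security /path/to/conf

check_bookie_zk_security() {
    local conf="$1" rc=0 values jaas

    # zkEnableSecurity must be set, and every uncommented assignment must be "true".
    values=$(grep -E '^[[:space:]]*zkEnableSecurity[[:space:]]*=' "$conf/bk_server.conf" 2>/dev/null \
             | cut -d= -f2- | tr -d ' \t\r')
    if [ -z "$values" ] || printf '%s\n' "$values" | grep -qvx 'true'; then
        echo "FAIL: zkEnableSecurity=true is not set in bk_server.conf"; rc=1
    fi

    # BOOKIE_EXTRA_OPTS in bkenv.sh must hand the JAAS file to the JVM.
    jaas=$(grep -E '^[[:space:]]*(export[[:space:]]+)?BOOKIE_EXTRA_OPTS=' "$conf/bkenv.sh" 2>/dev/null \
           | grep -oE -- "-Djava\.security\.auth\.login\.config=[^\"' ]+" | tail -n 1 | cut -d= -f2-)
    if [ -z "$jaas" ]; then
        echo "FAIL: BOOKIE_EXTRA_OPTS lacks -Djava.security.auth.login.config"
        return 1
    fi

    # The page calls for an absolute path; a relative one depends on where the Bookie is started.
    case "$jaas" in
        /*) ;;
        *)  echo "FAIL: JAAS path '$jaas' is not absolute"; rc=1 ;;
    esac

    # The file must be readable and define the "Client" login context, which the
    # ZooKeeper client looks up by default (a ZooKeeper default, not stated on this page).
    if [ ! -r "$jaas" ]; then
        echo "FAIL: JAAS file '$jaas' is not readable"; rc=1
    elif ! grep -Eq '^[[:space:]]*Client[[:space:]]*\{' "$jaas"; then
        echo "FAIL: no 'Client' section in $jaas"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: Bookie ZooKeeper security settings look consistent"
    return "$rc"
}

# Constructed sample configuration (not real deployment files) for trying the check.
write_sample_conf() {
    local dir="$1"
    printf 'zkEnableSecurity=true\n' > "$dir/bk_server.conf"
    printf 'Client {\n  com.sun.security.auth.module.Krb5LoginModule required;\n};\n' > "$dir/jaas.conf"
    printf 'BOOKIE_EXTRA_OPTS="-Djava.security.auth.login.config=%s/jaas.conf"\n' "$dir" > "$dir/bkenv.sh"
}
```

The check only confirms that the files agree with each other; it does not prove that the Bookie can authenticate to the ZooKeeper cluster.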
Currently there is no migration procedure for changing zkEnableSecurity.
If you are moving to zkEnableSecurity=true, new z-nodes will be 'secured' but old z-nodes will not be covered by ACLs, and you will need to set the ACLs manually using ZooKeeper tools.
If you are moving to zkEnableSecurity=false, you need to reset all ACLs under the z-node set in zkLedgersRootPath, which defaults to '/ledgers'.