KNOX-2315 - Fix zookeeper Kerberos Auth

[moresandeep]

What changes were proposed in this pull request?

This PR fixes issues with Zookeeper Kerberos authentication. This PR contains following changes.

1. Fix issues in code that were causing bad configuration issues, such as typos and wrong variable names.
2. For Znodes created by Knox the permissions are more restricted and only knox users can read and write the data to Znodes owned by Knox.
3. Auth scheme for Kerberos authentication is now "sasl"
4. A configuration boolean parameter "backwardsCompatible" is introduced which falls back to old behavior (likely broken behavior)

How was this patch tested?

This patch was locally tested on a secure cluster with Kerberos authentication between Knox and Zookeeper.

[pzampino]

You've defined a method authenticationType(). Why not use that here? Could also have a utility method isKerberosAuth(final String authType) that performs this evaluation. There is nearly identical logic in ZookeeperRemoteAliasService

[moresandeep]

Hmm, agreed that would make things simpler and easier to read as well.

[moresandeep]

authenticationType() method is defined in the private class ClientAdapter so we can't use it. That is also the reason that reusing this code is tricky.

[pzampino]

I was thinking you can define a static method in a class that is accessible to all that need to reference it, which takes a String (the authenticationType() result). Something in the gateway-spi module ?

[pzampino]

It actually may be easier to simply change it to AUTH_TYPE_KERBEROS.equalsIgnoreCase(config.getAuthType()), which would handle the blank or null value check too.

[moresandeep]

Interesting, I did not know equalsIgnoreCase() is null safe, learnt something today :)

[pzampino]

LGTM