zookeeper-dev mailing list archives

From "Botond Hejj (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-2462) force authentication/authorization
Date Fri, 01 Jul 2016 14:50:11 GMT
Botond Hejj created ZOOKEEPER-2462:

             Summary: force authentication/authorization
                 Key: ZOOKEEPER-2462
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
             Project: ZooKeeper
          Issue Type: New Feature
          Components: server
            Reporter: Botond Hejj
            Priority: Minor

This change introduces two new config options to force authorization and authentication:

1. disableWorldACL
The purpose of this option is to disable the built-in mechanism which authorizes everyone.
If it is turned on then the world/anyone usage is ignored. ZooKeeper will not check operations
based on world/anyone.
This option is useful to force some kind of authorization mechanism. This restriction is useful
in a strictly audited environment.

2. forceAuthentication
If this option is turned on then ZooKeeper won't authorize any operation if the user has not
authenticated either with SASL or with addAuth.
There is a way to enforce SASL authentication but currently there is no way to enforce authentication
using the plugin mechanism. Enforcing authentication for that is more tricky since authentication
can come any time later. This option doesn't drop the connection if there was no authentication.
It is only throwing NoAuth for any operation until the Auth packet arrives.

This message was sent by Atlassian JIRA
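
A simplified model of how the two options described above would interact, added here as an illustration; it is not the patch's code or ZooKeeper's implementation. The `Config`, `Session`, `check_acl` and `allowed` names and the sample ACLs are constructed for this example, and the behaviour is inferred from the issue description only.

```python
from dataclasses import dataclass, field

READ, WRITE = 1, 2  # permission bits used by this model

class NoAuth(Exception):
    """Stands in for the NoAuth error named in the description."""

@dataclass
class Session:
    # (scheme, id) pairs added via SASL or addAuth; empty until the Auth packet arrives
    auth_ids: set = field(default_factory=set)

    def add_auth(self, scheme, ident):
        self.auth_ids.add((scheme, ident))

@dataclass
class Config:
    disable_world_acl: bool = False     # models disableWorldACL
    force_authentication: bool = False  # models forceAuthentication

# Constructed sample ACLs: lists of (perms, scheme, id)
OPEN_ACL = [(READ | WRITE, "world", "anyone")]
MIXED_ACL = [(READ, "world", "anyone"), (READ | WRITE, "digest", "alice:<hash>")]

def check_acl(cfg, session, acl, perm):
    """Return True if the operation is authorized, raise NoAuth otherwise."""
    # forceAuthentication: refuse every operation until the session has an identity.
    # The session object survives; only the operation fails.
    if cfg.force_authentication and not session.auth_ids:
        raise NoAuth("session has not authenticated yet")
    for perms, scheme, ident in acl:
        if not perms & perm:
            continue
        if (scheme, ident) == ("world", "anyone"):
            if cfg.disable_world_acl:
                continue  # entry is ignored; another entry may still match
            return True
        if (scheme, ident) in session.auth_ids:
            return True
    raise NoAuth("no ACL entry grants this operation")

def allowed(cfg, session, acl, perm):
    try:
        return check_acl(cfg, session, acl, perm)
    except NoAuth:
        return False
```

In this model, `forceAuthentication` alone still lets any authenticated identity use a world/anyone znode; only the combination with `disableWorldACL` requires a matching ACL entry.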
