zookeeper-dev mailing list archives

From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1045) Support Quorum Peer mutual authentication via SASL
Date Thu, 03 Nov 2016 21:52:58 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15634408#comment-15634408 ]

Michael Han commented on ZOOKEEPER-1045:
----------------------------------------

[~rakeshr]: Regarding your proposal of doing authorization with a shared Kerberos principal
by sending the hostname as part of the auth packet, my thoughts are that authentication and
authorization have to be done together, and authorization has a hard dependency on authentication.
If an entity is not authenticated, it does not seem to make much sense to try to authorize it, as
what it claims might be totally bogus. In the shared Kerberos credential case, there is no way to
authenticate that the names sent from a server are genuine, as opposed to the non-shared Kerberos
case where we have names encoded in keytabs, which will be authenticated as part of Kerberos. So,
maybe we just don't solve this shared Kerberos credential authorization problem? If users want
authorization, they can use non-shared Kerberos credentials.



> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch,
> QuorumPeer Mutual Authentication Via Sasl Feature Doc - 2016-Sep-25.pdf, TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045 Test Plan.pdf, ZOOKEEPER-1045-00.patch,
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf, org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.testRollingUpgrade.log
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. This bug,
> on the other hand, is for authentication among quorum peers. Hopefully much of the work done
> on SASL integration with Zookeeper for ZOOKEEPER-938 can be used as a foundation for this
> enhancement.
> Review board: https://reviews.apache.org/r/47354/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
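
An added illustration of the point made in the comment above (not code from the ZooKeeper patch or from the commenter): a per-host authorization decision can rest only on the name Kerberos authenticated, so with a shared principal the hostname sent in the auth packet has nothing backing it. All class, method, principal and host names here are hypothetical, and refusing per-host authorization for a shared principal is this sketch's assumption.

```java
import java.util.Optional;
import java.util.Set;

// Added illustration; names are hypothetical and are not ZooKeeper's API.
public class QuorumPeerAuthzSketch {

    // Hosts allowed to join the quorum (constructed sample values).
    static final Set<String> QUORUM_HOSTS = Set.of("zk1.example.com", "zk2.example.com");

    // Extracts the host instance from a Kerberos principal of the form
    // service/host@REALM. A shared principal (service@REALM) carries none.
    static Optional<String> hostFromPrincipal(String principal) {
        int at = principal.lastIndexOf('@');
        String name = at >= 0 ? principal.substring(0, at) : principal;
        int slash = name.indexOf('/');
        if (slash < 0 || slash == name.length() - 1) {
            return Optional.empty();
        }
        return Optional.of(name.substring(slash + 1).toLowerCase());
    }

    // authenticatedPrincipal: identity established by the SASL/Kerberos exchange.
    // claimedHost: hostname the peer put in its auth packet (unauthenticated).
    static boolean authorizeByHost(String authenticatedPrincipal, String claimedHost) {
        Optional<String> host = hostFromPrincipal(authenticatedPrincipal);
        if (host.isEmpty()) {
            // Shared credential: claimedHost is the only evidence of which
            // server this is, and nothing authenticated it, so it is not used.
            return false;
        }
        // Per-host credential: decide on the authenticated name only.
        return QUORUM_HOSTS.contains(host.get());
    }

    public static void main(String[] args) {
        String claimed = "zk1.example.com"; // what every peer below claims to be
        // Per-host principal whose authenticated host is in the quorum list.
        System.out.println(authorizeByHost("zkquorum/zk1.example.com@EXAMPLE.COM", claimed));
        // Per-host principal for a host outside the list, claiming to be zk1.
        System.out.println(authorizeByHost("zkquorum/other.example.com@EXAMPLE.COM", claimed));
        // Shared principal: identical for every holder of the keytab.
        System.out.println(authorizeByHost("zkquorum@EXAMPLE.COM", claimed));
    }
}
```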
