zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sriram Chandramouli (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-2937) zookeeper issues with handling authentication...
Date Wed, 08 Nov 2017 16:31:00 GMT
Sriram Chandramouli created ZOOKEEPER-2937:
----------------------------------------------

             Summary: zookeeper issues with handling authentication...
                 Key: ZOOKEEPER-2937
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2937
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
    Affects Versions: 3.4.6
         Environment: Linux <node_name> 2.6.32-696.6.3.el6.YAHOO.20170712.4.x86_64 #1
SMP Wed Jul 12 01:40:52 UTC 2017 x86_64

-bash-4.1$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)

java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

/home/y/libexec/ant/bin/ant -version
Apache Ant(TM) version 1.9.0 compiled on March 5 2013

            Reporter: Sriram Chandramouli
             Fix For: 3.4.6


we have created an authentication provider plugin that can authenticate clients based on the
cert that client is presenting. our zookeeper instance has been configured (and started) to
authenticate and allow only certain appid's. this works as intended when clients (ours are
c-clients) send an auth message via yca_add_auth containing the cert *and* the authentication
provider is configured to allow it.

however, if the clients do *not* present one (i.e. do not send an auth packet), and if the
authentication provider allows only certain appid's, this connection still goes through -
i.e. clients are able to connect, create/watch nodes etc.! this is unexpected and does *not*
allow us to prevent certain clients from connecting to a zookeeper quorum (as they can still
connect without present any credentials). 

it looks like zookeeper will only invoke the auth providers if it receives an auth packet
from the client.

none of this block - https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1060

ever gets executed, and it directly jumps to this 

https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1108

we have a usecase where we only want clients that can present valid credentials to connect
to zookeeper (zk). 

i was hoping to expose an interface where different auth providers (when they are loaded)
 would let zk know if they need to authenticate a client before processing other data packets.
the default ones (kerberos/ip/digest etc.) would say no to maintain compatibility. our auth
provider can be configured to say yes/no (default no) depending on use-case. zk before processing
a data packet can look at the auth info in the server connection to see the schemes that requires
authentication and have successfully authenticated. connection will succeed if all schemes
that require authentication have successfully authenticated; else, we disable receive.

can someone please look into this issue and evaluate the proposal? i can work on creating
a pr for this.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message