zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2937) zookeeper issues with handling authentication...
Date Thu, 16 Nov 2017 03:10:01 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16254680#comment-16254680 ]

ASF GitHub Bot commented on ZOOKEEPER-2937:

GitHub user sriramch opened a pull request:


    [zookeeper-2937] disallow client requests without completing authentication...

    - https://issues.apache.org/jira/browse/ZOOKEEPER-2937
    - do not process data packets, if authentication via providers that
      *requires* authentication aren't completed

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sriramch/zookeeper master

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #418

commit ed6986b83eea71e280976df78b13c44088915efa
Author: Sriram Chandramouli <sriramch@csp0094.csp.corp.gq1.yahoo.com>
Date:   2017-11-15T21:25:29Z

    - https://issues.apache.org/jira/browse/ZOOKEEPER-2937
    - do not process data packets, if authentication via providers that
      *requires* authentication aren't completed

commit 2e2e4b5b4a57212da70e004c402711412b1d6f07
Author: Sriram Chandramouli <sriramch@csp0094.csp.corp.gq1.yahoo.com>
Date:   2017-11-16T02:54:29Z

    - do the auth checks only once after connection establishment before
      processing data packets

commit 74271caa44484b06b435e39cd5e22362bb2c73cf
Author: Sriram Chandramouli <sriramch@csp0094.csp.corp.gq1.yahoo.com>
Date:   2017-11-16T02:57:42Z

    Merge branch 'master' of https://github.com/apache/zookeeper


> zookeeper issues with handling authentication...
> ------------------------------------------------
>                 Key: ZOOKEEPER-2937
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2937
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.6
>         Environment: Linux <node_name> 2.6.32-696.6.3.el6.YAHOO.20170712.4.x86_64 #1 SMP Wed Jul 12 01:40:52 UTC 2017 x86_64
> -bash-4.1$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> java version "1.8.0_25"
> Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
> Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
> /home/y/libexec/ant/bin/ant -version
> Apache Ant(TM) version 1.9.0 compiled on March 5 2013
>            Reporter: Sriram Chandramouli
>             Fix For: 3.4.6
>
> we have created an authentication provider plugin that can authenticate clients based on the cert that client is presenting. our zookeeper instance has been configured (and started) to authenticate and allow only certain appid's. this works as intended when clients (ours are c-clients) send an auth message via yca_add_auth containing the cert *and* the authentication provider is configured to allow it.
> however, if the clients do *not* present one (i.e. do not send an auth packet), and if the authentication provider allows only certain appid's, this connection still goes through - i.e. clients are able to connect, create/watch nodes etc.! this is unexpected and does *not* allow us to prevent certain clients from connecting to a zookeeper quorum (as they can still connect without presenting any credentials).
> it looks like zookeeper will only invoke the auth providers if it receives an auth packet from the client.
> none of this block - https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1060
> ever gets executed, and it directly jumps to this 
> https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1108
> we have a use case where we only want clients that can present valid credentials to connect to zookeeper (zk).
> i was hoping to expose an interface where different auth providers (when they are loaded) would let zk know if they need to authenticate a client before processing other data packets. the default ones (kerberos/ip/digest etc.) would say no to maintain compatibility. our auth provider can be configured to say yes/no (default no) depending on use-case. zk before processing a data packet can look at the auth info in the server connection to see the schemes that require authentication and have successfully authenticated. connection will succeed if all schemes that require authentication have successfully authenticated; else, we disable receive.
> can someone please look into this issue and evaluate the proposal? i can work on creating a pr for this.

This message was sent by Atlassian JIRA
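
The gate proposed in the quoted issue, as an added example (not the pull request's code and not ZooKeeper's API): each provider declares whether it requires authentication, and the server checks this once per connection before processing data packets. `Provider`, `Connection`, `Server` and the `x-cert` scheme are hypothetical names.

```java
import java.util.*;

public class AuthGateSketch {
    // Hypothetical provider contract: built-in schemes answer false to stay compatible.
    interface Provider { String scheme(); boolean requiresAuthentication(); }

    static Provider provider(final String scheme, final boolean required) {
        return new Provider() {
            public String scheme() { return scheme; }
            public boolean requiresAuthentication() { return required; }
        };
    }

    // Per-connection state: schemes that authenticated, plus the cached gate result.
    static final class Connection {
        final Set<String> authenticatedSchemes = new HashSet<>();
        boolean gatePassed;             // the check runs once, then is remembered
        boolean receiveEnabled = true;
    }

    static final class Server {
        private final List<Provider> providers;
        Server(List<Provider> providers) { this.providers = providers; }

        // Auth packets are always accepted so a client can complete authentication.
        void onAuthPacket(Connection c, String scheme, boolean providerAccepted) {
            if (providerAccepted) c.authenticatedSchemes.add(scheme);
        }

        // A data packet is processed only if every requiring scheme has authenticated.
        boolean onDataPacket(Connection c) {
            if (!c.receiveEnabled) return false;
            if (!c.gatePassed) {
                for (Provider p : providers) {
                    if (p.requiresAuthentication()
                            && !c.authenticatedSchemes.contains(p.scheme())) {
                        c.receiveEnabled = false;   // fail closed: disable receive
                        return false;
                    }
                }
                c.gatePassed = true;
            }
            return true;                // hand the request to normal processing
        }
    }

    public static void main(String[] args) {
        // Constructed setup: one optional scheme and one that requires authentication.
        Server s = new Server(Arrays.asList(provider("digest", false), provider("x-cert", true)));
        Connection anon = new Connection();
        System.out.println("no auth packet -> processed: " + s.onDataPacket(anon));
        Connection ok = new Connection();
        s.onAuthPacket(ok, "x-cert", true);
        System.out.println("authenticated  -> processed: " + s.onDataPacket(ok));
    }
}
```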