zookeeper-dev mailing list archives

From "Botond Hejj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2462) force authentication/authorization
Date Thu, 28 Jun 2018 11:29:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16526225#comment-16526225

Botond Hejj commented on ZOOKEEPER-2462:

Hi [~andorm],

I have previously commented on 1634. I see that patch is not updated since that time and still

I see also now 2526. I don't see a patch there. My patch would solve that Jira as well I believe.
If forceAuthentication is turned clients which will fail SASL auth. Similarly to the proposed allowAnonLogin=False.

The only feature I see missing is more related to 1634. In my patch it is not possible to
filter the authentication enforcement to a specific scheme. If we would like to add that as
well then instead of a boolean we would need an option with the list of enforced schemes. Enforcing
only a single scheme doesn't work for me.



> force authentication/authorization
> ----------------------------------
>                 Key: ZOOKEEPER-2462
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Botond Hejj
>            Priority: Minor
>         Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
> This change introduces two new config options to force authorization and authentication:
> 1. disableWorldACL
> The purpose of this option is to disable the builtin mechanism which authorizes everyone.
> If it is turned on then the world/anyone usage is ignored. ZooKeeper will not check operations
> based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This restriction
> is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on then ZooKeeper won't authorize any operation if the user
> has not authenticated either with SASL or with addAuth.
> There is a way to enforce SASL authentication but currently there is no way to enforce
> authentication using the plugin mechanism. Enforcing authentication for that is more tricky
> since authentication can come any time later. This option doesn't drop the connection if there
> was no authentication. It is only throwing NoAuth for any operation until the Auth packet

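The semantics of the two options described in the issue, as an added example that is not part of the original message and is not ZooKeeper's code or the attached patch. It is a simplified Python model: the names Session, Server, check and allowed are hypothetical, identities are plain (scheme, id) pairs matched by equality, and a session is assumed to hold only identities gained through SASL or addAuth.

```python
from dataclasses import dataclass, field

READ, WRITE = 1, 2                 # constructed permission bits for the model
ANYONE = ("world", "anyone")


class NoAuth(Exception):
    """Stands in for the NoAuth error named in the issue."""


@dataclass
class Session:
    # Identities gained via SASL or addAuth, as (scheme, id) pairs.
    ids: set = field(default_factory=set)

    def add_auth(self, scheme, ident):
        # Authentication may arrive at any point after connecting.
        self.ids.add((scheme, ident))


@dataclass
class Server:
    disable_world_acl: bool = False      # models disableWorldACL
    force_authentication: bool = False   # models forceAuthentication

    def check(self, session, acl, perm):
        """Return True if the operation is allowed, raise NoAuth otherwise."""
        # forceAuthentication: the connection stays open, but every
        # operation is refused until the session has authenticated.
        if self.force_authentication and not session.ids:
            raise NoAuth("session has not authenticated")
        for perms, ident in acl:
            if not (perms & perm):
                continue
            if ident == ANYONE:
                if self.disable_world_acl:
                    continue             # world/anyone entries are ignored
                return True
            if ident in session.ids:
                return True
        raise NoAuth("no ACL entry grants this permission")


def allowed(server, session, acl, perm):
    try:
        return server.check(session, acl, perm)
    except NoAuth:
        return False
```

In this model a node whose ACL contains only world/anyone becomes unreachable for every session once disable_world_acl is set, so such ACLs need replacing before the option is enabled.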