zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andor Molnar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2462) force authentication/authorization
Date Tue, 10 Jul 2018 14:08:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16538648#comment-16538648
] 

Andor Molnar commented on ZOOKEEPER-2462:
-----------------------------------------

[~botond.hejj]

It seems to me that your comments on ZOOKEEPER-1634 are slightly outdated. Now I'm looking
at [~hanm]'s pull request and comparing with your patch

[https://github.com/apache/zookeeper/pull/118]
 # There's no disableWorldAcl options, but in that case I don't it's needed,
 # I can't see that option. I only see one new bool option: sessionRequireClientSASLAuth
to enabled/disable the feature
 # Correct.
 # I think in the pull request it's already finished
 # -""-

The only main difference I can see is that in the other approach the client won't be able
to establish a new session if the first packet after the connection is not an SASL auth packet
with valid authentication. Connection will be immediately closed, therefore server resources
can't be exhausted. Sounds like a more secure approach to me with the trade-off by removing
the 'addAuth' client command feature, but I think it's feasible.

My suggestion is that we could pick where [~hanm] left off the pull request and submit changes
until we get an agreement from the community.

Do you think it would work for you [~botond.hejj] ?

Is there anything which is not included in the pull request and we should add to meet your
requirements?

> force authentication/authorization
> ----------------------------------
>
>                 Key: ZOOKEEPER-2462
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Botond Hejj
>            Priority: Minor
>         Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
>
>
> This change introduces two new config options to force authorization and authentication:
> 1. disableWorldACL
> The purpose of this option is disable the builtin mechanism which authorizes everyone.
> If it is turned on than the world/anyone usage is ignored. ZooKeeper will not check operations
based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This restriction
is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on than ZooKeeper won't authorize any operation if the user
has not authenticated either with SASL or with addAuth.
> There is way to enforce SASL authentication but currently there is no way to enforce
authentication using the plugin mechanism. Enforcing authentication for that is more tricky
since authentication can come any time later. This option doesn't drop the connection if there
was no authentication. It is only throwing NoAuth for any operation until the Auth packet
arrives.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message