zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mohammad Arshad (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2843) auth_to_local should support reading rules from a file
Date Mon, 28 Jan 2019 06:54:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16753740#comment-16753740
] 

Mohammad Arshad commented on ZOOKEEPER-2843:
--------------------------------------------

security.auth_to_local configuration as string in zoo.cfg is causing problem in branch-3.5
and master

*Reason:*

Every time dynamic configuration file version is changed static configuration file zoo.cfg
is rewritten. While rewriting security.auth_to_local new line characters are lost. This is
breaking the functionality.
 *Scenarios:*
 * security.auth_to_local=RULE:[1:$1]\nRULE:[2:$1]\nDEFAULT
 When ZooKeeper server starts it changes this property to security.auth_to_local=RULE:[1:$1]nRULE:[2:$1]nDEFAULT.
So these rules become invalid.

 * security.auth_to_local=RULE:[1:$1]\\nRULE:[2:$1]
nDEFAULT
 When ZooKeeper server starts it rewrites as the property
 security.auth_to_local=RULE:[1:$1]
 RULE:[2:$1]
 DEFAULT
 This also does not work because in code security.auth_to_local gives value only RULE:[1:$1]
not the complete value.

> auth_to_local should support reading rules from a file
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-2843
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2843
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: kerberos, server
>    Affects Versions: 3.4.10, 3.5.3
>            Reporter: Lionel Cons
>            Priority: Major
>         Attachments: ZOOKEEPER-2843.patch
>
>
> The current handling of {{zookeeper.security.auth_to_local}} in {{KerberosName.java}}
only supports rules given directly as property value.
> These rules must therefore be given on the command line and:
> * must be escaped properly to avoid shell expansion
> * are visible in the {{ps}} output
> It would be much better to put these rules in a file and pass the file path as the property
value. We would then use something like {{-Dzookeeper.security.auth_to_local=file:/etc/zookeeper/rules}}.
> Note that using the {{file:}} prefix allows keeping backward compatibility.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message