zookeeper-issues mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1634) A new feature proposal to ZooKeeper: authentication enforcement
Date Wed, 24 Jul 2019 04:12:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16891586#comment-16891586 ]

Hadoop QA commented on ZOOKEEPER-1634:

+1 overall.  GitHub Pull Request  Build

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 16 new or modified tests.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 3.0.1) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit

    +1 core tests.  The patch passed core unit tests.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/4070//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/4070//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/4070//console

This message is automatically generated.

> A new feature proposal to ZooKeeper: authentication enforcement
> ---------------------------------------------------------------
>                 Key: ZOOKEEPER-1634
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1634
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: security, server
>    Affects Versions: 3.4.5
>            Reporter: Jaewoong Choi
>            Assignee: Michael Han
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.6.0
>         Attachments: zookeeper_3.4.5_patch_for_authentication_enforcement.patch
>   Original Estimate: 72h
>          Time Spent: 4h
>  Remaining Estimate: 68h
> Up to the version of 3.4.5, ZooKeeperServer doesn't force the authentication if the client doesn't give any auth-info through ZooKeeper#addAuthInfo method invocation.  Hence, every znode should have at least one ACL assigned, otherwise any unauthenticated client can do anything on it.
> The current authentication/authorization mechanism of ZooKeeper described above has several points at issue:
> 1. From a security standpoint, a maleficent client can access a znode which doesn't have any proper authorization access control set.
> 2. From a runtime performance standpoint, authorization for every znode to every operation is unnecessarily but always evaluated against the client who bypassed the authentication phase.
> In other words, the current mechanism doesn't address a certain requirement as below:
> "We want to protect a ZK server by enforcing a simple authentication to every client no matter which znode it is trying to access.  Every connection (or operation) from the client won't be established but rejected if it doesn't come with valid authentication information.  As we don't have any other distinction between znodes in terms of authorization, we don't want any ACLs on any znode."
> To address the issues mentioned above, we propose a feature called "authentication enforcement" to the ZK source.  The idea is roughly but clearly described in the form of a patch in the attached file (zookeeper_3.4.5_patch_for_authentication_enforcement.patch): which makes ZooKeeperServer enforce the authentication with the given 2 configurations: authenticationEnforced (boolean) and enforcedAuthenticationScheme (string) against every operation coming through ZooKeeperServer#processPacket method except for OpCode.auth operation.  The repository base of the patch is "http://svn.apache.org/repos/asf/zookeeper/tags/release-3.4.5/"

This message was sent by Atlassian JIRA
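
A small model of the gate the issue description proposes, added here as an illustration; it is not the attached patch and not ZooKeeper code. The Server and Session classes, the credential store and the /cfg znode are constructed for the example; only authenticationEnforced, enforcedAuthenticationScheme, processPacket and OpCode.auth are names taken from the description.

```python
from dataclasses import dataclass, field

OP_AUTH = "auth"                      # stands in for OpCode.auth
WORLD = ("world", "anyone")           # open ACL entry: no authentication needed

class AuthRequired(Exception):
    """Non-auth operation from a session lacking the enforced scheme."""

@dataclass
class Session:
    auth_info: set = field(default_factory=set)    # verified (scheme, id) pairs

@dataclass
class Server:                                      # hypothetical model, not ZooKeeperServer
    authentication_enforced: bool = False          # authenticationEnforced
    enforced_authentication_scheme: str = "digest" # enforcedAuthenticationScheme
    known_ids: set = field(default_factory=set)    # constructed credential store
    znodes: dict = field(default_factory=dict)     # path -> (data, acl set)
    acl_checks: int = 0                            # ACL evaluations performed

    def process_packet(self, session, op, path=None, payload=None):
        if op == OP_AUTH:                          # exempt: this is how a client logs in
            if payload not in self.known_ids:
                raise PermissionError("bad credentials")
            session.auth_info.add(payload)
            return "ok"
        schemes = {scheme for scheme, _ in session.auth_info}
        if self.authentication_enforced and self.enforced_authentication_scheme not in schemes:
            raise AuthRequired(op)                 # rejected before any ACL is evaluated
        data, acl = self.znodes[path]
        self.acl_checks += 1
        if WORLD not in acl and not (acl & session.auth_info):
            raise PermissionError(path)
        if op == "setData":
            self.znodes[path] = (payload, acl)
            return "ok"
        return data                                # getData

def demo():
    """Anonymous setData on a znode with an open ACL, enforcement off then on."""
    results = {}
    for enforced in (False, True):
        srv = Server(enforced, known_ids={("digest", "app")},
                     znodes={"/cfg": (b"v1", {WORLD})})
        try:
            srv.process_packet(Session(), "setData", "/cfg", b"changed")
            outcome = "written"
        except AuthRequired:
            outcome = "rejected"
        results[enforced] = (outcome, srv.znodes["/cfg"][0], srv.acl_checks)
    return results
```

With enforcement off, the anonymous write succeeds after one ACL evaluation; with it on, the request is rejected with no ACL evaluated, which covers both points raised in the description.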
