From issues-return-427-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Wed Jul 24 16:02:04 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id D7C6018025F for ; Wed, 24 Jul 2019 18:02:03 +0200 (CEST) Received: (qmail 75410 invoked by uid 500); 24 Jul 2019 16:02:03 -0000 Mailing-List: contact issues-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list issues@zookeeper.apache.org Received: (qmail 75398 invoked by uid 99); 24 Jul 2019 16:02:03 -0000 Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Jul 2019 16:02:03 +0000 Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 43834E2F23 for ; Wed, 24 Jul 2019 16:02:02 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 77CF8265F4 for ; Wed, 24 Jul 2019 16:02:01 +0000 (UTC) Date: Wed, 24 Jul 2019 16:02:01 +0000 (UTC) From: "Enrico Olivelli (JIRA)" To: issues@zookeeper.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Resolved] (ZOOKEEPER-1634) A new feature proposal to ZooKeeper: authentication enforcement MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/ZOOKEEPER-1634?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Enrico Olivelli resolved ZOOKEEPER-1634. ---------------------------------------- Resolution: Fixed > A new feature proposal to ZooKeeper: authentication enforcement > --------------------------------------------------------------- > > Key: ZOOKEEPER-1634 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1634 > Project: ZooKeeper > Issue Type: New Feature > Components: security, server > Affects Versions: 3.4.5 > Reporter: Jaewoong Choi > Assignee: Michael Han > Priority: Major > Labels: pull-request-available > Fix For: 3.6.0 > > Attachments: zookeeper_3.4.5_patch_for_authentication_enforcement.patch > > Original Estimate: 72h > Time Spent: 4.5h > Remaining Estimate: 67.5h > > Up to the version of 3.4.5, ZooKeeperServer doesn't force the authentication if the client doesn't give any auth-info through ZooKeeper#addAuthInfo method invocation. Hence, every znode should have at least one ACL assigned otherwise any unauthenticated client can do anything on it. > The current authentication/authorization mechanism of ZooKeeper described above has several points at issue: > 1. At security standpoint, a maleficent client can access a znode which doesn't have any proper authorization access control set. > 2. At runtime performance standpoint, authorization for every znode to every operation is unnecessarily but always evaluated against the client who bypassed the authentication phase. > In other words, the current mechanism doesn't address a certain requirement at below: > "We want to protect a ZK server by enforcing a simple authentication to every client no matter which znode it is trying to access. Every connection (or operation) from the client won't be established but rejected if it doesn't come with a valid authentication information. As we don't have any other distinction between znodes in term of authorization, we don't want any ACLs on any znode." > To address the issues mentioned above, we propose a feature called "authentication enforcement" to the ZK source. The idea is roughly but clearly described in a form of patch in the attached file (zookeeper_3.4.5_patch_for_authentication_enforcement.patch): which makes ZooKeeperServer enforce the authentication with the given 2 configurations: authenticationEnforced (boolean) and enforcedAuthenticationScheme (string) against every operation coming through ZooKeeperServer#processPacket method except for OpCode.auth operation. The repository base of the patch is "http://svn.apache.org/repos/asf/zookeeper/tags/release-3.4.5/" -- This message was sent by Atlassian JIRA (v7.6.14#76016)