zookeeper-issues mailing list archives

From "Michael Han (Jira)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3558) Support authentication enforcement
Date Thu, 26 Sep 2019 23:44:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939031#comment-16939031 ]

Michael Han commented on ZOOKEEPER-3558:

For 1 - I am not exactly sure if we should back port anything from master to branch-3.5 at
this moment. My hope is we should focus on master branch and get 3.6 release out of the door
and unify the development / release divergence we created (3.4 as stable release, 3.5 as beta
release - which only recently dropped beta tag, and 3.6/master as dev branch) which would
save some maintaining overhead for community and contributors. That said, if someone wants
to back port that JIRA, I am happy to review and commit.

For 2 - yes, that's a good idea to generalize. In fact, it was commented in the original PR
(https://github.com/apache/zookeeper/pull/118#issuecomment-495386499). This work was scoped
out of the original PR and I created https://issues.apache.org/jira/browse/ZOOKEEPER-3561
to track the generalization work.

> Support authentication enforcement
> ----------------------------------
>                 Key: ZOOKEEPER-3558
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3558
>             Project: ZooKeeper
>          Issue Type: New Feature
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>            Priority: Major
>             Fix For: 3.5.7
>         Attachments: ZOOKEEPER-3558-01.patch
> Provide authentication enforcement in ZooKeeper that is backward compatible and can work for any authentication scheme, can work even with custom authentication schemes.
> *Problems:*
> 1. Currently server is starting with default authentication providers (DigestAuthenticationProvider, IPAuthenticationProvider). These default authentication providers are not really secure.
> 2. ZooKeeper server is not checking whether authentication is done or not before performing any user operation.
> *Solutions:*
> 1. We should not start any authentication provider by default. But this would be backward incompatible change. So we can provide configuration whether to start default authentication providers or not.
> By default we can start these authentication providers.
> 2. Before any user operation server should check whether authentication happened or not. At least client must be authenticated with one authentication scheme.

This message was sent by Atlassian Jira
