zookeeper-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Han (Jira)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3558) Support authentication enforcement
Date Thu, 26 Sep 2019 23:44:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939031#comment-16939031
] 

Michael Han commented on ZOOKEEPER-3558:
----------------------------------------

For 1 - I am not exactly sure if we should back port anything from master to branch-3.5 at
this moment. My hope is we should focus on master branch and get 3.6 release out of the door
and unify the development / release diverge we created (3.4 as stable release, 3.5 as beta
release - which only recently dropped beta tag, and 3.6/master as dev branch) which would
save some maintaining overhead for community and contributors. That said, if someone want
to back port that JIRA, i am happy to review and commit.

For 2 - yes, that's a good idea to generalize. In fact, it was commented in the original PR
(https://github.com/apache/zookeeper/pull/118#issuecomment-495386499). This work was scoped
out of the original PR and I created https://issues.apache.org/jira/browse/ZOOKEEPER-3561
to track the generalization work.




> Support authentication enforcement
> ----------------------------------
>
>                 Key: ZOOKEEPER-3558
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3558
>             Project: ZooKeeper
>          Issue Type: New Feature
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>            Priority: Major
>             Fix For: 3.5.7
>
>         Attachments: ZOOKEEPER-3558-01.patch
>
>
> Provide authentication enforcement in ZooKeeper that is backward compatible and can work
for any authentication scheme, can work even with custom authentication schemes.
> *Problems:*
> 1. Currently server is starting with default authentication providers(DigestAuthenticationProvider,
IPAuthenticationProvider). These default authentication providers are not really secure.
> 2. ZooKeeper server is not checking whether authentication is done or not before performing
any user operation.
> *Solutions:*
> 1. We should not start any authentication provider by default. But this would be backward
incompatible change. So we can provide configuration whether to start default authentication
provides are not.
> By default we can start these authentication providers.
> 2. Before any user operation server should check whether authentication happened or not.
At least client must be authenticated with one authentication scheme.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message