zookeeper-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mohammad Arshad (Jira)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3561) Generalize target authentication scheme for ZooKeeper authentication enforcement.
Date Fri, 27 Sep 2019 16:10:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939576#comment-16939576
] 

Mohammad Arshad commented on ZOOKEEPER-3561:
--------------------------------------------

1. In ZOOKEEPER-1634 all properties names are in context of SASL. Now the context is broad
and 3.6.0 is not released yet so i think we can change the property names. Giving new name
to properties.  enforce.auth.enabled and enforce.auth.scheme
2. There is no need to do special handling for allowSaslFailedClients scenario. When enforce
authentication is enabled allowSaslFailedClients is implied to be false. So we can take this
as false in case enforce.auth.enabled=true
Moreover allowSaslFailedClients seems to be a testing property. It makes no sense to enable
enforce authentication and allow failed SASL authentication. If someone wants to allow failed
authentication he will not enable enforce authentication and vice versa.
3. I think it may not be required to introduce new response code SESSIONCLOSEDREQUIRESASLAUTH.
Exploring bit more if we can use AUTHFAILED

> Generalize target authentication scheme for ZooKeeper authentication enforcement.
> ---------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3561
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3561
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.6.0
>            Reporter: Michael Han
>            Assignee: Mohammad Arshad
>            Priority: Major
>
> ZOOKEEPER-1634 introduced an option to allow user enforce authentication for ZooKeeper
clients, but the enforced authentication scheme in committed implementation was SASL only.

> This JIRA is to generalize the authentication scheme such that the authentication enforcement
on ZooKeeper clients could work with any supported authentication scheme.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message