From issues-return-1451-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Thu Sep 26 23:44:03 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 8D4E81804BB for ; Fri, 27 Sep 2019 01:44:02 +0200 (CEST) Received: (qmail 16229 invoked by uid 500); 26 Sep 2019 23:44:02 -0000 Mailing-List: contact issues-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list issues@zookeeper.apache.org Received: (qmail 16220 invoked by uid 99); 26 Sep 2019 23:44:01 -0000 Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 26 Sep 2019 23:44:01 +0000 Received: from jira-he-de.apache.org (static.172.67.40.188.clients.your-server.de [188.40.67.172]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id E5880E30F5 for ; Thu, 26 Sep 2019 23:44:00 +0000 (UTC) Received: from jira-he-de.apache.org (localhost.localdomain [127.0.0.1]) by jira-he-de.apache.org (ASF Mail Server at jira-he-de.apache.org) with ESMTP id 0D60C7804CE for ; Thu, 26 Sep 2019 23:44:00 +0000 (UTC) Date: Thu, 26 Sep 2019 23:44:00 +0000 (UTC) From: "Michael Han (Jira)" To: issues@zookeeper.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (ZOOKEEPER-3558) Support authentication enforcement MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/ZOOKEEPER-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939031#comment-16939031 ] Michael Han commented on ZOOKEEPER-3558: ---------------------------------------- For 1 - I am not exactly sure if we should back port anything from master to branch-3.5 at this moment. My hope is we should focus on master branch and get 3.6 release out of the door and unify the development / release diverge we created (3.4 as stable release, 3.5 as beta release - which only recently dropped beta tag, and 3.6/master as dev branch) which would save some maintaining overhead for community and contributors. That said, if someone want to back port that JIRA, i am happy to review and commit. For 2 - yes, that's a good idea to generalize. In fact, it was commented in the original PR (https://github.com/apache/zookeeper/pull/118#issuecomment-495386499). This work was scoped out of the original PR and I created https://issues.apache.org/jira/browse/ZOOKEEPER-3561 to track the generalization work. > Support authentication enforcement > ---------------------------------- > > Key: ZOOKEEPER-3558 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3558 > Project: ZooKeeper > Issue Type: New Feature > Reporter: Mohammad Arshad > Assignee: Mohammad Arshad > Priority: Major > Fix For: 3.5.7 > > Attachments: ZOOKEEPER-3558-01.patch > > > Provide authentication enforcement in ZooKeeper that is backward compatible and can work for any authentication scheme, can work even with custom authentication schemes. > *Problems:* > 1. Currently server is starting with default authentication providers(DigestAuthenticationProvider, IPAuthenticationProvider). These default authentication providers are not really secure. > 2. ZooKeeper server is not checking whether authentication is done or not before performing any user operation. > *Solutions:* > 1. We should not start any authentication provider by default. But this would be backward incompatible change. So we can provide configuration whether to start default authentication provides are not. > By default we can start these authentication providers. > 2. Before any user operation server should check whether authentication happened or not. At least client must be authenticated with one authentication scheme. -- This message was sent by Atlassian Jira (v8.3.4#803005)