From GitBox <...@apache.org>
Subject [GitHub] [zookeeper] eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication.
Date Sat, 15 Jun 2019 16:18:31 GMT
eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by
teaching server to enforce client authentication.
URL: https://github.com/apache/zookeeper/pull/118#discussion_r294052019
 
 

 ##########
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
 ##########
 @@ -1322,23 +1322,55 @@ public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer)
throws IOE
             }
             return;
         } else if (h.getType() == OpCode.sasl) {
-            Record rsp = processSasl(incomingBuffer,cnxn);
-            ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
-            cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
-            return;
+            processSasl(incomingBuffer,cnxn, h);
         } else {
+          if (shouldRequireClientSaslAuth() && !hasCnxSASLAuthenticated(cnxn)) {
+            ReplyHeader replyHeader = new ReplyHeader(h.getXid(), 0,
+                Code.SESSIONCLOSEDREQUIRESASLAUTH.intValue());
+            cnxn.sendResponse(replyHeader, null, "response");
+            cnxn.sendCloseSession();
+            cnxn.disableRecv();
+          } else {
             Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
-              h.getType(), incomingBuffer, cnxn.getAuthInfo());
+                h.getType(), incomingBuffer, cnxn.getAuthInfo());
             si.setOwner(ServerCnxn.me);
             // Always treat packet from the client as a possible
             // local request.
             setLocalSessionFlag(si);
             submitRequest(si);
-            return;
+          }
         }
     }
 
-    private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws IOException
{
+  private boolean shouldAllowSaslFailedClientsConnect() {
+    String allowSaslFailedClients = System.getProperty("zookeeper.allowSaslFailedClients");
+    if (allowSaslFailedClients == null) {
+      return false;
+    } else {
+      return allowSaslFailedClients.equals("true");
+    }
+  }
+
+  private boolean shouldRequireClientSaslAuth() {
+    String sessionRequireClientSASLAuth = System.getProperty("zookeeper.sessionRequireClientSASLAuth");
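Review bot: The null check plus `equals("true")` in `shouldAllowSaslFailedClientsConnect` is a hand-rolled `Boolean.getBoolean`; `return Boolean.getBoolean("zookeeper.allowSaslFailedClients");` covers both the unset and the `"true"` case, the only difference being that it also accepts `"TRUE"` case-insensitively. The indentation of the added code is also inconsistent with the file: the new `if`/`else` around the SASL check and the two new private methods use a two-space indent while the surrounding lines (the `Request si = ...` block, the removed `processSasl` signature) use four. Neither new method has a Javadoc naming the system property it reads or its fail-closed default, which an operator turning on mandatory SASL would need; a one-line summary such as `/** Whether clients that fail SASL authentication may stay connected; reads zookeeper.allowSaslFailedClients, default false. */` would cover it. `shouldRequireClientSaslAuth` is cut off at the end of the hunk, so how it maps the property to a boolean is not visible here.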
 
 Review comment:
   Can we sample the system property only once? (At boot for instance).
   We are not on the hot write/read path, but reading system properties should be treated as a slow operation.
   
   Not a blocker

