From GitBox <...@apache.org>
Subject [GitHub] [zookeeper] eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication.
Date Sat, 15 Jun 2019 16:18:31 GMT
eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by
teaching server to enforce client authentication.
URL: https://github.com/apache/zookeeper/pull/118#discussion_r294052033
 
 

 ##########
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
 ##########
 @@ -1322,23 +1322,55 @@ public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer)
throws IOE
             }
             return;
         } else if (h.getType() == OpCode.sasl) {
-            Record rsp = processSasl(incomingBuffer,cnxn);
-            ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
-            cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
-            return;
+            processSasl(incomingBuffer,cnxn, h);
         } else {
+          if (shouldRequireClientSaslAuth() && !hasCnxSASLAuthenticated(cnxn)) {
+            ReplyHeader replyHeader = new ReplyHeader(h.getXid(), 0,
+                Code.SESSIONCLOSEDREQUIRESASLAUTH.intValue());
+            cnxn.sendResponse(replyHeader, null, "response");
+            cnxn.sendCloseSession();
+            cnxn.disableRecv();
+          } else {
             Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
-              h.getType(), incomingBuffer, cnxn.getAuthInfo());
+                h.getType(), incomingBuffer, cnxn.getAuthInfo());
             si.setOwner(ServerCnxn.me);
             // Always treat packet from the client as a possible
             // local request.
             setLocalSessionFlag(si);
             submitRequest(si);
-            return;
+          }
         }
     }
 
-    private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws IOException
{
+  private boolean shouldAllowSaslFailedClientsConnect() {
+    String allowSaslFailedClients = System.getProperty("zookeeper.allowSaslFailedClients");
+    if (allowSaslFailedClients == null) {
+      return false;
+    } else {
+      return allowSaslFailedClients.equals("true");
+    }
+  }
+
+  private boolean shouldRequireClientSaslAuth() {
+    String sessionRequireClientSASLAuth = System.getProperty("zookeeper.sessionRequireClientSASLAuth");
+    if (sessionRequireClientSASLAuth == null) {
+      return false;
+    } else {
+      return sessionRequireClientSASLAuth.equals("true");
+    }
+  }
+
+  private boolean hasCnxSASLAuthenticated(ServerCnxn cnxn) {
+    for (Id id : cnxn.getAuthInfo()) {
+      if (id.getScheme().equals("sasl")) {
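Review bot: The rejection path at lines 29–34 is silent: a client that fails `shouldRequireClientSaslAuth() && !hasCnxSASLAuthenticated(cnxn)` is answered with SESSIONCLOSEDREQUIRESASLAUTH and disconnected without any server-side log line, so an operator cannot tell from the logs whether the new enforcement is rejecting unauthenticated connections or breaking legitimate clients. A warn-level entry before `cnxn.sendCloseSession()`, e.g. `LOG.warn("Closing session 0x{}: client SASL authentication is required but the connection is not authenticated", Long.toHexString(cnxn.getSessionId()));`, would make this visible. Separately, `shouldRequireClientSaslAuth()` and `shouldAllowSaslFailedClientsConnect()` re-read `System.getProperty` on every packet, so the enforcement mode can change at runtime without trace and the lookup is paid per request; resolving both once at construction into final fields and logging the effective value at startup makes the setting auditable and cheaper. `processPacket` begins before this hunk and `hasCnxSASLAuthenticated` continues past it.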
 
 Review comment:
   Do we have a constant for 'sasl'?

