zookeeper-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [zookeeper] eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication.
Date Sat, 15 Jun 2019 16:18:31 GMT
eolivelli commented on a change in pull request #118: ZOOKEEPER-1634: hardening security by
teaching server to enforce client authentication.
URL: https://github.com/apache/zookeeper/pull/118#discussion_r294052121
 
 

 ##########
 File path: zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
 ##########
 @@ -1361,27 +1393,39 @@ private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn
cnxn) throws IO
                         cnxn.addAuthInfo(new Id("super", ""));
                     }
                 }
-            }
-            catch (SaslException e) {
+            } catch (SaslException e) {
                 LOG.warn("Client failed to SASL authenticate: " + e, e);
-                if ((System.getProperty("zookeeper.allowSaslFailedClients") != null)
-                  &&
-                  (System.getProperty("zookeeper.allowSaslFailedClients").equals("true")))
{
-                    LOG.warn("Maintaining client connection despite SASL authentication failure.");
+                if (shouldAllowSaslFailedClientsConnect() && !shouldRequireClientSaslAuth())
{
+                  LOG.warn("Maintaining client connection despite SASL authentication failure.");
                 } else {
+                  int error;
+                  if (shouldRequireClientSaslAuth()) {
+                    LOG.warn("Closing client connection due to server requires client SASL
authenticaiton," +
+                        "but client SASL authentication has failed, or client is not configured
with SASL " +
+                        "authentication.");
+                    error = Code.SESSIONCLOSEDREQUIRESASLAUTH.intValue();
+                  } else {
                     LOG.warn("Closing client connection due to SASL authentication failure.");
-                    cnxn.close();
+                    error = Code.AUTHFAILED.intValue();
+                  }
+
+                  ReplyHeader replyHeader = new ReplyHeader(requestHeader.getXid(), 0, error);
+                  cnxn.sendResponse(replyHeader, new SetSASLResponse(null), "response");
+                  cnxn.sendCloseSession();
+                  cnxn.disableRecv();
+                  return;
                 }
             }
-        }
-        catch (NullPointerException e) {
+        } catch (NullPointerException e) {
 
 Review comment:
   This was there before, but actually I think catch NullPointerException is really a code
smell.
   Do you think we could drop this line and improve the code in the scope of this patch?
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message