zookeeper-user mailing list archives

From Flavio Junqueira <...@apache.org>
Subject Re: QOP SASL property
Date Fri, 09 Oct 2015 14:02:07 GMT
Not in the 3.4 branch, which is the latest stable branch at the moment.

-Flavio

> On 09 Oct 2015, at 15:00, Ivan Kelly <ivank@apache.org> wrote:
> 
> Is auth-int necessary if we have SSL on the client (as there is in trunk)?
> My understanding is that all comms would have to be wrapped by sasl if you
> have QOP enabled.
> 
> -Ivan
> 
> On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <fpj@apache.org> wrote:
> 
>> Hi Chris,
>> 
>> Yeah, I was thinking along the same lines, so sounds like a plan. I know
>> Raul is going to hate me for this, but I'd really like to have this in
>> 3.4.7. It sounds like a simple enough change that we can have in shortly,
>> does it sound right?
>> 
>> Please go ahead with the jira if you have time, and if you don't have time
>> to work on the patch, just assign it to me.
>> 
>> -Flavio
>> 
>> 
>>> On 08 Oct 2015, at 23:16, Chris Nauroth <cnauroth@hortonworks.com> wrote:
>>> 
>>> Hi Flavio,
>>> 
>>> It appears that the current code doesn't give us any way to control the
>>> QOP, so it must be always using the default QOP of "auth" (authentication
>>> only).  This is because the calls to Sasl#createSaslClient and
>>> Sasl#createSaslServer pass a hard-coded null for the properties map.
>>> 
>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L240
>>> 
>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L288
>>> 
>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L118
>>> 
>>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L144
>>> 
>>> If we want to support setting QOP to "auth-int" (authentication +
>>> integrity/man-in-the-middle tampering protection) or "auth-conf"
>>> (authentication + integrity + confidentiality/encryption), then I think
>>> we'll need to make code changes to read a new QOP configuration property,
>>> put it into a Map using Sasl#QOP as the key, and then pass it along to the
>>> Sasl#createSaslClient and Sasl#createSaslServer calls.
>>> 
>>> Is this what you need?  If so, then I'd be happy to write up the proposal
>>> in a new JIRA.  I didn't find any existing open JIRAs that look relevant.
>>> 
>>> --Chris Nauroth
>>> 
>>> 
>>> 
>>> 
>>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <fpj@apache.org> wrote:
>>> 
>>>> Has anyone tried to use the QOP (Quality of Protection) property for SASL
>>>> when running ZooKeeper?
>>>> 
>>>> -Flavio
>>> 
>> 
>> 
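
Added example, not part of the thread and not ZooKeeper's code: the change Chris Nauroth describes (a Map keyed by Sasl#QOP passed to Sasl#createSaslClient and Sasl#createSaslServer instead of null), run as an in-process DIGEST-MD5 exchange with the JDK's bundled SASL provider. The class name, the credentials, the "zookeeper" protocol name and the "localhost" server name are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslQopDemo {
    // Constructed credentials; one handler answers both the client and the server callbacks.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo-user");
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("demo-secret".toCharArray());
            else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            else if (cb instanceof AuthorizeCallback) ((AuthorizeCallback) cb).setAuthorized(true);
        }
    };

    // qop == null reproduces the hard-coded null properties map described in the thread.
    static Map<String, String> props(String qop) {
        return qop == null ? null : Collections.singletonMap(Sasl.QOP, qop);
    }

    static void run(String qop) throws Exception {
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "localhost", props(qop), HANDLER);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "zookeeper", "localhost", props(qop), HANDLER);
        byte[] token = server.evaluateResponse(new byte[0]); // server challenge, advertises the QOP it accepts
        token = client.evaluateChallenge(token);             // client response, selects a QOP
        token = server.evaluateResponse(token);              // server proves it knows the shared secret
        client.evaluateChallenge(token);                     // client verifies that proof; exchange complete
        String negotiated = (String) client.getNegotiatedProperty(Sasl.QOP);
        System.out.println("configured=" + qop + " negotiated=" + negotiated);
        if (!"auth".equals(negotiated)) {
            // With auth-int or auth-conf, every later message has to pass through wrap/unwrap.
            byte[] msg = "getData /demo".getBytes(StandardCharsets.UTF_8);
            byte[] wire = client.wrap(msg, 0, msg.length);
            byte[] back = server.unwrap(wire, 0, wire.length);
            System.out.println("  plain=" + msg.length + "B wire=" + wire.length
                    + "B unwrapped=" + new String(back, StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws Exception {
        run(null);       // behaviour described in the thread: null properties map
        run("auth-int"); // proposed behaviour: QOP supplied under the Sasl.QOP key
    }
}
```

The second run also shows the point Ivan raises: once a QOP above "auth" is negotiated, application traffic is carried inside SASL wrap/unwrap frames rather than sent as-is.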

