zookeeper-user mailing list archives

From Ivan Kelly <iv...@apache.org>
Subject Re: QOP SASL property
Date Fri, 09 Oct 2015 14:00:45 GMT
Is auth-int necessary if we have SSL on the client (as there is in trunk)?
My understanding is that all comms would have to be wrapped by sasl if you
have QOP enabled.

-Ivan

On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <fpj@apache.org> wrote:

> Hi Chris,
>
> Yeah, I was thinking along the same lines, so sounds like a plan. I know
> Raul is going to hate me for this, but I'd really like to have this in
> 3.4.7. It sounds like a simple enough change that we can have in shortly,
> does it sound right?
>
> Please go ahead with the jira if you have time, and if you don't have time
> to work on the patch, just assign it to me.
>
> -Flavio
>
>
> > On 08 Oct 2015, at 23:16, Chris Nauroth <cnauroth@hortonworks.com> wrote:
> >
> > Hi Flavio,
> >
> > It appears that the current code doesn't give us any way to control the
> > QOP, so it must be always using the default QOP of "auth" (authentication
> > only).  This is because the calls to Sasl#createSaslClient and
> > Sasl#createSaslServer pass a hard-coded null for the properties map.
> >
> >
> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L240
> >
> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L288
> >
> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L118
> >
> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L144
> >
> > If we want to support setting QOP to "auth-int" (authentication +
> > integrity/man-in-the-middle tampering protection) or "auth-conf"
> > (authentication + integrity + confidentiality/encryption), then I think
> > we'll need to make code changes to read a new QOP configuration property,
> > put it into a Map using Sasl#QOP as the key, and then pass it along to the
> > Sasl#createSaslClient and Sasl#createSaslServer calls.
> >
> > Is this what you need?  If so, then I'd be happy to write up the proposal
> > in a new JIRA.  I didn't find any existing open JIRAs that look relevant.
> >
> > --Chris Nauroth
> >
> >
> >
> >
> > On 10/8/15, 2:06 PM, "Flavio Junqueira" <fpj@apache.org> wrote:
> >
> >> Has anyone tried to use the QOP (Quality of Protection) property for SASL
> >> when running ZooKeeper?
> >>
> >> -Flavio
> >
>
>

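The change Chris describes above, as an added example (not code from the ZooKeeper project or from anyone in this thread): the properties map carries a Sasl.QOP preference list instead of the hard-coded null, both createSasl* calls receive it, and after an in-process DIGEST-MD5 handshake the caller checks the negotiated QOP before wrapping any traffic, since the server chooses from the list and may downgrade. The protocol name, server name and credentials are assumed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

// Added example, not ZooKeeper's own code. Protocol/server name and credentials are
// constructed sample values, not taken from the project.
public class SaslQopDemo {
    static final String USER = "bob";
    static final char[] PASS = "s3cret".toCharArray();

    // One handler serves both sides; realm callbacks echo the peer-supplied default realm.
    static CallbackHandler handler() {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(USER);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(PASS);
                else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else if (cb instanceof AuthorizeCallback) ((AuthorizeCallback) cb).setAuthorized(true);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Runs a DIGEST-MD5 handshake with the given QOP preference list; returns {client, server}. */
    static Object[] negotiate(String qopPreference) throws SaslException {
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, qopPreference); // e.g. "auth-conf,auth-int,auth", strongest first
        SaslServer ss = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", props, handler());
        SaslClient sc = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "zookeeper", "zk-sasl-md5", props, handler());
        byte[] token = ss.evaluateResponse(new byte[0]); // initial server challenge
        while (!sc.isComplete()) {
            token = sc.evaluateChallenge(token);
            if (!ss.isComplete()) token = ss.evaluateResponse(token);
        }
        return new Object[] {sc, ss};
    }

    public static void main(String[] args) throws Exception {
        Object[] pair = negotiate("auth-conf,auth-int,auth");
        SaslClient sc = (SaslClient) pair[0];
        SaslServer ss = (SaslServer) pair[1];
        // The server picks from the client's list; never assume the request was honoured.
        String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
        if (!"auth-conf".equals(qop)) throw new IllegalStateException("negotiated QOP " + qop + ", refusing to continue");
        // With auth-int or auth-conf every application message must go through wrap/unwrap.
        byte[] plain = "getData /config".getBytes(StandardCharsets.UTF_8);
        byte[] wire = sc.wrap(plain, 0, plain.length);
        byte[] seen = ss.unwrap(wire, 0, wire.length);
        System.out.println(qop + ": " + new String(seen, StandardCharsets.UTF_8));
        sc.dispose(); ss.dispose();
    }
}
```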