zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Kelly <iv...@apache.org>
Subject Re: QOP SASL property
Date Fri, 09 Oct 2015 14:38:35 GMT
To protect the integrity of each packet, each packet needs to be wrapped by
SaslClient/SaslServer (see wrap/unwrap in
http://docs.oracle.com/javase/8/docs/api/javax/security/sasl/SaslClient.html).
Currently sasl is only used to initialize the connection, and then we send
over the raw socket. This changes the lifetime of the sasl components, as
it needs to be used with all communication. It's not like SSL, where we
negotiate SSL at the start and then the SSL engine provides a socket which
we use to send data.

-Ivan

On Fri, Oct 9, 2015 at 4:33 PM Flavio Junqueira <fpj@apache.org> wrote:

> I'm not sure based on what you say that it'd be invasive. Enabling
> different types of QOP seems to be relatively straightforward, unless I'm
> missing something here. Chris did a good job describing what needs to be
> done, and this far I have the same understanding of the changes.
>
> -Flavio
>
> > On 09 Oct 2015, at 15:30, Ivan Kelly <ivank@apache.org> wrote:
> >
> > IMO, adding QOP to 3.4 would be a fairly large and invasive change, which
> > is something which shouldn't be done on the stable branch.
> >
> > -Ivan
> >
> > On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <fpj@apache.org> wrote:
> >
> >> Not in the 3.4 branch, which is the latest stable branch at the moment.
> >>
> >> -Flavio
> >>
> >>> On 09 Oct 2015, at 15:00, Ivan Kelly <ivank@apache.org> wrote:
> >>>
> >>> Is auth-int necessary if we have SSL on the client (as there is in
> >> trunk)?
> >>> My understanding is that all comms would have to be wrapped by sasl if
> >> you
> >>> have QOP enabled.
> >>>
> >>> -Ivan
> >>>
> >>> On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <fpj@apache.org>
> wrote:
> >>>
> >>>> Hi Chris,
> >>>>
> >>>> Yeah, I was thinking along the same lines, so sounds like a plan. I
> know
> >>>> Raul is going to hate me for this, but I'd really like to have this
in
> >>>> 3.4.7. It sounds like a simple enough change that we can have in
> >> shortly,
> >>>> does it sound right?
> >>>>
> >>>> Please go ahead with the jira if you have time, and if you don't have
> >> time
> >>>> to work on the patch, just assign it to me.
> >>>>
> >>>> -Flavio
> >>>>
> >>>>
> >>>>> On 08 Oct 2015, at 23:16, Chris Nauroth <cnauroth@hortonworks.com>
> >>>> wrote:
> >>>>>
> >>>>> Hi Flavio,
> >>>>>
> >>>>> It appears that the current code doesn't give us any way to control
> the
> >>>>> QOP, so it must be always using the default QOP of "auth"
> >> (authentication
> >>>>> only).  This is because the calls to Sasl#createSaslClient and
> >>>>> Sasl#createSaslServer pass a hard-coded null for the properties
map.
> >>>>>
> >>>>>
> >>>>
> >>
> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo
> >>>>> keeper/client/ZooKeeperSaslClient.java#L240
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>
> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo
> >>>>> keeper/client/ZooKeeperSaslClient.java#L288
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>
> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo
> >>>>> keeper/server/ZooKeeperSaslServer.java#L118
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>
> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo
> >>>>> keeper/server/ZooKeeperSaslServer.java#L144
> >>>>>
> >>>>>
> >>>>> If we want to support setting QOP to "auth-int" (authentication
+
> >>>>> integrity/man-in-the-middle tampering protection) or "auth-conf"
> >>>>> (authentication + integrity + confidentiality/encryption), then
I
> think
> >>>>> we'll need to make code changes to read a new QOP configuration
> >> property,
> >>>>> put it into a Map using Sasl#QOP as the key, and then pass it along
> to
> >>>> the
> >>>>> Sasl#createSaslClient and Sasl#createSaslServer calls.
> >>>>>
> >>>>> Is this what you need?  If so, then I'd be happy to write up the
> >> proposal
> >>>>> in a new JIRA.  I didn't find any existing open JIRAs that look
> >> relevant.
> >>>>>
> >>>>> --Chris Nauroth
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <fpj@apache.org> wrote:
> >>>>>
> >>>>>> Has anyone tried to use the QOP (Quality of Protection) property
for
> >>>> SASL
> >>>>>> when running ZooKeeper?
> >>>>>>
> >>>>>> -Flavio
> >>>>>
> >>>>
> >>>>
> >>
> >>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message