zookeeper-user mailing list archives

From Botond Hejj <Botond.H...@MorganStanley.com>
Subject SASL jaas.conf principal="*" problem
Date Mon, 05 Feb 2018 18:21:56 GMT
Hi,

Java 8 introduced the possibility to use * for the principal in treadmill
which is great and would allow us to run treadmill behind multiple
interfaces and SASL would pick the right keytab.

Unfortunately this doesn't work in ZooKeeper. I have dived into the code a
bit and what I have found is that ZooKeeper is using DIGEST-MD5 in that case
even though I don't use the DigestLoginModule. The reason for that is line
251 here:
https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/util/SecurityUtils.java

It falls back to Digest if the principal list is empty, which is the case
when * is specified.
Why is that, and why is the login type not checked?
Anyway, this can only be fixed in a non-backward-compatible way, or with a
flag in a backward-compatible way.

I could prepare a patch.
I would just like to understand the reason behind the implementation. Is
there any particular reason why this fallback is there? What would the
implication be if I remove that? If I understand the reason, maybe I could
patch it without breaking backward compatibility.

There is also a comment: TODO: use 'authMech=' value in zoo.cfg.

Is there any JIRA or patch for that?

Regards,
Botond Hejj
Morgan Stanley | Technology
Lechner Odon fasor 8 | Floor 07
Budapest, 1095
Phone: +36 1 881-3962
Botond.Hejj@MorganStanley.com
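
The fallback described in the message above, as an added example that is not part of the original post and not ZooKeeper's own code: a simplified model that picks the SASL mechanism from the Subject's principal set, next to a hypothetical alternative that picks it from the login module named in the JAAS section, so a Kerberos configuration with principal="*" is not silently downgraded to DIGEST-MD5. The class and method names, the "Server" section name and the in-memory configuration are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class MechanismChoice {
    static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    // Simplified model of the fallback the post describes: no principals => DIGEST-MD5.
    static String byPrincipals(Subject subject) {
        return subject.getPrincipals().isEmpty() ? "DIGEST-MD5" : "GSSAPI";
    }

    // Hypothetical alternative: decide from the login module configured in the JAAS section.
    static String byLoginModule(Configuration conf, String section) {
        AppConfigurationEntry[] entries = conf.getAppConfigurationEntry(section);
        if (entries == null) {
            throw new IllegalStateException("no JAAS section named " + section);
        }
        for (AppConfigurationEntry e : entries) {
            if (KRB5.equals(e.getLoginModuleName())) {
                return "GSSAPI";
            }
        }
        return "DIGEST-MD5";
    }

    public static void main(String[] args) {
        // Constructed stand-in for a jaas.conf section that uses principal="*".
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("isInitiator", "false");
        opts.put("principal", "*");
        AppConfigurationEntry entry =
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Server".equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
        // Assumption taken from the post: a "*" login leaves the principal set empty.
        Subject subject = new Subject();
        System.out.println("by principals:   " + byPrincipals(subject));
        System.out.println("by login module: " + byLoginModule(conf, "Server"));
    }
}
```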
