From: Martin Gainty
To: user@zookeeper.apache.org
Subject: Re: SASL jaas.conf principal="*" problem
Date: Wed, 7 Feb 2018 17:03:24 +0000
MG> I agree. DIGEST-MD5 (and not Kerberos) seems to be the default authentication for ZooKeeper:

    SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler);

MG> To ask a dumb question: where is DIGEST-MD5.conf located in the ZooKeeper binary distro?
MG> Or is it sufficient to supply the DIGEST-MD5.conf parameters in jaas.conf?

________________________________
From: Andor Molnar
Sent: Wednesday, February 7, 2018 10:29 AM
To: user@zookeeper.apache.org
Subject: Re: SASL jaas.conf principal="*" problem

Hi Botond,

I believe the guy who originally implemented this (Rakesh) can give some
color to your question, but until then you could dig into the original Jira:

https://issues.apache.org/jira/browse/ZOOKEEPER-1045

for more information.

Other than that, if you believe that you can either fix the issue or
implement it in a better way, your contribution will be highly appreciated
and it would be very kind of you to open a new Jira and a new pull request
on GitHub. We can discuss further details there.

Thanks,
Andor

On Mon, Feb 5, 2018 at 7:21 PM, Botond Hejj wrote:

> Hi,
>
> Java 8 introduced the possibility to use * for the principal in treadmill,
> which is great and would allow us to run treadmill behind multiple
> interfaces, and SASL would pick the right keytab.
>
> Unfortunately this doesn't work in ZooKeeper. I have dived into the code a
> bit, and what I have found is that ZooKeeper is using DIGEST-MD5 in that
> case even though I don't use the DigestLoginModule. The reason for that is
> line 251 here:
> https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/util/SecurityUtils.java
>
> It falls back to Digest if the principal list is empty, which is the case
> when * is specified.
> Why is that, and why isn't the login type checked?
> Anyway, this can only be fixed in a non-backward-compatible way, or with a
> flag in a backward-compatible way.
>
> I could prepare a patch.
> I would just like to understand the reason behind the implementation. Is
> there any particular reason why this fallback is there? What would the
> implication be if I removed it? If I understand the reason, maybe I could
> patch it without breaking backward compatibility.
>
> There is also a comment: TODO: use 'authMech=' value in zoo.cfg.
>
> Is there any Jira or patch for that?
>
> Regards,
> Botond Hejj
> Morgan Stanley | Technology
> Lechner Odon fasor 8 | Floor 07
> Budapest, 1095
> Phone: +36 1 881-3962
> Botond.Hejj@MorganStanley.com
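The fallback Botond describes is a mechanism decision taken on an incidental property of the JAAS Subject (whether its principal set is empty), not on what was configured. The stand-alone Java program below is an added illustration for this thread, not ZooKeeper's own code: it reproduces that heuristic next to a selection that looks at what the login actually produced (a KerberosPrincipal, or the unbound KeyTab private credential that the JDK's Krb5LoginModule stores when principal="*" is used) and lets an explicit mechanism setting win. The "authMech" key is taken from the TODO quoted in the thread; how it would be read from zoo.cfg, the class name, the JAAS section name and the sample principal and keytab path are assumptions. The Subjects are constructed in-process, so no KDC, keytab file or krb5.conf is needed to run it.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

/*
 * The two JAAS entries this example reasons about (section name, host and
 * keytab path are assumptions, not taken from the thread):
 *
 *   QuorumServer {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true
 *       storeKey=true
 *       useTicketCache=false
 *       keyTab="/etc/security/keytabs/zookeeper.keytab"
 *       principal="zookeeper/zk1.example.com@EXAMPLE.COM";
 *   };
 *
 *   QuorumServer {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true
 *       storeKey=true
 *       useTicketCache=false
 *       keyTab="/etc/security/keytabs/zookeeper.keytab"
 *       principal="*";    // Java 8+: accept for any service principal in the keytab
 *   };
 *
 * For the second entry the JDK's Krb5LoginModule cannot know in advance which
 * principal a peer will target, so it adds no KerberosPrincipal to the Subject;
 * it stores the keytab as an unbound KeyTab private credential and the acceptor
 * name is resolved when the GSS context is accepted. That is why the principal
 * set is empty in the principal="*" case.
 */
public final class SaslMechanismSelection {

    static final String GSSAPI = "GSSAPI";
    static final String DIGEST_MD5 = "DIGEST-MD5";

    /**
     * The heuristic the thread describes: any principal in the Subject means
     * Kerberos, an empty principal set means DIGEST-MD5. A principal="*" login
     * therefore lands on the DIGEST-MD5 path although no DigestLoginModule is
     * configured.
     */
    static String selectByPrincipalList(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        return principals.isEmpty() ? DIGEST_MD5 : GSSAPI;
    }

    /**
     * Alternative: honour an explicit setting first, otherwise infer the
     * mechanism from what the login actually produced. "authMech" is the key
     * named in the TODO quoted in the thread; its wiring to zoo.cfg is assumed.
     */
    static String selectByLoginType(Subject subject, String configuredAuthMech) {
        if (configuredAuthMech != null && !configuredAuthMech.isEmpty()) {
            return configuredAuthMech;
        }
        boolean kerberosPrincipal = !subject.getPrincipals(KerberosPrincipal.class).isEmpty();
        boolean unboundKeyTab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
        return (kerberosPrincipal || unboundKeyTab) ? GSSAPI : DIGEST_MD5;
    }

    /** Constructed stand-in for the Subject a login with an explicit principal yields. */
    static Subject boundKerberosSubject() {
        Subject s = new Subject();
        s.getPrincipals().add(new KerberosPrincipal("zookeeper/zk1.example.com@EXAMPLE.COM"));
        return s;
    }

    /** Constructed stand-in for the Subject a principal="*" login yields: keytab, no principal. */
    static Subject wildcardKerberosSubject() {
        Subject s = new Subject();
        // Only the KeyTab object is created; the default keytab file is never read here.
        s.getPrivateCredentials().add(KeyTab.getUnboundInstance());
        return s;
    }

    /** Constructed stand-in for a DigestLoginModule Subject: no Kerberos artefacts at all. */
    static Subject digestSubject() {
        return new Subject();
    }

    private static void report(String label, Subject subject, String authMech) {
        System.out.printf("%-32s principal-list check: %-10s login-type check: %s%n",
                label, selectByPrincipalList(subject), selectByLoginType(subject, authMech));
    }

    public static void main(String[] args) {
        report("explicit principal", boundKerberosSubject(), null);
        report("principal=\"*\"", wildcardKerberosSubject(), null);
        report("digest login", digestSubject(), null);
        report("principal=\"*\", authMech=GSSAPI", wildcardKerberosSubject(), GSSAPI);
    }
}
```

Compile and run with `javac SaslMechanismSelection.java && java SaslMechanismSelection`. The constructed wildcard Subject is routed to DIGEST-MD5 by the principal-list check and to GSSAPI by the login-type check, which is the discrepancy the thread is about; the digest-only Subject is routed to DIGEST-MD5 by both, so the second check does not break the existing DigestLoginModule case. The practical caveat is that an authentication mechanism chosen by implicit fallback is easy to misconfigure without noticing, and DIGEST-MD5 in particular was moved to Historic status by RFC 6331, so making the mechanism an explicit setting (as the quoted TODO suggests) is preferable to inferring it.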