[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15096681#comment-15096681 ]
Chris Nauroth commented on ZOOKEEPER-1045:
------------------------------------------

Regarding the QOP settings, use of auth-int (integrity checking to guard against man-in-the-middle tampering) or auth-conf (encryption to prevent man-in-the-middle reading data) requires wrapping and unwrapping the data exchanged between client and server so that the SASL code is given an opportunity to inspect the data, either to validate it hasn't been tampered with or to encrypt/decrypt. This is accomplished by passing the stream data through a couple of special methods in the SASL API.

http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslClient.html#unwrap(byte[],%20int,%20int)
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslClient.html#wrap(byte[],%20int,%20int)
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslServer.html#unwrap(byte[],%20int,%20int)
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslServer.html#wrap(byte[],%20int,%20int)

This means that supporting auth-int or auth-conf would require more coding work for us compared to just plain auth. I haven't looked at this specific patch to see if it tried to do this. The last time I considered supporting the full range of QOP settings, it looked like it was going to be a very intrusive change to the existing ZooKeeper codebase. I was looking at the client-server connection though, not the quorum peer connections.

In Hadoop, we implement this with special subclasses of {{InputStream}} and {{OutputStream}} that do the SASL {{wrap}}/{{unwrap}} calls internally and then delegate to another underlying stream. This has proven to be a pretty elegant design, because it encapsulates the SASL wrapping and unwrapping from the rest of the Hadoop codebase. The rest of the code doesn't need to worry about whether auth or auth-int or auth-conf is in effect. It just reads from/writes to streams.
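The stream-wrapper design described in the comment above, as an added illustration that is not Hadoop's or ZooKeeper's code: the class names, the 4-byte length framing of each SASL token and the frame-size bound are assumptions. It shows the client side with {{SaslClient}}; the server side is symmetric with {{SaslServer}}, whose {{wrap}}/{{unwrap}} take the same arguments.

```java
import java.io.*;
import javax.security.sasl.SaslClient;

// Hypothetical wrapper streams (added example; not Hadoop's or ZooKeeper's code).
// Use only after SASL negotiation completes with QOP auth-int or auth-conf. Each
// wrap() token is framed as a 4-byte length plus bytes so the peer unwraps exactly
// the bytes that were wrapped together; tampering makes unwrap() throw SaslException.
public final class SaslStreams {
    // Receiver-side sanity bound, checked before allocating; must cover the
    // mechanism's negotiated maximum buffer size.
    static final int MAX_FRAME = 64 * 1024;

    public static final class SaslOutputStream extends OutputStream {
        private final SaslClient sasl;
        private final DataOutputStream out;
        private final ByteArrayOutputStream pending = new ByteArrayOutputStream();
        public SaslOutputStream(SaslClient sasl, OutputStream underlying) {
            this.sasl = sasl; this.out = new DataOutputStream(underlying);
        }
        @Override public void write(int b) { pending.write(b); }
        @Override public void write(byte[] b, int off, int len) { pending.write(b, off, len); }
        // Wrap everything buffered since the last flush into one token and send it.
        @Override public void flush() throws IOException {
            if (pending.size() > 0) {
                byte[] plain = pending.toByteArray(); pending.reset();
                byte[] token = sasl.wrap(plain, 0, plain.length);
                out.writeInt(token.length); out.write(token);
            }
            out.flush();
        }
    }

    public static final class SaslInputStream extends InputStream {
        private final SaslClient sasl;
        private final DataInputStream in;
        private byte[] buf = new byte[0]; private int pos = 0;
        public SaslInputStream(SaslClient sasl, InputStream underlying) {
            this.sasl = sasl; this.in = new DataInputStream(underlying);
        }
        // Read the next framed token and unwrap it; returns false at clean EOF.
        private boolean refill() throws IOException {
            int len;
            try { len = in.readInt(); } catch (EOFException eof) { return false; }
            if (len < 0 || len > MAX_FRAME) throw new IOException("bad SASL frame length " + len);
            byte[] token = new byte[len]; in.readFully(token);
            buf = sasl.unwrap(token, 0, len); pos = 0;
            return true;
        }
        @Override public int read() throws IOException {
            while (pos >= buf.length) { if (!refill()) return -1; }
            return buf[pos++] & 0xff;
        }
    }
}
```

Code on either side then reads and writes these streams as usual, so the integrity or confidentiality check happens transparently on every flush and every refill.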
> Quorum Peer mutual authentication
> ---------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>         Attachments: ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)