[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15355797#comment-15355797
]
Patrick Hunt commented on ZOOKEEPER-1045:
-----------------------------------------
I was thinking through the QuorumServer/QuorumLearner question I asked a bit
more today, reviewing more of the patch from this perspective, and I realized
that while we are doing authentication, we don't seem to be doing
authorization. I don't see it mentioned in this JIRA, but I believe that we
need to address both authn and authz with this patch. I suspect the original
intent was to do both, even though the subject mentions authn only. The reason
I feel so is that if we don't do authz then anyone with valid kerberos
credentials, regardless of the principal, can authenticate and operate as a member
of the quorum. Do I have that right? From what I can tell in the code, with the
patch applied, we are just authenticating, and not validating that the
principal has rights to operate as a quorum member.
Here's this code in SaslServerCallbackHandler for example:
{noformat}
private void handleAuthorizeCallback(AuthorizeCallback ac) {
    String authenticationID = ac.getAuthenticationID();
    String authorizationID = ac.getAuthorizationID();
    LOG.info("Successfully authenticated client: authenticationID=" +
            authenticationID
            + "; authorizationID=" + authorizationID + ".");
    // Authorizes unconditionally: no check that the principal may act as a quorum peer.
    ac.setAuthorized(true);
}
{noformat}
Am I reading this right or are we indeed doing authz somewhere?
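One way the authorize callback could enforce authz, as an added example that is not part of the patch or of ZooKeeper's own code: it accepts a peer only when the authenticated principal is on an allowlist of quorum server principals and is not trying to act as a different identity. The class name, the allowlist and the sample principals are assumptions constructed for illustration.

```java
import java.util.Set;
import java.util.logging.Logger;
import javax.security.sasl.AuthorizeCallback;

/** Hypothetical authorizer for SASL quorum peer connections (example, not ZooKeeper code). */
public class QuorumPeerAuthorizer {
    private static final Logger LOG = Logger.getLogger(QuorumPeerAuthorizer.class.getName());

    // Full Kerberos principals allowed to act as quorum members. In a real deployment this
    // would come from configuration; here it is a constructed sample.
    private final Set<String> allowedPrincipals;

    public QuorumPeerAuthorizer(Set<String> allowedPrincipals) {
        this.allowedPrincipals = allowedPrincipals;
    }

    /** Returns true only if the authenticated principal may operate as a quorum peer. */
    public boolean isAuthorized(String authenticationID, String authorizationID) {
        if (authenticationID == null || authorizationID == null) {
            return false;
        }
        // A peer must not request to act as an identity other than the one it authenticated as.
        if (!authenticationID.equals(authorizationID)) {
            LOG.warning("Rejecting peer: authenticationID=" + authenticationID
                    + " requested authorizationID=" + authorizationID);
            return false;
        }
        // Authentication alone is not enough: the principal must be a known quorum server.
        if (!allowedPrincipals.contains(authenticationID)) {
            LOG.warning("Rejecting peer: principal " + authenticationID
                    + " is not an allowed quorum server principal");
            return false;
        }
        return true;
    }

    /** Drop-in shape for a SASL server callback handler's authorize step. */
    public void handleAuthorizeCallback(AuthorizeCallback ac) {
        boolean ok = isAuthorized(ac.getAuthenticationID(), ac.getAuthorizationID());
        if (ok) {
            LOG.info("Authorized quorum peer: " + ac.getAuthenticationID());
        }
        ac.setAuthorized(ok);
    }

    public static void main(String[] args) {
        QuorumPeerAuthorizer auth = new QuorumPeerAuthorizer(Set.of(
                "zookeeper/zk1.example.com@EXAMPLE.COM",
                "zookeeper/zk2.example.com@EXAMPLE.COM"));
        System.out.println(auth.isAuthorized("zookeeper/zk1.example.com@EXAMPLE.COM",
                "zookeeper/zk1.example.com@EXAMPLE.COM"));
        System.out.println(auth.isAuthorized("alice@EXAMPLE.COM", "alice@EXAMPLE.COM"));
    }
}
```

The second call in `main` shows the case Patrick describes: a valid Kerberos principal that is not a quorum server is authenticated but must still be refused.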
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.9, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip,
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)