[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15491138#comment-15491138 ]

Rakesh R edited comment on ZOOKEEPER-1045 at 9/14/16 6:32 PM:
--------------------------------------------------------------

Thanks a lot [~phunt], [~shralex], [~hanm] for the discussions and suggestions. 
I've tried an initial attempt to do the authorization using the hostnames from 
{{zoo.cfg}}. Kindly review and let me know the feedback. To keep the 
implementation simple, this patch expects the FQDN to be configured in the 
zoo.cfg. Later this could be enhanced by supporting IP address/hostname and 
could use the approach in the patch {{HOST_RESOLVER-ZK-1045.patch}}.

bq. 2. in 3.4, create a separate file for the auth list, and link it from 
zoo.cfg, similarly to the way I link the dynamic config file from zoo.cfg. 
This will make updating the file easier in 3.5 (see below).
As an initial attempt I've used the zoo.cfg based approach for the authorized 
hosts. I agree we could enhance this using a separate file for the auth list or 
a znode approach etc. How about pushing this patch first, and later we could discuss 
and implement a solution through another jira.

bq. 3. In 3.5 support dynamic addition/removal of permissions (this may be very 
similar to dynamic reconfig): store the auth list in a znode, 
create a new command for addition/removal/query from the auth list. Whenever 
the auth list is updated, also update the on-disk auth file.
I have plans to raise a separate jira for forward porting the solution. I will 
make a note of these points and will consider them while implementing the same.


> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 
> 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch, 
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt, 
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045-00.patch, 
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
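As an added illustration of the zoo.cfg-based peer authorization the comment above describes: read the `server.N` entries, require each configured host to be a fully qualified name, and accept a SASL-authenticated peer only if the host in its identity is one of those entries. This is example Python written for this page, not the ZooKeeper patch attached to the ticket; the sample configuration, the `zookeeper/host@REALM` principal shape and all function names are assumptions.

```python
import ipaddress
import re
from typing import Dict, Set

# Constructed sample zoo.cfg (hostnames are placeholders, not from the ticket).
SAMPLE_ZOO_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
# quorum members: server.<id>=<host>:<peerPort>:<electionPort>[:role]
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888:observer
"""

SERVER_KEY = re.compile(r"^server\.(\d+)$")
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_quorum_hosts(cfg_text: str) -> Dict[int, str]:
    """Return {server_id: host} for every server.N line in a zoo.cfg text."""
    hosts: Dict[int, str] = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = SERVER_KEY.match(key.strip())
        if not sep or not match:
            continue
        # The host is everything before the first ':' (ports and role follow it).
        hosts[int(match.group(1))] = value.strip().split(":")[0]
    return hosts


def is_fqdn(host: str) -> bool:
    """True when host is a dotted DNS name (at least two valid labels), not an IP."""
    try:
        ipaddress.ip_address(host)
        return False  # literal IP addresses are not accepted by this policy
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def authorized_hosts(cfg_text: str) -> Set[str]:
    """Build the allow-list of peer hostnames, failing fast on non-FQDN entries.

    Failing at load time mirrors the precondition the comment states: the
    patch expects FQDNs in zoo.cfg, so a bare name or IP is a config error,
    not something to silently skip.
    """
    allowed: Set[str] = set()
    for sid, host in parse_quorum_hosts(cfg_text).items():
        if not is_fqdn(host):
            raise ValueError(f"server.{sid}: '{host}' is not a fully qualified hostname")
        allowed.add(host.rstrip(".").lower())
    return allowed


def host_from_principal(principal: str) -> str:
    """Extract the host part of a Kerberos service principal 'svc/host@REALM'."""
    name = principal.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) != 2 or not parts[1]:
        raise ValueError(f"principal '{principal}' carries no host component")
    return parts[1].rstrip(".").lower()


def is_authorized_peer(principal: str, allowed: Set[str]) -> bool:
    """Authorize an already SASL-authenticated peer by its principal's host.

    This is only the authorization step: it assumes the SASL layer has
    already verified that the peer really holds the credential for
    `principal`. Anything malformed is rejected rather than guessed at.
    """
    try:
        return host_from_principal(principal) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    allow = authorized_hosts(SAMPLE_ZOO_CFG)
    for p in ("zookeeper/zk2.example.com@EXAMPLE.COM",
              "zookeeper/other.example.com@EXAMPLE.COM"):
        print(p, "->", "authorized" if is_authorized_peer(p, allow) else "rejected")
```

The comparison is case-insensitive and strips a trailing dot, since DNS names are case-insensitive and a Kerberos principal may be canonicalized differently from the string typed into zoo.cfg; without that normalization a legitimate peer would be rejected and an operator would be tempted to loosen the check. Note also that this only matches the host component of the identity the SASL layer vouches for; it does nothing to establish that identity, so it belongs after SASL authentication succeeds, never in place of it.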



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)