[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15491138#comment-15491138 ]
Rakesh R commented on ZOOKEEPER-1045:
-------------------------------------

Thanks a lot [~phunt], [~shralex], [~hanm] for the discussions and suggestions.

I've tried an initial attempt to do the authorization using the hostnames from {{zoo.cfg}}. Kindly review and let me know the feedback. To keep the implementation simple, this patch expects fqdn should be configured in the zoo.cfg. Later this could be enhanced by supporting ipaddress/hostname and could use the approach in the patch {{HOST_RESOLVER-ZK-1045.patch}}.

bq. 2. in 3.4, create a separate file for the auth list, and link it from zoo.cfg, similarly to the way I link the dynamic config file from zoo.cfg. This will make updating the file easier in 3.5 (see below).

As an initial attempt I've used the zoo.cfg based approach for the authorized hosts. I agree we could enhance this using a separate file for the auth list or a znode approach etc. How about pushing this patch first, and later we could discuss and implement the solution through another jira?

bq. 3. In 3.5 support dynamic addition/removal of permissions (this may be very similar to dynamic reconfig): store the auth list in a znode, create a new command for addition/removal/query from the auth list. Whenever the auth list is updated, also update the on-disk auth file.

I've plans to raise a separate jira for forward porting the solution through another jira. I will make a note of these points and will consider them while implementing the same.

> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch,
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045-00.patch,
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
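
The hostname-based authorization discussed in the comment above, as an added sketch that is not code from the attached patch or from ZooKeeper: it builds an allow-list from the `server.N` entries of a zoo.cfg and checks the host part of an authenticated peer principal against it. The class name, the `service/host@REALM` principal form, the `zkquorum` service name and all sample hosts are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

public class QuorumHostAuthzExample {
    // Collect the host field of every "server.N=host:port:port" line in zoo.cfg.
    static Set<String> authorizedHosts(String zooCfg) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(zooCfg));
        Set<String> hosts = new HashSet<>();
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith("server.")) {
                String host = props.getProperty(key).split(":")[0].trim();
                hosts.add(host.toLowerCase(Locale.ROOT));
            }
        }
        return hosts;
    }

    // Assumed principal form: service/host@REALM. Anything else is denied.
    static boolean isAuthorized(String principal, Set<String> hosts) {
        int slash = principal.indexOf('/');
        int at = principal.lastIndexOf('@');
        if (slash < 1 || at <= slash + 1) {
            return false; // no host component to compare against the server list
        }
        String host = principal.substring(slash + 1, at).toLowerCase(Locale.ROOT);
        return hosts.contains(host);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample config: server.3 is listed by IP address, not FQDN.
        String zooCfg = "tickTime=2000\n"
                + "server.1=zk1.example.com:2888:3888\n"
                + "server.2=zk2.example.com:2888:3888\n"
                + "server.3=192.0.2.13:2888:3888\n";
        Set<String> hosts = authorizedHosts(zooCfg);
        String[] principals = { // constructed sample principals
            "zkquorum/zk1.example.com@EXAMPLE.COM",   // FQDN present in zoo.cfg
            "zkquorum/zk3.example.com@EXAMPLE.COM",   // peer listed by IP only
            "zkquorum/other.example.com@EXAMPLE.COM", // not a quorum member
            "zkquorum@EXAMPLE.COM"                    // no host component
        };
        for (String p : principals) {
            System.out.println(p + " -> " + (isAuthorized(p, hosts) ? "allow" : "deny"));
        }
    }
}
```

The second principal is denied because its server entry carries an IP address, which is the case the comment's FQDN requirement is meant to avoid.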