We implemented an external certificate-based Authorization system at Facebook that I began to open source before I left the company in Sept. I haven't made time to work to get this ready for a PR, but the work was pretty mature and battle tested within Facebook's certificate / trust-store infrastructure. The branch is here https://github.com/stickyhipp/zookeeper/tree/ZOOKEEPER-3918. And the Jira https://issues.apache.org/jira/browse/ZOOKEEPER-3918
On Fri, Nov 6, 2020 at 11:42 AM Anup Ghatage <ghat...@gmail.com> wrote:
> Hello,
>
> Recently I worked on a feature in Apache Bookkeeper where we introduced
> role-based authorization based on client certificates and I think the
> Zookeeper community could use it too.
> I wanted to socialize the idea with the community to gauge its
> receptivity for this and contribute if you folks think it's worthwhile.
>
> The general idea is:
> * Inject service name / role in client certificate while generating
> certificates for given service.
> * Add code to read user configured 'services / roles' from config file
> while bringing up ZK server.
> * When a client makes a connection, as a part of the TLS handshake,
> read, verify and authorize client certificate and match it with what has
> been configured for the server.
>
> More details about this proposal can be found in this document that I wrote
> for the Bookkeeper community here
> <https://docs.google.com/document/d/15atmnl3pS4HrhQ6fV-gSY7faIVlmU91KoApBaXPjEfg/edit?usp=sharing>.
>
> Regards,
> Anup
>
> --
> Anup Ghatage
> www.ghatage.com
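The three steps quoted above (a role baked into the client certificate, a configured set of roles on the server, and verify-then-match during the TLS handshake) as a runnable example added here. It is not code from this thread, from Bookkeeper, or from either ZooKeeper branch; it is written in Go because the standard library carries the X.509 and mutual-TLS pieces needed to show the whole exchange offline. Everything it fixes that the thread leaves open is an assumption: the role is carried in the client certificate's single subject OU, the server's configured roles are a plain set, and the names (`authorizeRole`, `issue`, `handshake`, `scenario`, the CA names `root-ca` and `rogue-ca`, the roles `bookkeeper`, `broker`, `batchjob`) are illustrative. The one check a practitioner should insist on is that the role is read only from the leaf of a chain the TLS layer has already verified against the server's trust store; the `rogue-ca` case exercises exactly that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// authorizeRole builds a tls.Config.VerifyPeerCertificate hook. It reads the role only from
// the leaf of a chain TLS has already verified against ClientCAs; reading it from rawCerts
// would let anyone self-sign a certificate claiming any role. Assumed layout: single subject OU.
func authorizeRole(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 {
			return errors.New("no verified client certificate chain")
		}
		ou := chains[0][0].Subject.OrganizationalUnit
		if len(ou) != 1 || !allowed[ou[0]] {
			return fmt.Errorf("client OU %v is not a role configured on this server", ou)
		}
		return nil
	}
}

func must[T any](v T, err error) T { // demo helper: local key/cert generation does not fail in practice
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate carrying role in the subject OU;
// parent == nil yields a self-signed CA usable as a trust-store root.
func issue(role string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: role, OrganizationalUnit: []string{role}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the client verify the server over loopback
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one mutual-TLS handshake over loopback TCP and returns the server's verdict.
// Under TLS 1.3 the client can finish its side before the server has judged the client
// certificate, so the client's Dial result is not the one to check.
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	return tls.Server(conn, srvCfg).Handshake()
}

// scenario stands up root-ca, a server certificate and a client certificate carrying clientRole,
// then reports whether the server admits the client. trusted=false signs the client certificate
// with an unrelated CA: a correct role string is worthless without a chain rooted in the trust store.
func scenario(allowed map[string]bool, clientRole string, trusted bool) error {
	ca, caKey := issue("root-ca", nil, nil)
	srv, srvKey := issue("zookeeper", ca, caKey)
	issuer, issuerKey := ca, caKey
	if !trusted {
		issuer, issuerKey = issue("rogue-ca", nil, nil)
	}
	cli, cliKey := issue(clientRole, issuer, issuerKey)
	pool := x509.NewCertPool() // the server's trust store holds only root-ca
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates:          []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:            tls.RequireAndVerifyClientCert, // chain checked against ClientCAs first...
		ClientCAs:             pool,
		VerifyPeerCertificate: authorizeRole(allowed), // ...then the configured role policy
	}
	cliCfg := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}}
	return handshake(srvCfg, cliCfg)
}
```

With `allowed` set to `{bookkeeper, broker}`, `scenario(allowed, "bookkeeper", true)` returns nil, `scenario(allowed, "batchjob", true)` fails inside the hook on the role policy, and `scenario(allowed, "bookkeeper", false)` fails in chain verification before the hook ever runs. That ordering is the design point: `ClientAuth: RequireAndVerifyClientCert` plus `ClientCAs` decides who may speak at all, and the OU policy only refines that; whoever controls the CAs in the trust store therefore also controls which roles can be minted, which is what makes the issuance step of the proposal part of the security boundary.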