[
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andor Molnar resolved ZOOKEEPER-4753.
-------------------------------------
Resolution: Fixed
> Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
> --------------------------------------------------------
>
> Key: ZOOKEEPER-4753
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.9.0
> Reporter: Damien Diederen
> Assignee: Damien Diederen
> Priority: Major
> Fix For: 3.7.2, 3.8.3, 3.9.1
>
>
> The SASL-based quorum authorizer does not explicitly distinguish between the
> DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}}
> and {{PasswordCallback}} for authentication with the former and examining
> Kerberos principals in {{AuthorizeCallback}} for the latter.
>
> It turns out that some SASL/DIGEST-MD5 configurations cause authentication
> and authorization IDs not to match the expected format, and the
> DIGEST-MD5-based portions of the quorum test suite to fail with obscure
> errors. (They can be traced to failures to join the quorum, but only by
> looking into detailed logs.)
>
> We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is
> used, and relax the authentication ID check for the former. As a cleanup, we
> can keep the password-based credential map empty when Kerberos principals are
> expected. Finally, we can adapt tests to ensure "weirdly-shaped" credentials
> only cause authentication failures in the GSSAPI case.
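One way a server-side SASL callback handler could make the mechanism distinction described in the issue, as an added example that is not ZooKeeper's own code. The class name, the `digestModule` parameter, the `user_<name>` option layout and the `service/host@REALM` principal check are assumptions made for illustration.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.*;

// Hypothetical handler (not ZooKeeper's class); names and option layout are assumptions.
public class MechanismAwareQuorumHandler implements CallbackHandler {
    private final boolean digest;                 // true only if every JAAS entry is the digest module
    private final Map<String, String> passwords = new HashMap<>();
    private final Set<String> authorizedHosts;
    private String user;

    public MechanismAwareQuorumHandler(AppConfigurationEntry[] entries, String digestModule, Set<String> hosts) {
        boolean allDigest = entries.length > 0;
        for (AppConfigurationEntry e : entries) {
            if (!digestModule.equals(e.getLoginModuleName())) { allDigest = false; continue; }
            // Assumed convention: option "user_<name>" carries that user's password.
            e.getOptions().forEach((k, v) -> {
                if (k.startsWith("user_")) passwords.put(k.substring(5), String.valueOf(v));
            });
        }
        this.digest = allDigest;
        if (!digest) passwords.clear();           // Kerberos expected: keep no password credentials
        this.authorizedHosts = hosts;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                user = ((NameCallback) cb).getDefaultName();
            } else if (cb instanceof PasswordCallback) {
                String pw = passwords.get(user);  // unknown user: no password set, authentication fails
                if (pw != null) ((PasswordCallback) cb).setPassword(pw.toCharArray());
            } else if (cb instanceof AuthorizeCallback) {
                authorize((AuthorizeCallback) cb);
            } else if (!(cb instanceof RealmCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    private void authorize(AuthorizeCallback ac) {
        String authn = ac.getAuthenticationID(), authz = ac.getAuthorizationID();
        boolean ok = authn != null && authn.equals(authz);
        if (ok && !digest) {                      // GSSAPI only: require service/host@REALM shape
            String[] parts = authn.split("[/@]");
            ok = parts.length == 3 && authorizedHosts.contains(parts[1]);
        }
        ac.setAuthorized(ok);                     // DIGEST-MD5: ID shape is not checked
    }
}
```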