mannoopj opened a new pull request, #2089: URL: https://github.com/apache/zookeeper/pull/2089
[ZOOKEEPER-4753](https://issues.apache.org/jira/browse/ZOOKEEPER-4753): [zookeeper-server](https://issues.apache.org/jira/browse/ZOOKEEPER-server): Improvement: Explicit handling of D… …IGEST-MD5 vs GSSAPI in quorum auth Before this, the SASL-based quorum authorizer did not explicitly distinguish between the DIGEST-MD5 and GSSAPI mechanisms: it was simply relying on NameCallback and PasswordCallback for authentication with the former and examining Kerberos principals in AuthorizeCallback for the latter. It turns out that some SASL/DIGEST-MD5 configurations cause authentication and authorization IDs not to match the expected format, and the DIGEST-MD5-based portions of the quorum test suite to fail with obscure errors. (They can be traced to failures to join the quorum, but only by looking into detailed logs.) This patch uses the login module name to determine whether DIGEST-MD5 or GSSAPI is used, and relaxes the authentication ID check for the former. As a cleanup, it keeps the password-based credential map empty when Kerberos principals are expected. It finally adapts a test, and adds a new one, ensuring "weirdly-shaped" credentials only cause authentication failures in the GSSAPI case. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
