IMO, adding QOP to 3.4 would be a fairly large and invasive change, which is something which shouldn't be done on the stable branch.
-Ivan

On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <[email protected]> wrote:

> Not in the 3.4 branch, which is the latest stable branch at the moment.
>
> -Flavio
>
> > On 09 Oct 2015, at 15:00, Ivan Kelly <[email protected]> wrote:
> >
> > Is auth-int necessary if we have SSL on the client (as there is in trunk)?
> > My understanding is that all comms would have to be wrapped by sasl if you
> > have QOP enabled.
> >
> > -Ivan
> >
> > On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <[email protected]> wrote:
> >
> >> Hi Chris,
> >>
> >> Yeah, I was thinking along the same lines, so sounds like a plan. I know
> >> Raul is going to hate me for this, but I'd really like to have this in
> >> 3.4.7. It sounds like a simple enough change that we can have in shortly,
> >> does it sound right?
> >>
> >> Please go ahead with the jira if you have time, and if you don't have time
> >> to work on the patch, just assign it to me.
> >>
> >> -Flavio
> >>
> >>> On 08 Oct 2015, at 23:16, Chris Nauroth <[email protected]> wrote:
> >>>
> >>> Hi Flavio,
> >>>
> >>> It appears that the current code doesn't give us any way to control the
> >>> QOP, so it must be always using the default QOP of "auth" (authentication
> >>> only). This is because the calls to Sasl#createSaslClient and
> >>> Sasl#createSaslServer pass a hard-coded null for the properties map.
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L240
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L288
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L118
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L144
> >>>
> >>> If we want to support setting QOP to "auth-int" (authentication +
> >>> integrity/man-in-the-middle tampering protection) or "auth-conf"
> >>> (authentication + integrity + confidentiality/encryption), then I think
> >>> we'll need to make code changes to read a new QOP configuration property,
> >>> put it into a Map using Sasl#QOP as the key, and then pass it along to the
> >>> Sasl#createSaslClient and Sasl#createSaslServer calls.
> >>>
> >>> Is this what you need? If so, then I'd be happy to write up the proposal
> >>> in a new JIRA. I didn't find any existing open JIRAs that look relevant.
> >>>
> >>> --Chris Nauroth
> >>>
> >>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <[email protected]> wrote:
> >>>
> >>>> Has anyone tried to use the QOP (Quality of Protection) property for SASL
> >>>> when running ZooKeeper?
> >>>>
> >>>> -Flavio
