Ok, got it, but it sounds like we can just wrap and unwrap the bytes we are sending, no? Do you think that will end up being a lot of changes?
-Flavio > On 09 Oct 2015, at 15:38, Ivan Kelly <[email protected]> wrote: > > To protect the integrity of each packet, each packet needs to be wrapped by > SaslClient/SaslServer (see wrap/unwrap in > http://docs.oracle.com/javase/8/docs/api/javax/security/sasl/SaslClient.html). > Currently sasl is only used to initialize the connection, and then we send > over the raw socket. This changes the lifetime of the sasl components, as > it needs to be used with all communication. It's not like SSL, where we > negotiate SSL at the start and then the SSL engine provides a socket which > we use to send data. > > -Ivan > > On Fri, Oct 9, 2015 at 4:33 PM Flavio Junqueira <[email protected]> wrote: > >> I'm not sure based on what you say that it'd be invasive. Enabling >> different types of QOP seems to be relatively straightforward, unless I'm >> missing something here. Chris did a good job describing what needs to be >> done, and this far I have the same understanding of the changes. >> >> -Flavio >> >>> On 09 Oct 2015, at 15:30, Ivan Kelly <[email protected]> wrote: >>> >>> IMO, adding QOP to 3.4 would be a fairly large and invasive change, which >>> is something which shouldn't be done on the stable branch. >>> >>> -Ivan >>> >>> On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <[email protected]> wrote: >>> >>>> Not in the 3.4 branch, which is the latest stable branch at the moment. >>>> >>>> -Flavio >>>> >>>>> On 09 Oct 2015, at 15:00, Ivan Kelly <[email protected]> wrote: >>>>> >>>>> Is auth-int necessary if we have SSL on the client (as there is in >>>> trunk)? >>>>> My understanding is that all comms would have to be wrapped by sasl if >>>> you >>>>> have QOP enabled. >>>>> >>>>> -Ivan >>>>> >>>>> On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <[email protected]> >> wrote: >>>>> >>>>>> Hi Chris, >>>>>> >>>>>> Yeah, I was thinking along the same lines, so sounds like a plan. I >> know >>>>>> Raul is going to hate me for this, but I'd really like to have this in >>>>>> 3.4.7. It sounds like a simple enough change that we can have in >>>> shortly, >>>>>> does it sound right? >>>>>> >>>>>> Please go ahead with the jira if you have time, and if you don't have >>>> time >>>>>> to work on the patch, just assign it to me. >>>>>> >>>>>> -Flavio >>>>>> >>>>>> >>>>>>> On 08 Oct 2015, at 23:16, Chris Nauroth <[email protected]> >>>>>> wrote: >>>>>>> >>>>>>> Hi Flavio, >>>>>>> >>>>>>> It appears that the current code doesn't give us any way to control >> the >>>>>>> QOP, so it must be always using the default QOP of "auth" >>>> (authentication >>>>>>> only). This is because the calls to Sasl#createSaslClient and >>>>>>> Sasl#createSaslServer pass a hard-coded null for the properties map. >>>>>>> >>>>>>> >>>>>> >>>> >> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo >>>>>>> keeper/client/ZooKeeperSaslClient.java#L240 >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>> >> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo >>>>>>> keeper/client/ZooKeeperSaslClient.java#L288 >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>> >> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo >>>>>>> keeper/server/ZooKeeperSaslServer.java#L118 >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>> >> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo >>>>>>> keeper/server/ZooKeeperSaslServer.java#L144 >>>>>>> >>>>>>> >>>>>>> If we want to support setting QOP to "auth-int" (authentication + >>>>>>> integrity/man-in-the-middle tampering protection) or "auth-conf" >>>>>>> (authentication + integrity + confidentiality/encryption), then I >> think >>>>>>> we'll need to make code changes to read a new QOP configuration >>>> property, >>>>>>> put it into a Map using Sasl#QOP as the key, and then pass it along >> to >>>>>> the >>>>>>> Sasl#createSaslClient and Sasl#createSaslServer calls. >>>>>>> >>>>>>> Is this what you need? If so, then I'd be happy to write up the >>>> proposal >>>>>>> in a new JIRA. I didn't find any existing open JIRAs that look >>>> relevant. >>>>>>> >>>>>>> --Chris Nauroth >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <[email protected]> wrote: >>>>>>> >>>>>>>> Has anyone tried to use the QOP (Quality of Protection) property for >>>>>> SASL >>>>>>>> when running ZooKeeper? >>>>>>>> >>>>>>>> -Flavio >>>>>>> >>>>>> >>>>>> >>>> >>>> >> >>
