[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354599#comment-15354599 ]

Michael Han commented on ZOOKEEPER-1045:
----------------------------------------

Hey [~rakeshr], I am thinking about upgrade / compatibility test scenarios and 
IIUC, the existing SASL based ZK client to ZK server authentication and the new 
SASL based ZK server to server authentication are orthogonal in terms of JAAS 
configuration settings: e.g. there are existing (default) login contexts like 
'Client' and 'Server' for ZK client to server auth, and the new (default) login 
contexts like 'QuorumLearner/Server' are for server to server auth. So, a client 
which already uses the SASL client-to-server auth and upgrades from old 3.4 
would not have to change any existing configuration settings for 
client-to-server auth to continue working. Later, when the client wants to 
enable server SASL based auth, they just need to add Quorum* login contexts to 
their JAAS config file without impacting any of the existing functionality, 
correct? 

Overall I am trying to identify if there is a case where this patch might 
include any backward compatibility breaking changes even in cases where the 
feature is included but not enabled. From what I have read of the code so far, 
we seem to be fully backward compatible in that after applying the patch what 
worked will continue working without any config changes (assuming the SASL 
server-server feature is off by default), so we are good. Can you please double 
check and confirm this?

> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.9, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip, 
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
