[
https://issues.apache.org/jira/browse/ZOOKEEPER-2454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354984#comment-15354984
]
Arshad Mohammad commented on ZOOKEEPER-2454:
--------------------------------------------
Before proceeding, we should first clearly define what a user is in
ZooKeeper through the API.
If this solution is only for Kerberos authentication then it is not required;
otherwise it is a must.
The org.apache.zookeeper.data.Id class is used to store the scheme and id.
{code}
public Id(
    String scheme,
    String id)
{code}
The id field holds only the user in most cases, but in some cases it holds the user as well
as the password.
By default there are only four authentication providers:
DigestAuthenticationProvider
IPAuthenticationProvider
SASLAuthenticationProvider
X509AuthenticationProvider
In code we can check if the scheme is digest, then {{id.split(":")\[0\]}} is the user,
otherwise id is the user. This will work only if we are limited to the above four
authentication providers.
But custom authentication providers are very important and are very commonly
used. How will the ZooKeeper code know what the user is: is it id or
{{id.split(":")\[0\]}} or anything else?
So there is a need to add a new API, which AuthenticationProvider
implementations implement to define what the user is.
For example, DigestAuthenticationProvider will implement it as
{code}
@Override
public String getUserName(String id) {
    return id.split(":")[0];
}
{code}
SASLAuthenticationProvider will implement it as
{code}
@Override
public String getUserName(String id) {
    return id;
}
{code}
CustomAuthenticationProvider will implement it as
{code}
@Override
public String getUserName(String id) {
    // Some logic and then return user
    return user;
}
{code}
This is how the ZooKeeper code will get the user for any authentication scheme:
{code}
// request is the org.apache.zookeeper.server.Request being processed;
// its authInfo field holds the authenticated Ids.
for (Id id : request.authInfo) {
    AuthenticationProvider authProvider =
        ProviderRegistry.getProvider(id.getScheme());
    String user = authProvider.getUserName(id.getId());
}
{code}
> Limit Connection Count based on User
> ------------------------------------
>
> Key: ZOOKEEPER-2454
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2454
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Botond Hejj
> Assignee: Botond Hejj
> Priority: Minor
> Attachments: ZOOKEEPER-2454-br-3-4.patch, ZOOKEEPER-2454.patch
>
>
> ZooKeeper currently can limit connection count from clients coming from the
> same IP. It is a great feature to stop malfunctioning clients DOS-ing the server
> with many requests.
> I propose additional safeguards for ZooKeeper.
> It would be great if optionally connection count could be limited for a
> specific user or a specific user on an IP.
> This is great in cases where a ZooKeeper ensemble is shared by multiple users
> and these users share the same client IPs. This can be common in container-based
> cloud deployments where the external IP of multiple clients can be the same.
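
The per-scheme user lookup proposed in the comment above, applied to the per-user connection limit the issue asks for, as an added example that is not part of the original comment or of ZooKeeper's code. The class name, the resolver map standing in for ProviderRegistry, the limit value, the scheme-prefixed counting key and the sample ids are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.UnaryOperator;

public class PerUserLimitDemo {
    // Hypothetical stand-in for ProviderRegistry: scheme -> getUserName(id) logic.
    static final Map<String, UnaryOperator<String>> USER_NAME_BY_SCHEME = Map.of(
        "digest", id -> id.split(":")[0],   // id holds the user plus secret material
        "sasl",   id -> id);                // id is already the user

    private final int maxPerUser;           // hypothetical limit setting
    private final Map<String, Integer> open = new ConcurrentHashMap<>();

    PerUserLimitDemo(int maxPerUser) { this.maxPerUser = maxPerUser; }

    // Resolve the counting key. Assumption: schemes without a resolver are counted
    // per raw id, and the scheme prefix keeps users of different schemes apart.
    static String userKey(String scheme, String id) {
        UnaryOperator<String> resolver = USER_NAME_BY_SCHEME.get(scheme);
        return scheme + "/" + (resolver == null ? id : resolver.apply(id));
    }

    // Atomically counts the connection and returns true if the user is under the limit.
    boolean tryAcquire(String scheme, String id) {
        boolean[] admitted = {false};
        open.compute(userKey(scheme, id), (k, n) -> {
            int current = (n == null) ? 0 : n;
            admitted[0] = current < maxPerUser;
            return admitted[0] ? Integer.valueOf(current + 1) : n;
        });
        return admitted[0];
    }

    // Call when a counted connection closes; drops the entry when it reaches zero.
    void release(String scheme, String id) {
        open.computeIfPresent(userKey(scheme, id), (k, n) -> n > 1 ? n - 1 : null);
    }

    public static void main(String[] args) {
        PerUserLimitDemo limiter = new PerUserLimitDemo(2);
        // Constructed ids: the same digest user with different text after the colon.
        System.out.println(limiter.tryAcquire("digest", "alice:AAAA"));
        System.out.println(limiter.tryAcquire("digest", "alice:BBBB"));
        System.out.println(limiter.tryAcquire("digest", "alice:AAAA")); // third for alice
        System.out.println(limiter.tryAcquire("sasl", "alice"));        // other scheme
        limiter.release("digest", "alice:AAAA");
        System.out.println(limiter.tryAcquire("digest", "alice:CCCC"));
    }
}
```

Counting on the raw digest id instead of the resolved user name would give each distinct id string its own bucket and would put the part after the colon into any map key, log line or metric derived from it.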