[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15383145#comment-15383145
]
Patrick Hunt commented on ZOOKEEPER-1045:
-----------------------------------------
bq. the current patch is supporting only single (shared) Kerberos principal
I don't think we want to make this simplification. I asked around for the other
components (e.g. hdfs/hbase) and they assign a single cred to each of the
services - user/host@realm. Their authz check will verify the user and realm,
but of course the hosts differ across servers/processes. In asking why they do
this rather than the shared approach they said it was due to ease of management
- in our case the servers likely already have user/host@realm, and two, if a
particular host/credential is compromised, it's much easier to change. I believe
we should do similar, if not for security then for consistency.
bq. Exposed fleTimeTaken
I think this is a great idea, however is it possible to move to another jira? It
would be easy to fasttrack that into releases. My concern is that this patch is
already pretty big/complicated and I'd really like to focus on the auth pieces.
Again, great idea to add this to the system though.
bq. new tests
It looks like we don't have any tests to verify the authz aspect of the change?
The two new tests, their comments seem to say the same thing and afaict
don't verify authz functionality?
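The per-host principal scheme described in the comment above (verify user and realm, let the host part differ per server), as an added illustration that is not code from the patch or from the ZooKeeper project; the class, method and host names are assumptions:

```java
import java.util.Optional;
import java.util.Set;

// Added example (not ZooKeeper code): authz for quorum-peer Kerberos
// identities of the form primary/host@REALM, as the comment suggests.
public final class QuorumPeerAuthz {

    /** Parsed Kerberos principal primary/instance@REALM (instance optional). */
    public static final class Principal {
        public final String primary;
        public final Optional<String> instance;
        public final String realm;
        Principal(String primary, Optional<String> instance, String realm) {
            this.primary = primary; this.instance = instance; this.realm = realm;
        }
    }

    /** Splits "primary/instance@REALM"; rejects anything without a realm. */
    public static Principal parse(String name) {
        int at = name.lastIndexOf('@');
        if (at <= 0 || at == name.length() - 1)
            throw new IllegalArgumentException("missing @REALM: " + name);
        String realm = name.substring(at + 1);
        String[] parts = name.substring(0, at).split("/", -1);
        if (parts.length > 2 || parts[0].isEmpty())
            throw new IllegalArgumentException("bad primary/instance: " + name);
        Optional<String> instance = (parts.length == 2 && !parts[1].isEmpty())
                ? Optional.of(parts[1]) : Optional.empty();
        return new Principal(parts[0], instance, realm);
    }

    /**
     * Accept a peer when its primary (user) and realm match ours. The host
     * instance is allowed to differ per server, but must be present, and a
     * single compromised host can be revoked without touching the others.
     */
    public static boolean isAuthorizedPeer(String name, String expectedPrimary,
                                           String expectedRealm, Set<String> revokedHosts) {
        Principal p;
        try { p = parse(name); } catch (IllegalArgumentException e) { return false; }
        if (!p.primary.equals(expectedPrimary) || !p.realm.equals(expectedRealm)) return false;
        return p.instance.map(h -> !revokedHosts.contains(h)).orElse(false);
    }

    public static void main(String[] args) {
        Set<String> revoked = Set.of("zk3.example.com"); // constructed sample
        System.out.println(isAuthorizedPeer("zookeeper/zk1.example.com@EXAMPLE.COM", "zookeeper", "EXAMPLE.COM", revoked));
        System.out.println(isAuthorizedPeer("zookeeper/zk3.example.com@EXAMPLE.COM", "zookeeper", "EXAMPLE.COM", revoked));
        System.out.println(isAuthorizedPeer("hbase/zk1.example.com@EXAMPLE.COM", "zookeeper", "EXAMPLE.COM", revoked));
        System.out.println(isAuthorizedPeer("zookeeper/zk1.example.com@OTHER.REALM", "zookeeper", "EXAMPLE.COM", revoked));
    }
}
```

Only the first call is accepted; the revoked host, the wrong primary and the wrong realm are each rejected while the other servers' credentials stay valid.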
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.9, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip,
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)