[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15400138#comment-15400138
]
Mike Yoder commented on ZOOKEEPER-1045:
---------------------------------------
I had a look at Hadoop's SaslRpcClient.getServerPrincipal() - one could easily
make the argument that we ought to stick to a similar implementation. It *does*
look like it considers the host in the comparison. (I'm assuming that this is
the correct hadoop function to look at...) It can also match a principal
against a regex pattern for genericness.
But if ZK has a history of not ensuring that hostnames in zoo.cfg don't match
the kerberos credential, then we probably can't realistically use it. And if
there is a separate history of it using kerberos principals without a host,
then we have to consider that as well.
So if we ignore the host part of the principal, that opens us up to an attack
where any zookeeper keytab can be used on any host, so if one is compromised it
can be reused elsewhere. Not great. But you do at least have to steal one
keytab.
How about we add an optional "require host in kerberos principal" flag, default
it to false. Then when comparing principals, we split out user / host @
domain, compare the user and domain, and then depending on the value of the
flag compare the host. This gives us compatibility and then optional security.
And we can move towards flipping that flag to true later.
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.9, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz,
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045-00.patch,
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
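The comparison rule proposed in the comment above (split the principal into user / host @ realm, always compare user and realm, compare the host only when a flag is set), as an added example that is not ZooKeeper's code and not part of the JIRA thread. The flag name `require_host`, the `zookeeper/<host>@<REALM>` principal shape and the host names are assumptions for illustration; the `evaluate_keytab_reuse` function plays out the scenario the comment warns about, where a keytab for one peer is presented from a host listed under a different name in zoo.cfg.

```python
"""Quorum-peer Kerberos principal comparison with an optional host check.

Added example (not ZooKeeper's own code). `require_host`, the helper
names and the sample principals are assumptions for illustration.
"""
from typing import NamedTuple, Optional


class Principal(NamedTuple):
    primary: str            # user/service part, e.g. "zookeeper"
    host: Optional[str]     # instance part, None when the principal has none
    realm: str              # e.g. "EXAMPLE.COM" (realms are case-sensitive)


def parse_principal(text: str) -> Principal:
    """Split 'primary[/host]@REALM' into its three parts.

    Backslash escaping of '/' and '@' (permitted by Kerberos) is not
    handled; the service principals compared here are plain strings.
    """
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal missing realm: {text!r}")
    primary, sep, host = name.partition("/")
    if not primary or (sep and not host):
        raise ValueError(f"malformed principal name: {text!r}")
    return Principal(primary, host if sep else None, realm)


def principal_matches(expected: str, actual: str, require_host: bool = False) -> bool:
    """Compare two principals the way the comment proposes.

    user and realm must always agree; the host is compared only when
    require_host is set, and then both sides must carry one (a host-less
    legacy principal is rejected, since it cannot prove which peer it is).
    """
    e, a = parse_principal(expected), parse_principal(actual)
    if e.primary != a.primary or e.realm != a.realm:
        return False
    if not require_host:
        return True
    return e.host is not None and e.host == a.host


def expected_peer_principal(cfg_host: str, realm: str, service: str = "zookeeper") -> str:
    """Principal a peer listed as `cfg_host` in zoo.cfg is expected to present."""
    return f"{service}/{cfg_host}@{realm}"


def evaluate_keytab_reuse(require_host: bool) -> bool:
    """Constructed scenario: zoo.cfg lists zk2, but the connecting peer
    authenticates with zk1's (stolen) keytab. Returns True if accepted."""
    expected = expected_peer_principal("zk2.example.com", "EXAMPLE.COM")
    stolen = "zookeeper/zk1.example.com@EXAMPLE.COM"
    return principal_matches(expected, stolen, require_host)


if __name__ == "__main__":
    for flag in (False, True):
        verdict = "accepted" if evaluate_keytab_reuse(flag) else "rejected"
        print(f"require_host={flag}: zk1 keytab presented for zk2 is {verdict}")
```

With the flag left at its proposed default of `False` the reused keytab is accepted, which is exactly the "any zookeeper keytab on any host" exposure described; flipping it to `True` rejects both the wrong-host principal and a host-less one, so turning it on requires every peer's keytab to match its zoo.cfg hostname first.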