[ https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15648280#comment-15648280 ]
Botond Hejj commented on ZOOKEEPER-2462:
----------------------------------------
I haven't noticed that. I could have updated that.
There is certainly an overlap. There are some differences though:
- There is a disableWorldAcl option here
- There is an option to enforce a specific Auth scheme in 1634
- The code where enforcement is done is different, so one needs to be picked.
- 1634 doesn't do anything if the check actually fails. It looks like it was
never finished
- 1634 is lacking a cfg option and unit tests
If one is merged then I don't think the other could be closed. It would be
great to create a union.
> force authentication/authorization
> ----------------------------------
>
> Key: ZOOKEEPER-2462
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Botond Hejj
> Priority: Minor
> Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
>
>
> This change introduces two new config options to force authorization and
> authentication:
> 1. disableWorldACL
> The purpose of this option is to disable the builtin mechanism which authorizes
> everyone.
> If it is turned on then the world/anyone usage is ignored. ZooKeeper will not
> check operations based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This
> restriction is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on then ZooKeeper won't authorize any operation if
> the user has not authenticated either with SASL or with addAuth.
> There is a way to enforce SASL authentication but currently there is no way to
> enforce authentication using the plugin mechanism. Enforcing authentication
> for that is more tricky since authentication can come any time later. This
> option doesn't drop the connection if there was no authentication. It is only
> throwing NoAuth for any operation until the Auth packet arrives.
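An added illustration, not part of the original message or of either patch: a simplified Java model of how the two options in the description change the outcome of an ACL check. The class, record and method names are hypothetical, the flag names follow the option names in the description, and provider-specific identity matching is reduced to plain equality.

```java
import java.util.List;

// Simplified model of the behaviour in the issue description; not ZooKeeper's code.
public class AclCheckModel {
    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}
    static final int READ = 1, WRITE = 2;
    static final Id ANYONE = new Id("world", "anyone");

    // Flag names follow the option names in the description (assumed spelling).
    final boolean disableWorldACL, forceAuthentication;

    AclCheckModel(boolean disableWorldACL, boolean forceAuthentication) {
        this.disableWorldACL = disableWorldACL;
        this.forceAuthentication = forceAuthentication;
    }

    // sessionIds: identities added so far through SASL or addAuth (empty = none yet).
    // Returns "OK" or "NoAuth" instead of throwing, to keep the model short.
    String check(List<Acl> acl, int perm, List<Id> sessionIds) {
        if (forceAuthentication && sessionIds.isEmpty()) {
            return "NoAuth"; // connection stays open; later requests are re-checked
        }
        for (Acl entry : acl) {
            if ((entry.perms() & perm) == 0) continue;
            if (entry.id().equals(ANYONE)) {
                if (disableWorldACL) continue; // world/anyone entry is ignored
                return "OK";                   // stock behaviour: everyone matches
            }
            // Real providers implement their own matching; equality is a simplification.
            if (sessionIds.contains(entry.id())) return "OK";
        }
        return "NoAuth";
    }

    public static void main(String[] args) {
        Id alice = new Id("digest", "alice:constructed-hash"); // constructed sample identity
        List<Acl> open = List.of(new Acl(READ | WRITE, ANYONE));
        List<Acl> mixed = List.of(new Acl(READ, ANYONE), new Acl(READ | WRITE, alice));

        AclCheckModel force = new AclCheckModel(false, true);
        System.out.println(force.check(open, READ, List.of()));      // before any auth packet
        System.out.println(force.check(open, READ, List.of(alice))); // after addAuth

        AclCheckModel noWorld = new AclCheckModel(true, false);
        System.out.println(noWorld.check(open, READ, List.of(alice)));   // only world/anyone on the node
        System.out.println(noWorld.check(mixed, WRITE, List.of(alice))); // explicit entry for alice
    }
}
```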