[
https://issues.apache.org/jira/browse/ZOOKEEPER-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16254680#comment-16254680
]
ASF GitHub Bot commented on ZOOKEEPER-2937:
-------------------------------------------
GitHub user sriramch opened a pull request:
https://github.com/apache/zookeeper/pull/418
[zookeeper-2937] disallow client requests without completing
authentication...
- https://issues.apache.org/jira/browse/ZOOKEEPER-2937
- do not process data packets, if authentication via providers that
*requires* authentication aren't completed
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sriramch/zookeeper master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/418.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #418
----
commit ed6986b83eea71e280976df78b13c44088915efa
Author: Sriram Chandramouli <[email protected]>
Date: 2017-11-15T21:25:29Z
[zookeeper-2937]
- https://issues.apache.org/jira/browse/ZOOKEEPER-2937
- do not process data packets, if authentication via providers that
*requires* authentication aren't completed
commit 2e2e4b5b4a57212da70e004c402711412b1d6f07
Author: Sriram Chandramouli <[email protected]>
Date: 2017-11-16T02:54:29Z
- do the auth checks only once after connection establishment before
processing data packets
commit 74271caa44484b06b435e39cd5e22362bb2c73cf
Author: Sriram Chandramouli <[email protected]>
Date: 2017-11-16T02:57:42Z
Merge branch 'master' of https://github.com/apache/zookeeper
----
> zookeeper issues with handling authentication...
> ------------------------------------------------
>
> Key: ZOOKEEPER-2937
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2937
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.4.6
> Environment: Linux <node_name>
> 2.6.32-696.6.3.el6.YAHOO.20170712.4.x86_64 #1 SMP Wed Jul 12 01:40:52 UTC
> 2017 x86_64
> -bash-4.1$ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> java version "1.8.0_25"
> Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
> Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
> /home/y/libexec/ant/bin/ant -version
> Apache Ant(TM) version 1.9.0 compiled on March 5 2013
> Reporter: Sriram Chandramouli
> Fix For: 3.4.6
>
>
> we have created an authentication provider plugin that can authenticate
> clients based on the cert that client is presenting. our zookeeper instance
> has been configured (and started) to authenticate and allow only certain
> appid's. this works as intended when clients (ours are c-clients) send an
> auth message via yca_add_auth containing the cert *and* the authentication
> provider is configured to allow it.
> however, if the clients do *not* present one (i.e. do not send an auth
> packet), and if the authentication provider allows only certain appid's, this
> connection still goes through - i.e. clients are able to connect,
> create/watch nodes etc.! this is unexpected and does *not* allow us to
> prevent certain clients from connecting to a zookeeper quorum (as they can
> still connect without present any credentials).
> it looks like zookeeper will only invoke the auth providers if it receives an
> auth packet from the client.
> none of this block -
> https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1060
> ever gets executed, and it directly jumps to this
> https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1108
> we have a usecase where we only want clients that can present valid
> credentials to connect to zookeeper (zk).
> i was hoping to expose an interface where different auth providers (when they
> are loaded) would let zk know if they need to authenticate a client before
> processing other data packets. the default ones (kerberos/ip/digest etc.)
> would say no to maintain compatibility. our auth provider can be configured
> to say yes/no (default no) depending on use-case. zk before processing a data
> packet can look at the auth info in the server connection to see the schemes
> that requires authentication and have successfully authenticated. connection
> will succeed if all schemes that require authentication have successfully
> authenticated; else, we disable receive.
> can someone please look into this issue and evaluate the proposal? i can work
> on creating a pr for this.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
