[ https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16518168#comment-16518168 ]

Andor Molnar commented on ZOOKEEPER-2462:
-----------------------------------------

Hi [~botond.hejj]

Would you like to carry out this patch and potentially create a pull request on 
GitHub?

I've tested it and found a nice and simple solution to enforce authentication. 
However, there are other Jiras linked to this which have fundamentally different 
approaches, disconnecting the client immediately if it doesn't authenticate 
itself. Though as far as I could see, those patches aren't ready yet and need 
somebody to continue. They sound like a significantly stronger defense of the 
system; what do you think?

We cannot commit orthogonal patches for a problem, so we have to make a 
decision which way to go.

How would you differentiate your patch from the others?  

> force authentication/authorization
> ----------------------------------
>
>                 Key: ZOOKEEPER-2462
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Botond Hejj
>            Priority: Minor
>         Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
>
>
> This change introduces two new config options to force authorization and 
> authentication:
> 1. disableWorldACL
> The purpose of this option is to disable the builtin mechanism which authorizes 
> everyone.
> If it is turned on, then the world/anyone usage is ignored. ZooKeeper will not 
> check operations based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This 
> restriction is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on, then ZooKeeper won't authorize any operation if 
> the user has not authenticated either with SASL or with addAuth.
> There is a way to enforce SASL authentication, but currently there is no way to 
> enforce authentication using the plugin mechanism. Enforcing authentication 
> for that is more tricky since authentication can come any time later. This 
> option doesn't drop the connection if there was no authentication. It is only 
> throwing NoAuth for any operation until the Auth packet arrives.
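The following is an added example, not code from the ZOOKEEPER-2462 patch or from ZooKeeper itself. It models the server-side ACL check described in the issue in Python so the interaction of the two proposed options can be seen on realistic ACLs: a `world:anyone` ACL, a `digest` ACL whose id is built the same way ZooKeeper's `DigestAuthenticationProvider.generateDigest` builds it (`user:base64(sha1(user:password))`), and a session that sends its Auth packet only after its first request. The names `ServerConfig`, `Session`, `check_acl` and `outcome` are the example's own; only the option names `disableWorldACL` and `forceAuthentication` and the permission bits come from the issue text and ZooKeeper's `ZooDefs.Perms`.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from enum import IntFlag


class Perm(IntFlag):
    """ZooKeeper permission bits (same values as ZooDefs.Perms)."""
    READ = 1
    WRITE = 2
    CREATE = 4
    DELETE = 8
    ADMIN = 16
    ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Id:
    scheme: str   # "world", "digest", "sasl", ...
    id: str       # "anyone", "alice:<base64 sha1>", "alice@EXAMPLE.COM", ...


@dataclass(frozen=True)
class ACL:
    perms: Perm
    id: Id


WORLD_ANYONE = Id("world", "anyone")


@dataclass
class ServerConfig:
    """The two options proposed in ZOOKEEPER-2462 (attribute names are this example's)."""
    disable_world_acl: bool = False      # disableWorldACL
    force_authentication: bool = False   # forceAuthentication


class NoAuthError(Exception):
    """Stands in for KeeperException.NoAuthException."""


def digest_id(user: str, password: str) -> str:
    """digest-scheme id: 'user:base64(sha1(user:password))', as generateDigest does."""
    sha = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(sha).decode()}"


@dataclass
class Session:
    """Authenticated ids a client session has accumulated so far (empty until an Auth packet)."""
    auth_ids: list = field(default_factory=list)

    def add_auth(self, scheme: str, auth: bytes) -> None:
        """Model of the Auth packet (what ZooKeeper.addAuthInfo sends from the client)."""
        if scheme == "digest":
            user, password = auth.decode().split(":", 1)
            self.auth_ids.append(Id("digest", digest_id(user, password)))
        elif scheme == "sasl":
            self.auth_ids.append(Id("sasl", auth.decode()))
        else:
            raise ValueError(f"scheme not modelled here: {scheme}")


def check_acl(acls, session: Session, perm: Perm, cfg: ServerConfig) -> bool:
    """Return True if `perm` is granted, otherwise raise NoAuthError.

    forceAuthentication is a gate in front of the ACL walk: with no Auth packet
    received yet, every operation fails with NoAuth, but the session is kept.
    disableWorldACL makes the walk skip world:anyone entries entirely.
    """
    if cfg.force_authentication and not session.auth_ids:
        raise NoAuthError("forceAuthentication: no Auth packet received yet")
    for acl in acls:
        if not (acl.perms & perm):
            continue
        if acl.id == WORLD_ANYONE:
            if cfg.disable_world_acl:
                continue
            return True
        for auth in session.auth_ids:
            if auth.scheme == acl.id.scheme and auth.id == acl.id.id:
                return True
    raise NoAuthError(f"no ACL grants {perm.name}")


def outcome(acls, session: Session, perm: Perm, cfg: ServerConfig) -> str:
    """Collapse the check into 'ALLOWED' / 'NOAUTH' for readable comparisons."""
    try:
        check_acl(acls, session, perm, cfg)
        return "ALLOWED"
    except NoAuthError:
        return "NOAUTH"


# Constructed sample data: one open znode, one restricted to a digest user.
OPEN_NODE = [ACL(Perm.ALL, WORLD_ANYONE)]
ALICE_NODE = [ACL(Perm.ALL, Id("digest", digest_id("alice", "s3cret")))]


def walkthrough() -> dict:
    """Same client lifecycle under the three configurations; returns the observed results."""
    results = {}
    for label, cfg in (
        ("default", ServerConfig()),
        ("forceAuthentication", ServerConfig(force_authentication=True)),
        ("both", ServerConfig(disable_world_acl=True, force_authentication=True)),
    ):
        s = Session()                                  # connected, no Auth packet yet
        before = outcome(OPEN_NODE, s, Perm.READ, cfg)
        s.add_auth("digest", b"alice:s3cret")          # Auth packet arrives later
        after_open = outcome(OPEN_NODE, s, Perm.READ, cfg)
        after_alice = outcome(ALICE_NODE, s, Perm.WRITE, cfg)
        results[label] = (before, after_open, after_alice)
    return results
```

Reading `walkthrough()`: under the default config the unauthenticated read of the `world:anyone` node is allowed; with `forceAuthentication` alone it is NoAuth until the Auth packet arrives and allowed afterwards, because `world:anyone` is still honoured; with both options on, the `world:anyone` node stays NoAuth even after authentication and only the digest ACL grants access. The second case is the caveat worth keeping in mind when weighing this patch: `forceAuthentication` on its own only requires that some Auth packet was accepted, so a node whose ACL is `world:anyone` is still open to any client that authenticates as anyone at all.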



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)