[ https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16526225#comment-16526225 ]

Botond Hejj commented on ZOOKEEPER-2462:
----------------------------------------

Hi [~andorm],

I have previously commented on 1634. I see that the patch has not been updated 
since that time and is still unfinished.

I see also now 2526. I don't see a patch there. My patch would solve that Jira 
as well I believe. If forceAuthentication is turned clients which will fail 
SASL auth. Similarly to the proposed allowAnonLogin=False.

The only feature I see missing is more related to 1634. In my patch it is not 
possible to filter the authentication enforcement to a specific scheme. If we 
would like to add that as well, then instead of a boolean we would need an 
option with the list of enforced schemes. Enforcing only a single scheme 
doesn't work for me.


> force authentication/authorization
> ----------------------------------
>
>                 Key: ZOOKEEPER-2462
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Botond Hejj
>            Priority: Minor
>         Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
>
>
> This change introduces two new config options to force authorization and 
> authentication:
> 1. disableWorldACL
> The purpose of this option is to disable the builtin mechanism which 
> authorizes everyone.
> If it is turned on, then the world/anyone usage is ignored. ZooKeeper will not 
> check operations based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This 
> restriction is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on, then ZooKeeper won't authorize any operation if 
> the user has not authenticated either with SASL or with addAuth.
> There is a way to enforce SASL authentication, but currently there is no way to 
> enforce authentication using the plugin mechanism. Enforcing authentication 
> for that is more tricky since authentication can come any time later. This 
> option doesn't drop the connection if there was no authentication. It is only 
> throwing NoAuth for any operation until the Auth packet arrives.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
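
A small model of the two options described in the issue, added here as an example and not taken from the attached ZooKeeper patch. The option names disableWorldACL and forceAuthentication come from the issue text; the class, the check method and the sample ACLs are hypothetical.

```java
import java.util.List;

// Added model of the two options in the issue; not code from the ZooKeeper patch.
public class ForceAuthModel {
    static final int READ = 1, WRITE = 2;
    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}
    static class NoAuthException extends Exception {}

    // Option names are from the issue text; everything else here is hypothetical.
    final boolean disableWorldACL, forceAuthentication;

    ForceAuthModel(boolean disableWorldACL, boolean forceAuthentication) {
        this.disableWorldACL = disableWorldACL;
        this.forceAuthentication = forceAuthentication;
    }

    // sessionIds: identities the session has proven so far (SASL or addAuth).
    void check(List<Acl> acl, int perm, List<Id> sessionIds) throws NoAuthException {
        // forceAuthentication: the connection is kept, but every operation gets
        // NoAuth until some authentication has arrived.
        if (forceAuthentication && sessionIds.isEmpty()) throw new NoAuthException();
        for (Acl a : acl) {
            if ((a.perms() & perm) == 0) continue;
            boolean world = a.id().equals(new Id("world", "anyone"));
            // disableWorldACL: world/anyone entries are ignored and grant nothing.
            if (world ? !disableWorldACL : sessionIds.contains(a.id())) return;
        }
        throw new NoAuthException();
    }

    boolean allowed(List<Acl> acl, int perm, List<Id> ids) {
        try { check(acl, perm, ids); return true; } catch (NoAuthException e) { return false; }
    }

    public static void main(String[] args) {
        Id alice = new Id("digest", "alice:CONSTRUCTED_HASH"); // constructed sample id
        List<Acl> open = List.of(new Acl(READ | WRITE, new Id("world", "anyone")));
        List<Acl> owned = List.of(new Acl(READ | WRITE, alice));
        List<Id> anon = List.of(), authed = List.of(alice);

        ForceAuthModel force = new ForceAuthModel(false, true);
        System.out.println("force, anon, open node: " + force.allowed(open, READ, anon));
        System.out.println("force, authed, open node: " + force.allowed(open, READ, authed));

        ForceAuthModel noWorld = new ForceAuthModel(true, false);
        System.out.println("noWorld, authed, open node: " + noWorld.allowed(open, READ, authed));
        System.out.println("noWorld, authed, owned node: " + noWorld.allowed(owned, WRITE, authed));
    }
}
```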
