[
https://issues.apache.org/jira/browse/ZOOKEEPER-2462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16538648#comment-16538648
]
Andor Molnar commented on ZOOKEEPER-2462:
-----------------------------------------
[~botond.hejj]
It seems to me that your comments on ZOOKEEPER-1634 are slightly outdated. Now
I'm looking at [~hanm]'s pull request and comparing with your patch
[https://github.com/apache/zookeeper/pull/118]
# There's no disableWorldAcl options, but in that case I don't it's needed,
# I can't see that option. I only see one new bool option:
sessionRequireClientSASLAuth to enabled/disable the feature
# Correct.
# I think in the pull request it's already finished
# -""-
The only main difference I can see is that in the other approach the client
won't be able to establish a new session if the first packet after the
connection is not an SASL auth packet with valid authentication. Connection
will be immediately closed, therefore server resources can't be exhausted.
Sounds like a more secure approach to me with the trade-off by removing the
'addAuth' client command feature, but I think it's feasible.
My suggestion is that we could pick where [~hanm] left off the pull request and
submit changes until we get an agreement from the community.
Do you think it would work for you [~botond.hejj] ?
Is there anything which is not included in the pull request and we should add
to meet your requirements?
> force authentication/authorization
> ----------------------------------
>
> Key: ZOOKEEPER-2462
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Botond Hejj
> Priority: Minor
> Attachments: ZOOKEEPER-2462.patch, ZOOKEEPER-2462.patch
>
>
> This change introduces two new config options to force authorization and
> authentication:
> 1. disableWorldACL
> The purpose of this option is disable the builtin mechanism which authorizes
> everyone.
> If it is turned on than the world/anyone usage is ignored. ZooKeeper will not
> check operations based on world/anyone.
> This option is useful to force some kind of authorization mechanism. This
> restriction is useful in a strictly audited environment.
> 2. forceAuthentication
> If this option is turned on than ZooKeeper won't authorize any operation if
> the user has not authenticated either with SASL or with addAuth.
> There is way to enforce SASL authentication but currently there is no way to
> enforce authentication using the plugin mechanism. Enforcing authentication
> for that is more tricky since authentication can come any time later. This
> option doesn't drop the connection if there was no authentication. It is only
> throwing NoAuth for any operation until the Auth packet arrives.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
