Damien Diederen created ZOOKEEPER-4753:
------------------------------------------
Summary: Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Key: ZOOKEEPER-4753
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
Project: ZooKeeper
Issue Type: Improvement
Components: server
Affects Versions: 3.9.0
Reporter: Damien Diederen
Assignee: Damien Diederen

The SASL-based quorum authorizer does not explicitly distinguish between the
DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}} and
{{PasswordCallback}} for authentication with the former and examining Kerberos
principals in {{AuthorizeCallback}} for the latter.

It turns out that some SASL/DIGEST-MD5 configurations cause authentication and
authorization IDs not to match the expected format, and the DIGEST-MD5-based
portions of the quorum test suite to fail with obscure errors. (They can be
traced to failures to join the quorum, but only by looking into detailed logs.)

We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is
used, and relax the authentication ID check for the former. As a cleanup, we
can keep the password-based credential map empty when Kerberos principals are
expected. Finally, we can adapt tests to ensure "weirdly-shaped" credentials
only cause authentication failures in the GSSAPI case.
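
One way the proposal above could look in a server-side SASL callback handler, as an added Java sketch that is neither ZooKeeper's code nor the reporter's patch. Assumptions: the class and method names, the `DigestLoginModule` suffix test, the `user_<name>` option convention, the `service/host@REALM` principal shape, and all sample values are hypothetical.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

// Added sketch, not ZooKeeper's code; all names and sample values are hypothetical.
public class QuorumAuthSketch implements CallbackHandler {
    private final boolean digest; // true: DIGEST-MD5, false: GSSAPI
    private final Map<String, String> credentials = new HashMap<>(); // stays empty for GSSAPI

    // Arguments stand for a JAAS AppConfigurationEntry's getLoginModuleName() and getOptions().
    QuorumAuthSketch(String moduleName, Map<String, ?> options) {
        // Assumption: a login module class named *DigestLoginModule means DIGEST-MD5.
        digest = moduleName.endsWith("DigestLoginModule");
        if (!digest) return; // Kerberos principals expected: keep the password map empty
        // Assumption: passwords are configured as user_<name>="<password>" options.
        for (Map.Entry<String, ?> o : options.entrySet())
            if (o.getKey().startsWith("user_")) credentials.put(o.getKey().substring(5), "" + o.getValue());
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        String user = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                user = ((NameCallback) cb).getDefaultName();
            } else if (cb instanceof PasswordCallback) {
                String pw = credentials.get(user); // unknown user: no password is set
                if (pw != null) ((PasswordCallback) cb).setPassword(pw.toCharArray());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(authorize(ac.getAuthenticationID(), ac.getAuthorizationID()));
            } else if (!(cb instanceof RealmCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    boolean authorize(String authnId, String authzId) {
        if (authnId == null || !authnId.equals(authzId)) return false;
        // DIGEST-MD5: any ID shape passes; GSSAPI: require service/host@REALM.
        return digest || authnId.matches("[^/@]+/[^/@]+@[^/@]+");
    }

    public static void main(String[] args) { // constructed module names, options and IDs
        QuorumAuthSketch d = new QuorumAuthSketch("org.example.DigestLoginModule", Map.of("user_learner", "constructed-secret"));
        QuorumAuthSketch g = new QuorumAuthSketch("com.sun.security.auth.module.Krb5LoginModule", new HashMap<String, String>());
        for (String id : new String[] {"learner", "zkquorum/host1@EXAMPLE.COM"})
            System.out.println(id + ": digest=" + d.authorize(id, id) + " gssapi=" + g.authorize(id, id));
    }
}
```

The relaxed DIGEST-MD5 branch still requires the authentication and authorization IDs to be equal; only the shape check is skipped, since the password exchange has already authenticated the peer.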