[
https://issues.apache.org/jira/browse/ZOOKEEPER-1634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892609#comment-16892609
]
Hudson commented on ZOOKEEPER-1634:
-----------------------------------
SUCCESS: Integrated in Jenkins build Zookeeper-trunk-single-thread #462 (See
[https://builds.apache.org/job/Zookeeper-trunk-single-thread/462/])
ZOOKEEPER-1634: hardening security by teaching server to enforce client
(eolivelli: rev 513df3da671c9937417bb7d92a55402520ba1292)
* (add)
zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
* (edit) zookeeper-client/zookeeper-client-c/tests/zkServer.sh
* (add)
zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
* (add)
zookeeper-client/zookeeper-client-c/tests/TestServerRequireClientSASLAuth.cc
* (edit) zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
* (edit) zookeeper-client/zookeeper-client-c/include/zookeeper.h
* (edit)
zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
* (edit) zookeeper-client/zookeeper-client-c/Makefile.am
* (add)
zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
* (edit)
zookeeper-server/src/main/java/org/apache/zookeeper/KeeperException.java
* (add)
zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslTestUtil.java
> A new feature proposal to ZooKeeper: authentication enforcement
> ---------------------------------------------------------------
>
> Key: ZOOKEEPER-1634
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1634
> Project: ZooKeeper
> Issue Type: New Feature
> Components: security, server
> Affects Versions: 3.4.5
> Reporter: Jaewoong Choi
> Assignee: Michael Han
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.6.0
>
> Attachments:
> zookeeper_3.4.5_patch_for_authentication_enforcement.patch
>
> Original Estimate: 72h
> Time Spent: 4.5h
> Remaining Estimate: 67.5h
>
> Up to the version of 3.4.5, ZooKeeperServer doesn't force the authentication
> if the client doesn't give any auth-info through ZooKeeper#addAuthInfo method
> invocation. Hence, every znode should have at least one ACL assigned
> otherwise any unauthenticated client can do anything on it.
> The current authentication/authorization mechanism of ZooKeeper described
> above has several points at issue:
> 1. At security standpoint, a maleficent client can access a znode which
> doesn't have any proper authorization access control set.
> 2. At runtime performance standpoint, authorization for every znode to every
> operation is unnecessarily but always evaluated against the client who
> bypassed the authentication phase.
> In other words, the current mechanism doesn't address a certain requirement
> at below:
> "We want to protect a ZK server by enforcing a simple authentication to every
> client no matter which znode it is trying to access. Every connection (or
> operation) from the client won't be established but rejected if it doesn't
> come with a valid authentication information. As we don't have any other
> distinction between znodes in term of authorization, we don't want any ACLs
> on any znode."
> To address the issues mentioned above, we propose a feature called
> "authentication enforcement" to the ZK source. The idea is roughly but
> clearly described in a form of patch in the attached file
> (zookeeper_3.4.5_patch_for_authentication_enforcement.patch): which makes
> ZooKeeperServer enforce the authentication with the given 2 configurations:
> authenticationEnforced (boolean) and enforcedAuthenticationScheme (string)
> against every operation coming through ZooKeeperServer#processPacket method
> except for OpCode.auth operation. The repository base of the patch is
> "http://svn.apache.org/repos/asf/zookeeper/tags/release-3.4.5/";
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
