[jira] [Commented] (ZOOKEEPER-3476) Identify client request for quota control

Tue, 30 Jul 2019 13:47:38 -0700 


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16896508#comment-16896508
 ] 

Mocheng Guo commented on ZOOKEEPER-3476:
----------------------------------------

The proposed authentication provider will not validate client id from client, 
instead it will just accept it and save into connection so that all requests 
from that connection will be associated with its client id. This proposal, just 
like your patch, does not prevent malicious user impersonating a valid client 
either, and we have to assume all clients are honest about client id. We have 
looked at client/server protocol and Ben Reed suggested using auth protocol. 
Could you explain how your design works to enable client sending id to server?

Another option, supposing TLS authentication is enabled and client sending ssl 
certificate to server, is to take client identity from client ssl certificate 
as client id. Since ssl certificate is signed by authority, this prevents 
impersonation attack. We could have system configs to control which id/identity 
to use for quota control.

> Identify client request for quota control
> -----------------------------------------
>
>                 Key: ZOOKEEPER-3476
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3476
>             Project: ZooKeeper
>          Issue Type: Sub-task
>          Components: server
>            Reporter: Mocheng Guo
>            Priority: Major
>
> In order to support quota, we need a way to identify clients. If security is 
> enabled, we might be able to use secured identity inside client certificate. 
> But a generalized client-id based approach would be better to cover scenario 
> without security.
> The proposal here is to utilize existing zookeeper auth protocol to accept 
> client identity.
>  # The client id should be sent by client once connection is established.
>  # Sending client id is optional. Note that server needs to enable auth 
> provider if client does send in client id auth request or request would be 
> denied without auth provider on server side.
>  # client id is JSON withe client_id as mandatory field. Additional fields 
> can be added like client contact information, client version...
>  # This client identity will be cached in server connection and attached to 
> requests from the connection.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to