[
https://issues.apache.org/jira/browse/ZOOKEEPER-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16938686#comment-16938686
]
Mohammad Arshad commented on ZOOKEEPER-3558:
--------------------------------------------
Thanks for the information [~hanm]
Two concerns with ZOOKEEPER-1634.
1. It is merged only in master.
2. It is limited to only sasl authentication scheme. It can not support any
other scheme
Shall we back port ZOOKEEPER-1634 to branch-3.5 also do changed to make it work
for any authentication scheme.
> Support authentication enforcement
> ----------------------------------
>
> Key: ZOOKEEPER-3558
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3558
> Project: ZooKeeper
> Issue Type: New Feature
> Reporter: Mohammad Arshad
> Assignee: Mohammad Arshad
> Priority: Major
> Fix For: 3.5.7
>
> Attachments: ZOOKEEPER-3558-01.patch
>
>
> Provide authentication enforcement in ZooKeeper that is backward compatible
> and can work for any authentication scheme, can work even with custom
> authentication schemes.
> *Problems:*
> 1. Currently server is starting with default authentication
> providers(DigestAuthenticationProvider, IPAuthenticationProvider). These
> default authentication providers are not really secure.
> 2. ZooKeeper server is not checking whether authentication is done or not
> before performing any user operation.
> *Solutions:*
> 1. We should not start any authentication provider by default. But this would
> be backward incompatible change. So we can provide configuration whether to
> start default authentication provides are not.
> By default we can start these authentication providers.
> 2. Before any user operation server should check whether authentication
> happened or not. At least client must be authenticated with one
> authentication scheme.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
