[jira] [Commented] (ZOOKEEPER-3558) Support authentication enforcement

Thu, 26 Sep 2019 16:44:06 -0700 


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939031#comment-16939031
 ] 

Michael Han commented on ZOOKEEPER-3558:
----------------------------------------

For 1 - I am not exactly sure if we should back port anything from master to 
branch-3.5 at this moment. My hope is we should focus on master branch and get 
3.6 release out of the door and unify the development / release diverge we 
created (3.4 as stable release, 3.5 as beta release - which only recently 
dropped beta tag, and 3.6/master as dev branch) which would save some 
maintaining overhead for community and contributors. That said, if someone want 
to back port that JIRA, i am happy to review and commit.

For 2 - yes, that's a good idea to generalize. In fact, it was commented in the 
original PR 
(https://github.com/apache/zookeeper/pull/118#issuecomment-495386499). This 
work was scoped out of the original PR and I created 
https://issues.apache.org/jira/browse/ZOOKEEPER-3561 to track the 
generalization work.




> Support authentication enforcement
> ----------------------------------
>
>                 Key: ZOOKEEPER-3558
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3558
>             Project: ZooKeeper
>          Issue Type: New Feature
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>            Priority: Major
>             Fix For: 3.5.7
>
>         Attachments: ZOOKEEPER-3558-01.patch
>
>
> Provide authentication enforcement in ZooKeeper that is backward compatible 
> and can work for any authentication scheme, can work even with custom 
> authentication schemes.
> *Problems:*
> 1. Currently server is starting with default authentication 
> providers(DigestAuthenticationProvider, IPAuthenticationProvider). These 
> default authentication providers are not really secure.
> 2. ZooKeeper server is not checking whether authentication is done or not 
> before performing any user operation.
> *Solutions:*
> 1. We should not start any authentication provider by default. But this would 
> be backward incompatible change. So we can provide configuration whether to 
> start default authentication provides are not.
> By default we can start these authentication providers.
> 2. Before any user operation server should check whether authentication 
> happened or not. At least client must be authenticated with one 
> authentication scheme.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to