[
https://issues.apache.org/jira/browse/ZOOKEEPER-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16940199#comment-16940199
]
caixiaofeng commented on ZOOKEEPER-1467:
----------------------------------------
https://github.com/apache/zookeeper/pull/1099/commits/8f013f4597521924c5f05977c26e5b62d989c5ac
The patch uses the client set by guest code.
As the 4letter command needs no auth, why not show the
zookeeper.server.principal by the server using a 4letter word command?
Then get the server principal by four letter commands automatically.
(If it can't be got by the 4letter command, then the guest config can be used.)
------ this is the code in the patch
{code}
static String getServerPrincipal(WrapperInetSocketAddress addr,
                                 ZKClientConfig clientConfig) {
    String configuredServerPrincipal =
        clientConfig.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL);
    if (configuredServerPrincipal != null) {
        // If server principal is already configured then return it
        return configuredServerPrincipal;
    }
{code}
> Server principal on client side is derived using hostname.
> ----------------------------------------------------------
>
> Key: ZOOKEEPER-1467
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1467
> Project: ZooKeeper
> Issue Type: Improvement
> Components: java client
> Affects Versions: 3.4.3, 3.4.4, 3.5.0
> Reporter: Laxman
> Assignee: Eugene Joseph Koontz
> Priority: Major
> Labels: Security, client, kerberos, pull-request-available, sasl
> Fix For: 3.6.0
>
> Attachments: ZOOKEEPER-1467.patch, ZOOKEEPER-1467.patch
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Server principal on client side is derived using hostname.
> org.apache.zookeeper.ClientCnxn.SendThread.startConnect()
> {code}
> try {
>     zooKeeperSaslClient = new ZooKeeperSaslClient("zookeeper/" + addr.getHostName());
> }
> {code}
> This may cause problems when an admin wants customized principals like
> zookeeper/[email protected], where clusterid is the cluster identifier but
> not the host name.
> IMO, the server principal should also be configurable, as Hadoop is doing.
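The resolution order discussed in this thread, as an added example that is not part of the original message and is not ZooKeeper's own code: a configured `zookeeper.server.principal` wins, otherwise the principal is derived from the host name. The class name, the host names, the `zookeeper.sasl.client.username` fallback with its `zookeeper` default, and the constructed KDC entry `zookeeper/clusterid` (realm omitted) are assumptions made for illustration.

```java
import java.util.List;
import java.util.Properties;
import java.util.Set;

public class ServerPrincipalDemo {
    // Property name taken from the issue text.
    static final String SERVER_PRINCIPAL = "zookeeper.server.principal";
    // Assumption: user-name part used when the principal is derived from the host.
    static final String SASL_USERNAME = "zookeeper.sasl.client.username";

    /** Configured principal wins; otherwise fall back to "<username>/<host>". */
    static String resolve(Properties cfg, String hostName) {
        String configured = cfg.getProperty(SERVER_PRINCIPAL);
        if (configured != null) {
            return configured;
        }
        return cfg.getProperty(SASL_USERNAME, "zookeeper") + "/" + hostName;
    }

    public static void main(String[] args) {
        // Constructed sample data: the KDC holds one shared service principal
        // named after the cluster, not after any host.
        Set<String> kdc = Set.of("zookeeper/clusterid");
        List<String> ensemble =
            List.of("zk1.example.com", "zk2.example.com", "zk3.example.com");

        // Behaviour described in the issue: nothing configured, host name only.
        Properties derivedOnly = new Properties();
        // Behaviour with the principal set explicitly on the client.
        Properties configured = new Properties();
        configured.setProperty(SERVER_PRINCIPAL, "zookeeper/clusterid");

        for (String host : ensemble) {
            String before = resolve(derivedOnly, host);
            String after = resolve(configured, host);
            // A principal missing from the KDC means no service ticket can be
            // issued for it, so the SASL handshake with that server fails.
            System.out.printf("%s: derived=%s (in KDC: %b), configured=%s (in KDC: %b)%n",
                host, before, kdc.contains(before), after, kdc.contains(after));
        }
    }
}
```

In both cases the principal comes from client-side state, so the client decides which service identity it requests a ticket for before it talks to the server.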