[jira] [Commented] (ZOOKEEPER-4753) Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

Tue, 24 Oct 2023 05:13:00 -0700 


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779049#comment-17779049
 ] 

xiaotong.wang commented on ZOOKEEPER-4753:
------------------------------------------

[~ztzg]  we need verify the server host when we use SASL/Kerberos,it's better 
to verify if current authentication is Kerberos or not , but now we check it 
with isDigestAuthn  and use  
entry.getLoginModuleName().equals(DigestLoginModule.class.getName()) 

we rewrite DigestLoginModule to make sure user paasword are storage with 
encrypted 
our new DigestLoginModule  required
user_hd=encode("testpwd")  
 
it will incompatible when we upgrade 
 
Is there a better way to fix this issue
 

> Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
> --------------------------------------------------------
>
>                 Key: ZOOKEEPER-4753
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.9.0
>            Reporter: Damien Diederen
>            Assignee: Damien Diederen
>            Priority: Major
>             Fix For: 3.7.2, 3.8.3, 3.9.1
>
>
> The SASL-based quorum authorizer does not explicitly distinguish between the 
> DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}} 
> and {{PasswordCallback}} for authentication with the former and examining 
> Kerberos principals in {{AuthorizeCallback}} for the latter.
> It turns out that some SASL/DIGEST-MD5 configurations cause authentication 
> and authorization IDs not to match the expected format, and the 
> DIGEST-MD5-based portions of the quorum test suite to fail with obscure 
> errors. (They can be traced to failures to join the quorum, but only by 
> looking into detailed logs.)
> We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is 
> used, and relax the authentication ID check for the former.  As a cleanup, we 
> can keep the password-based credential map empty when Kerberos principals are 
> expected.  Finally, we can adapt tests to ensure "weirdly-shaped" credentials 
> only cause authentication failures in the GSSAPI case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to