[ https://issues.apache.org/jira/browse/ZOOKEEPER-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779049#comment-17779049 ]
xiaotong.wang commented on ZOOKEEPER-4753:
------------------------------------------

[~ztzg] we need to verify the server host when we use SASL/Kerberos; it's better to verify whether the current authentication is Kerberos or not, but now we check it with isDigestAuthn and use entry.getLoginModuleName().equals(DigestLoginModule.class.getName()).

We rewrote DigestLoginModule to make sure user passwords are stored encrypted; our new DigestLoginModule requires user_hd=encode("testpwd"). It will be incompatible when we upgrade.

Is there a better way to fix this issue?

> Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
> --------------------------------------------------------
>
> Key: ZOOKEEPER-4753
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4753
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.9.0
> Reporter: Damien Diederen
> Assignee: Damien Diederen
> Priority: Major
> Fix For: 3.7.2, 3.8.3, 3.9.1
>
>
> The SASL-based quorum authorizer does not explicitly distinguish between the
> DIGEST-MD5 and GSSAPI mechanisms: it is simply relying on {{NameCallback}}
> and {{PasswordCallback}} for authentication with the former and examining
> Kerberos principals in {{AuthorizeCallback}} for the latter.
>
> It turns out that some SASL/DIGEST-MD5 configurations cause authentication
> and authorization IDs not to match the expected format, and the
> DIGEST-MD5-based portions of the quorum test suite to fail with obscure
> errors. (They can be traced to failures to join the quorum, but only by
> looking into detailed logs.)
>
> We can use the login module name to determine whether DIGEST-MD5 or GSSAPI is
> used, and relax the authentication ID check for the former. As a cleanup, we
> can keep the password-based credential map empty when Kerberos principals are
> expected. Finally, we can adapt tests to ensure "weirdly-shaped" credentials
> only cause authentication failures in the GSSAPI case.
-- This message was sent by Atlassian Jira (v8.20.10#820010)
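The dispatch described in the issue (pick the SASL mechanism from the JAAS login module name, relax the authentication-ID check for DIGEST-MD5, keep the credential map empty under GSSAPI), together with the alternative the commenter raises (test for the Kerberos module instead of for one specific DigestLoginModule class), as an added, self-contained example. This is not ZooKeeper's QuorumServerCallbackHandler; the class QuorumMechanismExample, the helpers mechanismOf and isServicePrincipal, and the sample JAAS options and principals are constructed for illustration. The module class names DigestLoginModule (ZooKeeper) and Krb5LoginModule (JDK) are real.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.sasl.AuthorizeCallback;

/** Hypothetical quorum-side SASL callback handler; not ZooKeeper's own class. */
public class QuorumMechanismExample implements CallbackHandler {

    // Real fully-qualified names: ZooKeeper's DigestLoginModule and the JDK's Krb5LoginModule.
    static final String DIGEST_MODULE = "org.apache.zookeeper.server.auth.DigestLoginModule";
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    enum Mechanism { DIGEST_MD5, GSSAPI }

    /**
     * Classify the login context. Checking for the Kerberos module (instead of for one
     * specific DigestLoginModule class) means a site that replaces DigestLoginModule with
     * its own encrypted-password variant is still treated as DIGEST-MD5.
     */
    static Mechanism mechanismOf(AppConfigurationEntry[] entries) {
        if (entries == null) throw new IllegalStateException("no JAAS entries for quorum login context");
        for (AppConfigurationEntry e : entries) {
            if (KRB5_MODULE.equals(e.getLoginModuleName())) return Mechanism.GSSAPI;
        }
        return Mechanism.DIGEST_MD5;
    }

    private final Mechanism mechanism;
    // user -> password; deliberately left empty under GSSAPI (the issue's cleanup)
    private final Map<String, String> credentials = new HashMap<>();

    QuorumMechanismExample(AppConfigurationEntry[] entries) {
        this.mechanism = mechanismOf(entries);
        if (mechanism == Mechanism.DIGEST_MD5) {
            // user_<name>=<password> JAAS options, as ZooKeeper's DIGEST config uses them
            for (AppConfigurationEntry e : entries) {
                for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                    if (opt.getKey().startsWith("user_")) {
                        credentials.put(opt.getKey().substring(5), String.valueOf(opt.getValue()));
                    }
                }
            }
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        String user = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                user = nc.getDefaultName();       // server-side DIGEST-MD5: the client's username
                nc.setName(user);
            } else if (cb instanceof PasswordCallback) {
                if (mechanism != Mechanism.DIGEST_MD5) {
                    throw new UnsupportedCallbackException(cb, "password callbacks are not expected under GSSAPI");
                }
                String pw = user == null ? null : credentials.get(user);
                if (pw != null) ((PasswordCallback) cb).setPassword(pw.toCharArray());
                // unknown user: password stays unset and DIGEST-MD5 authentication fails
            } else if (cb instanceof AuthorizeCallback) {
                authorize((AuthorizeCallback) cb);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    private void authorize(AuthorizeCallback ac) {
        String authn = ac.getAuthenticationID();
        String authz = ac.getAuthorizationID();
        if (mechanism == Mechanism.DIGEST_MD5) {
            // Relaxed check: some DIGEST-MD5 setups hand back oddly shaped authentication IDs,
            // so only require the authorization ID to be a configured user.
            ac.setAuthorized(credentials.containsKey(authz));
        } else {
            // Strict check: IDs must match and look like a Kerberos service principal.
            // A real deployment would also compare the host part with the expected server
            // (the check the comment asks for); here the shape test stands in for it (assumption).
            ac.setAuthorized(authn != null && authn.equals(authz) && isServicePrincipal(authn));
        }
        if (ac.isAuthorized()) ac.setAuthorizedID(authz);
    }

    /** True for primary/host@REALM shaped principals. */
    static boolean isServicePrincipal(String p) {
        int slash = p.indexOf('/');
        int at = p.indexOf('@');
        return slash > 0 && at > slash + 1 && at < p.length() - 1;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> digestOpts = new HashMap<>();
        digestOpts.put("user_learner", "learner-secret");   // constructed sample credential
        AppConfigurationEntry[] digestCtx = {
            new AppConfigurationEntry(DIGEST_MODULE, LoginModuleControlFlag.REQUIRED, digestOpts) };
        AppConfigurationEntry[] krb5Ctx = {
            new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, Map.of("useKeyTab", "true")) };

        QuorumMechanismExample digest = new QuorumMechanismExample(digestCtx);
        AuthorizeCallback weird = new AuthorizeCallback("learner@somehost.local", "learner"); // weirdly shaped authn ID
        digest.handle(new Callback[] { weird });
        System.out.println("DIGEST-MD5, weird authn ID, known user: " + weird.isAuthorized());

        QuorumMechanismExample krb = new QuorumMechanismExample(krb5Ctx);
        AuthorizeCallback mismatch = new AuthorizeCallback(
            "zkquorum/host1.example.com@EXAMPLE.COM", "zkquorum/host2.example.com@EXAMPLE.COM");
        krb.handle(new Callback[] { mismatch });
        System.out.println("GSSAPI, mismatched IDs: " + mismatch.isAuthorized());
        AuthorizeCallback match = new AuthorizeCallback(
            "zkquorum/host1.example.com@EXAMPLE.COM", "zkquorum/host1.example.com@EXAMPLE.COM");
        krb.handle(new Callback[] { match });
        System.out.println("GSSAPI, matching service principal: " + match.isAuthorized());
    }
}
```

Run with `java QuorumMechanismExample.java` (Java 11+). The first case shows the relaxed DIGEST-MD5 path accepting an authentication ID that does not match the authorization ID; the GSSAPI cases show the strict path rejecting a mismatch and accepting a matching service principal, with the credential map never consulted.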