Hi Botond, I believe the guy who originally implemented this (Rakesh) can give some color to your question, but until that you could dig the original Jira: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 for more information.
Other than that, if you believe that you can either fix the issue or implement it in a better way, your contribution will be highly appreciated and it would be very kind of you to open new Jira and new pull request on GitHub. We can discuss further details there. Thanks, Andor On Mon, Feb 5, 2018 at 7:21 PM, Botond Hejj <botond.h...@morganstanley.com> wrote: > Hi, > > Java 8 introduced the possibility to use * for the principal in treadmill > which is great and would allow us to run treadmill behind multiple > interfaces and SASL would pick the right keytab. > > Unfortunately this doesn't work in ZooKeeper I have dived in the code a bit > and what I have found is that ZooKeeper is using DIGEST-MD5 in that case > even though I don't use the DigestLoginModule. The reason for that is line > 251 here: > https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/ > zookeeper/util/SecurityUtils.java > > It falls back to Digest if the principal list is empty which is the case > when * is specified. > Why is that and why not the login type is checked? > Anyway this can only be fixed in a nonbackward compatible way or with a > flag in a backward compatible way. > > I could prepare a patch. > I would just like to understand the reason behind the implementation. Is > there any particular reason why this fallback is there? What would the > implication if I remove that? If I understand the reason maybe I could > patch it without breaking backward compatibility. > > There is also a comment: TODO: use 'authMech=' value in zoo.cfg. > > Is there any jira or patch for that? > > Regards, > Botond Hejj > Morgan Stanley | Technology > Lechner Odon fasor 8 | Floor 07 > Budapest, 1095 > Phone: +36 1 881-3962 > botond.h...@morganstanley.com >
