Posted to user@zookeeper.apache.org by Stevo Slavić <ss...@gmail.com> on 2017/02/01 12:16:54 UTC

Multiple credentials associated with same principal?

Hello Apache ZooKeeper community,

Is it valid in JAAS config file to associate more than one password per
user, and if so, will ZooKeeper server authenticate user correctly if
provided password matches any of the configured ones?

Kind regards,
Stevo Slavic.

Re: Multiple credentials associated with same principal?

Posted by Stevo Slavić <ss...@gmail.com>.
Hello Patrick,

Thanks for reply! That feature would be appreciated, but it's not what I
had in mind, it would not be sufficient.

I need a way to change credentials without ZK client or cluster downtime,
ideally with no ACL changes. Option of configuring two valid passwords for
same user would help - then I could along with old password configure new
one, roll ZK cluster with new settings, and then gradually roll out new
credentials to all different clients, later remove old expired password.

In one ZK client app, both zkclient and curator client libraries are being
used to access two different ZK subtrees. I managed to configure each
client to set ACLs appropriate for each subtree, but I couldn't find a way
yet to configure each client with a different user, with sasl scheme. So I had
to fall back to a single user. Still, ACLs are different in the two subtrees.
One subtree allows world to read, and creator all permissions. Other
subtree just allows creator all permissions. It would help with credentials
expiration if I could instead of (creator, all permissions) ACLs, set (any
authenticated user, all permissions) ACL, while still keeping ACL for first
subtree that world can read it. If it was possible, I'd expire not only
password but replace it with new user, and no changes to ACLs would be
needed.

Thinking again, even if it was possible to set such ACL (any authenticated
user, all permissions) in ZK nodes, it wouldn't help me now, since I cannot
configure it to all clients managing nodes in subtree, some have ACLs that
they set hardcoded, would have to fork large OSS project which is not
really an option, and making ACL configurable in that OSS project would
take some time.

Kind regards,
Stevo Slavic.



On Thu, Feb 2, 2017 at 4:39 PM, Patrick Hunt <ph...@apache.org> wrote:

> Hi Stevo, you might be talking about one of the following variants? (see
> the jiras linked to from this jira)
> https://issues.apache.org/jira/browse/ZOOKEEPER-1634
>
> Patrick
>
> On Thu, Feb 2, 2017 at 4:38 AM, Stevo Slavić <ss...@gmail.com> wrote:
>
> > Alternatively, is it possible to set ACL that would grant given permissions
> > to any successfully authenticated user?
> >
> > On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ss...@gmail.com> wrote:
> >
> > > Hello Apache ZooKeeper community,
> > >
> > > Is it valid in JAAS config file to associate more than one password per
> > > user, and if so, will ZooKeeper server authenticate user correctly if
> > > provided password matches any of the configured ones?
> > >
> > > Kind regards,
> > > Stevo Slavic.
> > >
> >
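Added example (Python; not code from this thread or from the ZooKeeper project): the dual-credential rotation described in the message above can be simulated for ZooKeeper's `digest` ACL scheme, which is a different scheme from the `sasl` one the thread is using. In the digest scheme a znode's ACL is a list of (scheme, id, perms) entries, and the id of a digest entry is `user:base64(SHA-1("user:password"))`, the value ZooKeeper's DigestAuthenticationProvider.generateDigest produces. Because the ACL is a list, the old and the new credential can sit in it side by side while clients are rolled, and the old entry is dropped afterwards. The user name, passwords and subtree roles below are made up for the demo.

```python
"""Simulate ZooKeeper's ``digest`` ACL scheme during a credential rotation.

Added example, not code from the thread or from ZooKeeper itself. It
re-implements two small pieces of ZooKeeper behaviour in Python:

  * DigestAuthenticationProvider.generateDigest: "user:password" ->
    "user:" + base64(SHA-1("user:password")), which is the id a session
    carries after addAuthInfo("digest", "user:password");
  * ACL evaluation: "world:anyone" matches every session, a "digest"
    entry matches only a session whose id is exactly equal, and perms
    are the ZooDefs.Perms bitmask.

Credentials and node roles are constructed for the demo.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# ZooDefs.Perms bit values
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN  # 31


def generate_digest(id_password: str) -> str:
    """Digest-scheme ACL id for a "user:password" string.

    ZooKeeper hashes the bytes in the platform default charset; UTF-8 is
    used here, which is identical for ASCII credentials.
    """
    user, _sep, _pw = id_password.partition(":")
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


@dataclass(frozen=True)
class Acl:
    scheme: str  # "world" or "digest"
    id: str      # "anyone" or "user:base64digest"
    perms: int


def authenticate(scheme: str, auth: str) -> Optional[str]:
    """Session id resulting from addAuthInfo(scheme, auth); None if none."""
    if scheme == "digest" and ":" in auth:
        return generate_digest(auth)
    return None  # unauthenticated session: only world:anyone can match


def permitted(acl: List[Acl], session_id: Optional[str], perm: int) -> bool:
    """True if any ACL entry grants ``perm`` to this session."""
    for entry in acl:
        if not (entry.perms & perm):
            continue
        if entry.scheme == "world" and entry.id == "anyone":
            return True
        if entry.scheme == "digest" and session_id is not None \
                and entry.id == session_id:
            return True
    return False


def rotation_acl(old_cred: str, new_cred: str, world_read: bool) -> List[Acl]:
    """ACL that accepts both credentials while clients are being rolled."""
    acl = [Acl("digest", generate_digest(old_cred), ALL),
           Acl("digest", generate_digest(new_cred), ALL)]
    if world_read:
        acl.append(Acl("world", "anyone", READ))
    return acl


def demo() -> dict:
    # Constructed credentials; "svc" stands for the single shared user.
    old_cred, new_cred = "svc:oldpass", "svc:newpass"
    public_tree = rotation_acl(old_cred, new_cred, world_read=True)
    private_tree = rotation_acl(old_cred, new_cred, world_read=False)
    old_sess = authenticate("digest", old_cred)
    new_sess = authenticate("digest", new_cred)
    anon = authenticate("digest", "")  # client that never authenticated
    # Once every client uses new_cred, the old id is removed from the ACL.
    after = [a for a in private_tree if a.id != generate_digest(old_cred)]
    return {
        "old_writes_during_rotation": permitted(private_tree, old_sess, WRITE),
        "new_writes_during_rotation": permitted(private_tree, new_sess, WRITE),
        "anon_reads_public": permitted(public_tree, anon, READ),
        "anon_reads_private": permitted(private_tree, anon, READ),
        "old_writes_after_rotation": permitted(after, old_sess, WRITE),
        "new_writes_after_rotation": permitted(after, new_sess, WRITE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trade-off is the one the thread runs into: because the digest id is derived from the password, rotating a credential means editing the ACL of every affected znode, which clients that set hardcoded ACLs prevent. The `digest` scheme also sends `user:password` to the server in clear in the auth packet, so it belongs on a TLS-protected client connection.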

Re: Multiple credentials associated with same principal?

Posted by Patrick Hunt <ph...@apache.org>.
Hi Stevo, you might be talking about one of the following variants? (see
the jiras linked to from this jira)
https://issues.apache.org/jira/browse/ZOOKEEPER-1634

Patrick

On Thu, Feb 2, 2017 at 4:38 AM, Stevo Slavić <ss...@gmail.com> wrote:

> Alternatively, is it possible to set ACL that would grant given permissions
> to any successfully authenticated user?
>
> On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ss...@gmail.com> wrote:
>
> > Hello Apache ZooKeeper community,
> >
> > Is it valid in JAAS config file to associate more than one password per
> > user, and if so, will ZooKeeper server authenticate user correctly if
> > provided password matches any of the configured ones?
> >
> > Kind regards,
> > Stevo Slavic.
> >
>

Re: Multiple credentials associated with same principal?

Posted by Patrick Hunt <ph...@apache.org>.
On Tue, Feb 14, 2017 at 7:41 AM, Stevo Slavić <ss...@gmail.com> wrote:

> Is this natively supported by ZooKeeper or does this require some
> customization?
>
>
Hi Stevo, I've never heard of anyone taking this approach, and I don't
believe it is possible today.

Regards,

Patrick


> On Thu, Feb 2, 2017 at 7:06 PM, Martin Gainty <mg...@hotmail.com> wrote:
>
> >
> > Stevo-
> > ------------------------------
> > *From:* Stevo Slavić <ss...@gmail.com>
> > *Sent:* Thursday, February 2, 2017 7:38 AM
> > *To:* user@zookeeper.apache.org
> > *Subject:* Re: Multiple credentials associated with same principal?
> >
> > Alternatively, is it possible to set ACL that would grant given
> permissions
> > to any successfully authenticated user?
> >
> > MG>acl group should match subject=GroupOfPeople
> >
> > MG>ZooKeeperServer:
> > MG>best to configure each ACL on server for Group where
> > MG>ServerGroupACL=JAASSubject
> > MG>e.g. GroupACL=JAASSubject=EmergencyRoomNurses
> >
> > MG>ZooKeeperClient:
> > MG>since there can be multiple principals per subject
> > MG>each Principal would represent an individual within the group
> > MG>e.g. JAASPrincipal=NurseCratchett
> >
> >
> > On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ss...@gmail.com> wrote:
> >
> > > Hello Apache ZooKeeper community,
> > >
> > > Is it valid in JAAS config file to associate more than one password per
> > > user, and if so, will ZooKeeper server authenticate user correctly if
> > > provided password matches any of the configured ones?
> > >
> > > Kind regards,
> > > Stevo Slavic.
> > >
> >
>

Re: Multiple credentials associated with same principal?

Posted by Stevo Slavić <ss...@gmail.com>.
Is this natively supported by ZooKeeper or does this require some
customization?

On Thu, Feb 2, 2017 at 7:06 PM, Martin Gainty <mg...@hotmail.com> wrote:

>
> Stevo-
> ------------------------------
> *From:* Stevo Slavić <ss...@gmail.com>
> *Sent:* Thursday, February 2, 2017 7:38 AM
> *To:* user@zookeeper.apache.org
> *Subject:* Re: Multiple credentials associated with same principal?
>
> Alternatively, is it possible to set ACL that would grant given permissions
> to any successfully authenticated user?
>
> MG>acl group should match subject=GroupOfPeople
>
> MG>ZooKeeperServer:
> MG>best to configure each ACL on server for Group where
> MG>ServerGroupACL=JAASSubject
> MG>e.g. GroupACL=JAASSubject=EmergencyRoomNurses
>
> MG>ZooKeeperClient:
> MG>since there can be multiple principals per subject
> MG>each Principal would represent an individual within the group
> MG>e.g. JAASPrincipal=NurseCratchett
>
>
> On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ss...@gmail.com> wrote:
>
> > Hello Apache ZooKeeper community,
> >
> > Is it valid in JAAS config file to associate more than one password per
> > user, and if so, will ZooKeeper server authenticate user correctly if
> > provided password matches any of the configured ones?
> >
> > Kind regards,
> > Stevo Slavic.
> >
>

Re: Multiple credentials associated with same principal?

Posted by Stevo Slavić <ss...@gmail.com>.
Alternatively, is it possible to set ACL that would grant given permissions
to any successfully authenticated user?

On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ss...@gmail.com> wrote:

> Hello Apache ZooKeeper community,
>
> Is it valid in JAAS config file to associate more than one password per
> user, and if so, will ZooKeeper server authenticate user correctly if
> provided password matches any of the configured ones?
>
> Kind regards,
> Stevo Slavic.
>