Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/10/15 10:04:34 UTC

[GitHub] [zookeeper] ztzg commented on a change in pull request #1500: ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper authentication enforcement.

ztzg commented on a change in pull request #1500:
URL: https://github.com/apache/zookeeper/pull/1500#discussion_r505406844



##########
File path: zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
##########
@@ -1508,13 +1508,40 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp
     in such case, both Java and C client will close the session with server thereafter,
     without further attempts on retrying to reconnect.
 
+    This configuration is short hand for **enforce.auth.enabled=true** and **enforce.auth.scheme=sasl**
+
     By default, this feature is disabled. Users who would like to opt-in can enable the feature
-    by setting **zookeeper.sessionRequireClientSASLAuth** to **true**.
+    by setting **sessionRequireClientSASLAuth** to **true**.
 
     This feature overrules the <emphasis role="bold">zookeeper.allowSaslFailedClients</emphasis> option, so even if server is
     configured to allow clients that fail SASL authentication to login, client will not be able to
     establish a session with server if this feature is enabled.
 
+* *enforce.auth.enabled* :
+    (Java system property : **zookeeper.enforce.auth.enabled**)
+    **New in 3.7.0:**
+    When set to **true**, ZooKeeper server will only accept connections and requests from clients
+    that have authenticated with server via configured auth scheme. Authentication scheme
+    can be configured using property enforce.auth.scheme. Clients that are not
+    configured with the auth scheme configured at server or configured but failed authentication (i.e. with invalid credential)
+    will not be able to establish a session with server. A typed error code (-124) will be delivered
+    in such case, both Java and C client will close the session with server thereafter,
+    without further attempts on retrying to reconnect.
+
+    By default, this feature is disabled. Users who would like to opt-in can enable the feature
+    by setting **enforce.auth.enabled** to **true**.
+
+    When **enforce.auth.enabled=true** and **enforce.auth.scheme=sasl** then <emphasis role="bold">zookeeper.allowSaslFailedClients</emphasis> configuration is overruled. So even if server is
+    configured to allow clients that fail SASL authentication to login, client will not be able to
+    establish a session with server if this feature is enabled.
+
+* *enforce.auth.scheme* :
+    (Java system property : **zookeeper.enforce.auth.scheme**)
+    **New in 3.7.0:**
+    Specifies the authentication scheme with which all clients must get authenticated before doing
+    any zookeeper operations. This property is used only when **enforce.auth.enabled** is to
+    **true**.
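Review bot: The last sentence of the new `enforce.auth.scheme` entry is missing a word: "This property is used only when **enforce.auth.enabled** is to **true**." should read "is set to **true**". The same entry also never states which values are accepted or what the default is when `enforce.auth.enabled=true` is set without a scheme; one sentence listing the valid values (at least `sasl`, which the `sessionRequireClientSASLAuth` shorthand above maps to) and the default would spare operators a trip to the source. Minor: "short hand" in the sentence added under `sessionRequireClientSASLAuth` should be "shorthand", and the `enforce.auth.enabled` paragraph copies the comma splice from the SASL entry ("will be delivered in such case, both Java and C client will close the session ..."), which reads better as two sentences.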

Review comment:
+1 on the functionality, but how about allowing multiple schemes here? (We actually have a case where we use `sasl` *and* a custom provider.)

We could have `enforce.auth.scheme.1`, etc. (syntax suggested by @eolivelli on https://github.com/apache/zookeeper/pull/1503#discussion_r505238251; `authProvider` is a precedent).




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org