Posted to dev@zookeeper.apache.org by "Eugene Koontz (JIRA)" <ji...@apache.org> on 2015/04/08 03:44:12 UTC

[jira] [Commented] (ZOOKEEPER-2159) Pluggable SASL Authentication

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14484531#comment-14484531 ] 

Eugene Koontz commented on ZOOKEEPER-2159:
------------------------------------------

Good document. I like the idea of negotiation of authentication method. However, one thing to keep in mind is that currently there is only a single Access Control Qualifier, "sasl". That is, for the purposes of authorization, all "sasl"s are equivalent, so if a user can log in with a weak authentication method, they can do anything they could if they had authenticated with a stronger one. Then there is no point in having stronger methods configured, since users are able to authenticate with the weakest. This consideration might imply that we should have configuration options to make SASL authorization more fine-grained, so that instead of a node having an ACL like:

sasl:hbase:/hbase:cwrda
(read as: <authentication method>:<user>:<zk node>:<permissions>)

it would have something like:

sasl<krb5>:hbase:/hbase:cwrda

or:

sasl<digest-md5>:hbase:/hbase:cwrda



> Pluggable SASL Authentication
> -----------------------------
>
>                 Key: ZOOKEEPER-2159
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2159
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: java client, server
>            Reporter: Yuliya Feldman
>            Assignee: Yuliya Feldman
>         Attachments: PluggableZookeeperAuthentication (1).pdf, PluggableZookeeperAuthentication.pdf
>
>
> Today SASLAuthenticationProvider is used for all SASL based authentications which creates some "if/else" statements in ZookeeperSaslClient and ZookeeperSaslServer code with just Kerberos and Digest.
> We want to use yet another different SASL based authentication and adding one more "if/else" with some code specific just to that new way does not make much sense.
> The proposal is to allow plugging in custom SASL authentication mechanism(s) without further changes in ZooKeeper code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
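A small Python model, added here and not ZooKeeper's own code, of the authorization point raised in the comment above: ACL entries in the comment's `<scheme>:<user>:<zk node>:<permissions>` notation are evaluated once under today's single coarse `sasl` scheme and once under the proposed mechanism-qualified `sasl<krb5>` / `sasl<digest-md5>` scheme. The session mechanism names (`GSSAPI`, `DIGEST-MD5`) and their mapping to the `krb5` / `digest-md5` labels are assumptions made for the example.

```python
# Added example (Python model, not ZooKeeper code): with one coarse "sasl" ACL
# scheme, whichever SASL mechanism is weakest inherits every permission; a
# mechanism-qualified scheme such as "sasl<krb5>" is enforced at the ACL check.
from dataclasses import dataclass

# Assumed mapping from negotiated SASL mechanism names to the labels used in
# the comment's proposed "sasl<...>" scheme (an assumption, not ZooKeeper's).
MECH_LABEL = {"GSSAPI": "krb5", "DIGEST-MD5": "digest-md5"}

@dataclass(frozen=True)
class Session:
    mechanism: str   # SASL mechanism the client actually negotiated
    principal: str   # authenticated identity, e.g. "hbase"

@dataclass(frozen=True)
class Acl:
    scheme: str      # "sasl" (coarse) or "sasl<label>" (mechanism-qualified)
    principal: str
    path: str
    perms: frozenset

def parse_acl(text):
    """Parse the comment's '<scheme>:<user>:<zk node>:<permissions>' form."""
    scheme, principal, path, perms = text.split(":", 3)
    return Acl(scheme, principal, path, frozenset(perms))

def scheme_matches(acl_scheme, session):
    """Coarse 'sasl' accepts any mechanism; 'sasl<x>' requires exactly x."""
    if acl_scheme == "sasl":
        return True
    if acl_scheme.startswith("sasl<") and acl_scheme.endswith(">"):
        return MECH_LABEL.get(session.mechanism) == acl_scheme[5:-1]
    return False

def effective_perms(acls, path, session):
    """Sorted permission letters that matching entries grant this session."""
    granted = set()
    for acl in acls:
        if (acl.path == path and acl.principal == session.principal
                and scheme_matches(acl.scheme, session)):
            granted |= acl.perms
    return "".join(sorted(granted))

# Constructed ACL tables: today's single scheme beside the proposed one.
COARSE = [parse_acl("sasl:hbase:/hbase:cwrda")]
FINE = [parse_acl("sasl<krb5>:hbase:/hbase:cwrda"),
        parse_acl("sasl<digest-md5>:hbase:/hbase:r")]
KRB5 = Session("GSSAPI", "hbase")      # strong mechanism
DIGEST = Session("DIGEST-MD5", "hbase")  # weaker mechanism, same principal
```

Under `COARSE` the DIGEST-MD5 session receives the full `acdrw` set intended for Kerberos logins; under `FINE` the same session is limited to `r` while the GSSAPI session keeps `acdrw`.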