Details
-
Type:
New Feature
-
Status: In Progress
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
Description
Hopefully this would leverage the SASL server-side support provided by ZOOKEEPER-938. It would be similar to the Java SASL client support also provided in ZOOKEEPER-938.
Java has built-in SASL support, but I'm not sure what C libraries are available for SASL and if so, are they compatible with the Apache license.
Issue Links
- is blocked by
-
ZOOKEEPER-938
Support Kerberos authentication of clients.
-
- Closed
-
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
I added SASL authentication to the c client lib that works with libkrb5 on Ubuntu Maverick (requires libkrb5-dev to compile).
This my first c project, so its obviously far from perfect or complete.
- lacks multi-platform support
- only tested with MIT Kerberos
- servicename hardcoded to "zookeeper" in cli.c
- what about licensing implications?
It works for me, so if you'd like to give it a try see https://github.com/kloni/zookeeper/commit/e2409bc441962a35fad1e277f95ded436431045b
Hi Tom,
Thanks for announcing this! Your tag compiles for me and test-cppunit succeeds. I wonder if your next step might be to write a unit test or two to show this functionality, like SaslAuthTest and SaslAuthFailTest:
https://github.com/apache/zookeeper/blob/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthTest.java
https://github.com/apache/zookeeper/blob/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthFailTest.java
but in C instead of Java ?
Hopefully, as with the Java tests, you could use DIGEST-MD5 rather than GSSAPI for the mechanism to avoid the need for a Kerberos setup.
-Eugene
I changed the code to actually use SASL instead of GSSAPI. It now supports DIGEST-MD5 und GSSAPI (and virtually any mech SASL supports). cli_mt works with GSSAPI, cli_st with DIGEST-MD5 and GSSAPI
Example: cli_st -u super -h zk-sasl-md5 -m DIGEST-MD5 ubook:2181
- requires libsasl2 and modules
- introduces -I/usr/include - breaks portability
- no tests yet
- client options have changed - see usage
Next will be adding tests and providing a patch. It'd be great if someone reviews this and takes care of the portability (compiler flag --with-sasl?).
Patch for trunk (unnecessary include flag removed)
- zookeeper
- zoo_(a)sasl(*zh, *conn, *data, len, cptr)
- zk_sasl
- zoo_sasl_init(*callbacks)
- zoo_sasl_connect(*zh, *servicename, *host, **conn, **supportedmechs, *mechcount)
- zoo_(a)sasl_authenticate(*zh, *conn, *mech, *supportedmechs)
Can somebody help to create test cases for this (i.e. setting up a digest-md5 enabled zookeeper instance)?
Nearly there 
This latest patch includes
- detection of libsasl2
- configure option --with-sasl (default: on)
- compiler flag SASL
- a simple test for DIGEST-MD5 authentication
Hi Tom,
It's great to see this going on! I would like to help with the tests. May I suggest you make a reviewboard entry for your patch? If you haven't used reviewboard before, you need to create a login and choose "zookeeper-git" for the repository.
-Eugene
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2252/
-----------------------------------------------------------
(Updated 2011-10-06 19:10:21.800060)
Review request for zookeeper, Eugene Koontz and Tom Klonikowski.
Summary
-------
It now supports DIGEST-MD5 and GSSAPI (and virtually any mech SASL supports). cli_mt works with GSSAPI, cli_st with DIGEST-MD5 and GSSAPI
Example: cli_st -u super -h zk-sasl-md5 -m DIGEST-MD5 localhost:2181
cli_mt -M GSSAPI localhost:2181
- requires libsasl2 and plugins
- zookeeper
o zoo_(a)sasl(*zh, *conn, *data, len, cptr) - zk_sasl
o zoo_sasl_init(*callbacks)
o zoo_sasl_connect(*zh, *servicename, *host, **conn, **supportedmechs, *mechcount)
o zoo_(a)sasl_authenticate(*zh, *conn, *mech, *supportedmechs)
This latest patch includes
- detection of libsasl2
- configure option --with-sasl (default: on)
- compiler flag SASL
- a simple test for DIGEST-MD5 authentication
This addresses bug ZOOKEEPER-1112.
https://issues.apache.org/jira/browse/ZOOKEEPER-1112
Diffs
src/c/src/zk_adaptor.h 6aed38f
src/c/src/zk_sasl.h PRE-CREATION
src/c/src/zk_sasl.c PRE-CREATION
src/c/src/cli.c c9fe4dd
src/c/Makefile.am dbf4080
src/c/configure.ac 4e1a8d5
src/c/include/proto.h bce408e
src/c/include/zookeeper.h 7d1066a
src/c/src/zookeeper.c 64d7a4d
src/c/tests/TestClient.cc 2d45cec
src/c/tests/jaas.digest.server.conf PRE-CREATION
src/c/tests/zkServer.sh 0af80f8
src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java 0ca18dc
Diff: https://reviews.apache.org/r/2252/diff
Testing
-------
Thanks,
Tom
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2252/
-----------------------------------------------------------
(Updated 2011-10-06 19:09:56.213145)
Review request for zookeeper and Eugene Koontz.
Summary
-------
It now supports DIGEST-MD5 and GSSAPI (and virtually any mech SASL supports). cli_mt works with GSSAPI, cli_st with DIGEST-MD5 and GSSAPI
Example: cli_st -u super -h zk-sasl-md5 -m DIGEST-MD5 localhost:2181
cli_mt -M GSSAPI localhost:2181
- requires libsasl2 and plugins
- zookeeper
o zoo_(a)sasl(*zh, *conn, *data, len, cptr) - zk_sasl
o zoo_sasl_init(*callbacks)
o zoo_sasl_connect(*zh, *servicename, *host, **conn, **supportedmechs, *mechcount)
o zoo_(a)sasl_authenticate(*zh, *conn, *mech, *supportedmechs)
This latest patch includes
- detection of libsasl2
- configure option --with-sasl (default: on)
- compiler flag SASL
- a simple test for DIGEST-MD5 authentication
This addresses bug ZOOKEEPER-1112.
https://issues.apache.org/jira/browse/ZOOKEEPER-1112
Diffs
src/c/src/zk_adaptor.h 6aed38f
src/c/src/zk_sasl.h PRE-CREATION
src/c/src/zk_sasl.c PRE-CREATION
src/c/src/cli.c c9fe4dd
src/c/Makefile.am dbf4080
src/c/configure.ac 4e1a8d5
src/c/include/proto.h bce408e
src/c/include/zookeeper.h 7d1066a
src/c/src/zookeeper.c 64d7a4d
src/c/tests/TestClient.cc 2d45cec
src/c/tests/jaas.digest.server.conf PRE-CREATION
src/c/tests/zkServer.sh 0af80f8
src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java 0ca18dc
Diff: https://reviews.apache.org/r/2252/diff
Testing
-------
Thanks,
Tom
Hi Eugene,
looking at the review i feel like it might be a good idea to split this patch into smaller parts to make it easier to review.
- zooapi extension (proto.h, zk_adaptor.h, zookeeper.c, zookeeper.h)
- build (Makefile.am, configure.ac)
- sasl addon (zk_sasl.c, zk_sasl.h)
- test (TestClient.cc, zkServer.sh, jaas.digest.server.conf)
- server (ZooKeeperSaslServer.java)
- cli (cli.c)
Contents of this patch:
- ZOOAPI extension for sending sasl requests and receiving responses (zoo_sasl)
- SASL addon that plugs into this functions (zk_sasl)
- build with libsasl2 if availabe and requested
- sasl authentication hacked into cli
Very glad to see this! Will take a look at the patch sometime this week!
Further improvements and splitted patch into (consecutive) work items
Patch 1:
- implements sasl operations
- extended tests/zkServer.sh to start a digest-md5 enabled server
- simple test that checks the initial digest-md5 response
No external requirements yet, but you can already let your own sasl implementation/library communicate with a (sasl-enabled) zookeeper via zoo_(a)sasl function.
Or you can additionally use
Patch 2:
- provides a simple api for sasl authentication (zoo_sasl_init, zoo_sasl_connect, zoo_sasl_authenticate)
- requires libsasl2 (and plugins)
- autoconf/make configuration
- test for digest-md5 authentication
- extended configuration for digest-md5 sasl server required by sasl2
Patch 3:
- includes a sasl-enabled cli as additional make artifacts
When using the test configuration as in src/c/tests/jaas.digest.server.conf you can login via:
cli_sasl_st -u super -h zk-sasl-md5 -m DIGEST-MD5 hostlist
and password 'test'.
If you set up Kerberos 5 on the server side and have a valid ticket its just:
cli_sasl_st -m GSSAPI hostlist
This patches deprecate the earlier single patch.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2252/
-----------------------------------------------------------
(Updated 2011-10-07 18:58:28.724545)
Review request for zookeeper, Eugene Koontz, Mahadev Konar, and Tom Klonikowski.
Changes
-------
Replaced with the recent patch (#1 of 3)
Summary (updated)
-------
This first patch implements the zookeeper sasl operations, extends the zkServer.sh test script with the ability to start a sasl enabled server and adds a test that checks the initial DIGEST-MD5 response.
It introduces no external requirements but provides zoo_sasl/zoo_asasl functions that allow applications (or the addon from patch #2) to communicate with the sasl server backend.
Patch #2 will add a simple api for sasl authentication, patch #3 includes a sasl enabled command line client.
This addresses bug ZOOKEEPER-1112.
https://issues.apache.org/jira/browse/ZOOKEEPER-1112
Diffs (updated)
src/c/include/proto.h bce408e
src/c/include/zookeeper.h 7d1066a
src/c/src/zk_adaptor.h 6aed38f
src/c/src/zookeeper.c 64d7a4d
src/c/tests/TestClient.cc 2d45cec
src/c/tests/jaas.digest.server.conf e69de29
src/c/tests/zkServer.sh 0af80f8
Diff: https://reviews.apache.org/r/2252/diff
Testing
-------
Thanks,
Tom
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2252/#review2438
-----------------------------------------------------------
src/c/include/zookeeper.h
<https://reviews.apache.org/r/2252/#comment5542>
I'm gonna replace the callback with two out parameters here.
- Tom
On 2011-10-07 18:58:28, Tom Klonikowski wrote:
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
-----------------------------------------------------------
(Updated 2011-10-07 18:58:28)
Review request for zookeeper, Eugene Koontz, Mahadev Konar, and Tom Klonikowski.
Summary
-------
This first patch implements the zookeeper sasl operations, extends the zkServer.sh test script with the ability to start a sasl enabled server and adds a test that checks the initial DIGEST-MD5 response.
It introduces no external requirements but provides zoo_sasl/zoo_asasl functions that allow applications (or the addon from patch #2) to communicate with the sasl server backend.
Patch #2 will add a simple api for sasl authentication, patch #3 includes a sasl enabled command line client.
This addresses bug ZOOKEEPER-1112.
Diffs
-----
src/c/include/proto.h bce408e
src/c/include/zookeeper.h 7d1066a
src/c/src/zk_adaptor.h 6aed38f
src/c/src/zookeeper.c 64d7a4d
src/c/tests/TestClient.cc 2d45cec
src/c/tests/jaas.digest.server.conf e69de29
src/c/tests/zkServer.sh 0af80f8
Testing
-------
Thanks,
Tom
Updated patches with simpler synchronous sasl function and a little more testing.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2252/
-----------------------------------------------------------
(Updated 2011-10-09 16:30:25.396109)
Review request for zookeeper, Eugene Koontz, Mahadev Konar, and Tom Klonikowski.
Changes
-------
Updated patches with simpler synchronous sasl function and a little more testing
Summary
-------
This first patch implements the zookeeper sasl operations, extends the zkServer.sh test script with the ability to start a sasl enabled server and adds a test that checks the initial DIGEST-MD5 response.
It introduces no external requirements but provides zoo_sasl/zoo_asasl functions that allow applications (or the addon from patch #2) to communicate with the sasl server backend.
Patch #2 will add a simple api for sasl authentication, patch #3 includes a sasl enabled command line client.
This addresses bug ZOOKEEPER-1112.
https://issues.apache.org/jira/browse/ZOOKEEPER-1112
Diffs (updated)
src/c/include/proto.h bce408e
src/c/include/zookeeper.h 7d1066a
src/c/src/zk_adaptor.h 6aed38f
src/c/src/zookeeper.c 64d7a4d
src/c/tests/TestClient.cc 2d45cec
src/c/tests/jaas.digest.server.conf e69de29
src/c/tests/zkServer.sh 0af80f8
Diff: https://reviews.apache.org/r/2252/diff
Testing
-------
Thanks,
Tom
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2315/
-----------------------------------------------------------
Review request for zookeeper.
Summary
-------
2nd patch
- provides a simple api for sasl authentication (zoo_sasl_init, zoo_sasl_connect, zoo_sasl_authenticate)
- requires libsasl2 (and plugins)
- autoconf/make configuration
- test for digest-md5 authentication
- extended configuration for digest-md5 sasl server required by sasl2
This addresses bug ZOOKEEPER-1112.
https://issues.apache.org/jira/browse/ZOOKEEPER-1112
Diffs
src/c/Makefile.am dbf4080
src/c/configure.ac 4e1a8d5
src/c/include/zookeeper_sasl.h e69de29
src/c/src/zk_sasl.c e69de29
src/c/tests/TestClient.cc 2d45cec
src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java 0ca18dc
Diff: https://reviews.apache.org/r/2315/diff
Testing
-------
Thanks,
Tom
Maybe part #2 (sasl auth implementation via cyrus sasl) and #3 (cli using #2) should be moved to the recipes section (recipes/sasl). What do you think?
do we want this for 3.5.0? any takers on rebasing it?
do we want this for 3.5.0? any takers on rebasing it?
Apache Web Server has a module for authenticate sasl using Cyrus SASL library. I think the license should be compatible with written agreement from CMU.