Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: server
    • Labels:
      None

      Description

      This change introduces two new config options to force authorization and authentication:

      1. disableWorldACL
      The purpose of this option is disable the builtin mechanism which authorizes everyone.
      If it is turned on than the world/anyone usage is ignored. ZooKeeper will not check operations based on world/anyone.
      This option is useful to force some kind of authorization mechanism. This restriction is useful in a strictly audited environment.

      2. forceAuthentication
      If this option is turned on than ZooKeeper won't authorize any operation if the user has not authenticated either with SASL or with addAuth.
      There is way to enforce SASL authentication but currently there is no way to enforce authentication using the plugin mechanism. Enforcing authentication for that is more tricky since authentication can come any time later. This option doesn't drop the connection if there was no authentication. It is only throwing NoAuth for any operation until the Auth packet arrives.

        Attachments

        1. ZOOKEEPER-2462.patch
          5 kB
          Botond Hejj
        2. ZOOKEEPER-2462.patch
          6 kB
          Botond Hejj

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                botond.hejj Botond Hejj
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated: