Details
-
Bug
-
Status: Patch Available
-
Major
-
Resolution: Unresolved
-
3.4.6
-
None
-
Linux <node_name> 2.6.32-696.6.3.el6.YAHOO.20170712.4.x86_64 #1 SMP Wed Jul 12 01:40:52 UTC 2017 x86_64
-bash-4.1$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)/home/y/libexec/ant/bin/ant -version
Apache Ant(TM) version 1.9.0 compiled on March 5 2013Linux <node_name> 2.6.32-696.6.3.el6.YAHOO.20170712.4.x86_64 #1 SMP Wed Jul 12 01:40:52 UTC 2017 x86_64 -bash-4.1$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.8 (Santiago) java version "1.8.0_25" Java(TM) SE Runtime Environment (build 1.8.0_25-b17) Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode) /home/y/libexec/ant/bin/ant -version Apache Ant(TM) version 1.9.0 compiled on March 5 2013
Description
we have created an authentication provider plugin that can authenticate clients based on the cert that client is presenting. our zookeeper instance has been configured (and started) to authenticate and allow only certain appid's. this works as intended when clients (ours are c-clients) send an auth message via yca_add_auth containing the cert and the authentication provider is configured to allow it.
however, if the clients do not present one (i.e. do not send an auth packet), and if the authentication provider allows only certain appid's, this connection still goes through - i.e. clients are able to connect, create/watch nodes etc.! this is unexpected and does not allow us to prevent certain clients from connecting to a zookeeper quorum (as they can still connect without present any credentials).
it looks like zookeeper will only invoke the auth providers if it receives an auth packet from the client.
none of this block - https://github.com/sriramch/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java#L1060
ever gets executed, and it directly jumps to this
we have a usecase where we only want clients that can present valid credentials to connect to zookeeper (zk).
i was hoping to expose an interface where different auth providers (when they are loaded) would let zk know if they need to authenticate a client before processing other data packets. the default ones (kerberos/ip/digest etc.) would say no to maintain compatibility. our auth provider can be configured to say yes/no (default no) depending on use-case. zk before processing a data packet can look at the auth info in the server connection to see the schemes that requires authentication and have successfully authenticated. connection will succeed if all schemes that require authentication have successfully authenticated; else, we disable receive.
can someone please look into this issue and evaluate the proposal? i can work on creating a pr for this.
Attachments
Issue Links
- is cloned by
-
ZOOKEEPER-4335 CLONE - zookeeper issues with handling authentication...
- Open
- links to