We would like to add support for multiple SASL-authenticated super users to ZooKeeper.
There is currently a zookeeper.superUser property, documented as:
When this parameter is set to a [SASL] principal name, only an authenticated client with that principal will be able to bypass ACL checking and have full privileges to all znodes.
Connections whose authenticated ID matches that property receive super powers through somewhat "hardcoded" logic (a plain string equality check) that admits only a single principal name.
Our goals could simply be achieved by promoting the equality comparison to a set membership test, and either:
- defining a new zookeeper.superUsers property holding a comma-separated list of principal names, or
- overloading zookeeper.superUser, parsing it as a comma-separated list.
Another possibility, more complex but also more flexible, would be to implement the solution suggested in this SASLAuthenticationProvider comment:
TODO: consider substituting current implementation of direct ClientCnxn manipulation with a call to this method (SASLAuthenticationProvider:handleAuthentication()) at session initiation.
This would allow plugging arbitrary subclasses of SASLAuthenticationProvider (or, possibly, implementations of a new, ad-hoc interface) carrying custom logic.
Of course, these solutions are not exclusive: it would be possible to first implement the zookeeper.superUsers functionality in place, and to later migrate it to an AuthenticationProvider. E.g., doing the former in the 3.6 branch and reserving the latter for 3.7/master.
What do you think?
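As an added illustration of the "set membership test" variant (this is example code written for this discussion, not ZooKeeper's own implementation): a helper that resolves the configured super-user principals from the existing zookeeper.superUser property together with the proposed zookeeper.superUsers list property (the second name is the one proposed above and is an assumption here), then performs the membership check. Comparison stays exact and case-sensitive, as the current equality check is, and the parser drops empty entries so that a stray trailing comma can never admit an empty principal name.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Example only (not ZooKeeper code): resolves the set of SASL principals that
 * bypass ACL checks, replacing a single-principal equality test with a set.
 */
public final class SuperUserCheck {

    /** Existing single-principal property. */
    static final String SUPER_USER_PROP = "zookeeper.superUser";

    /** Proposed comma-separated list property (assumed name, per the proposal above). */
    static final String SUPER_USERS_PROP = "zookeeper.superUsers";

    /** Builds the union of both properties; null/blank values contribute nothing. */
    static Set<String> parseSuperUsers(String single, String list) {
        Set<String> out = new LinkedHashSet<>();
        addEntries(out, single);
        addEntries(out, list);
        return Collections.unmodifiableSet(out);
    }

    private static void addEntries(Set<String> out, String value) {
        if (value == null) {
            return;
        }
        for (String part : value.split(",")) {
            String principal = part.trim();
            // Never admit the empty string: "a@R,," must not grant super to an
            // unauthenticated/empty ID, and whitespace around names is ignored.
            if (!principal.isEmpty()) {
                out.add(principal);
            }
        }
    }

    /** Exact, case-sensitive match, mirroring the existing equality semantics. */
    static boolean isSuperUser(Set<String> superUsers, String authenticatedId) {
        return authenticatedId != null && superUsers.contains(authenticatedId);
    }

    public static void main(String[] args) {
        // Constructed sample configuration (the trailing comma is deliberate).
        String single = "zkadmin@EXAMPLE.COM";
        String list = " ops/zk1@EXAMPLE.COM, ops/zk2@EXAMPLE.COM ,";

        Set<String> superUsers = parseSuperUsers(single, list);
        System.out.println("super users: " + superUsers);

        String[] ids = { "zkadmin@EXAMPLE.COM", "ops/zk2@EXAMPLE.COM",
                         "ZKADMIN@EXAMPLE.COM", "", null };
        for (String id : ids) {
            System.out.println(id + " -> " + isSuperUser(superUsers, id));
        }
        // Expected: the first two are true; the upper-cased name, "" and null are false.
    }
}
```

One caveat worth keeping in mind when weighing the two property options: overloading zookeeper.superUser as a comma-separated list changes the meaning of any existing value that happens to contain a comma, whereas a new zookeeper.superUsers property leaves the old setting's semantics untouched and can simply be unioned with it, as above.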