ZooKeeper issue ZOOKEEPER-3959

Allow multiple superUsers with SASL


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.6.2
    • Fix Version/s: 3.7.0
    • Component/s: server

      Description

      We would like to add support for multiple SASL-authenticated super users to ZooKeeper.

      There currently exists a zookeeper.superUser property which is documented as:

      When this parameter is set to a [SASL] principal name, only an authenticated client with that principal will be able to bypass ACL checking and have full privileges to all znodes.

      Connections with an ID matching that property receive super powers through somewhat "hardcoded" logic which only admits a single principal name.

      Our goals could simply be achieved by promoting the equality comparison to a set membership test, and either:

      1. defining a new zookeeper.superUsers property holding a comma-separated list of principal names, or
      2. overloading zookeeper.superUser, parsing it as a comma-separated list.

      Another possibility, more complex but also more flexible, would be to implement the solution suggested in this SASLAuthenticationProvider comment:

      TODO: consider substituting current implementation of direct ClientCnxn manipulation with a call to this method (SASLAuthenticationProvider:handleAuthentication()) at session initiation.

      This would allow plugging arbitrary subclasses of SASLAuthenticationProvider (or, possibly, implementations of a new, ad-hoc interface) carrying custom logic.

      Of course, these solutions are not exclusive: it would be possible to first implement the zookeeper.superUsers functionality in place, and to later migrate it to an AuthenticationProvider. E.g., doing the former in the 3.6 branch and reserving the latter for 3.7/master.

      What do you think?
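As an added illustration (written for this page, not ZooKeeper's own code), the following Python model shows the "hardcoded" single-principal equality check beside the set-membership version the description proposes, with the comma-separated list parsed so that blank or whitespace-only entries cannot admit an empty principal. The property name zookeeper.superUsers, the ("super", "") marker id used to represent the bypass grant, and the ACL shape are assumptions made to keep the comparison concrete.

```python
"""Constructed model of the super-user bypass discussed in ZOOKEEPER-3959.

Not ZooKeeper code: the zookeeper.superUsers property name, the ('super', '')
marker id and the ACL representation are assumptions of this example.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Id = Tuple[str, str]  # (scheme, id), e.g. ("sasl", "admin@EXAMPLE.COM")


def parse_super_users(value: str) -> FrozenSet[str]:
    """Parse the assumed comma-separated zookeeper.superUsers value.

    Surrounding whitespace is stripped and empty entries are dropped, so a
    trailing or doubled comma never turns "" into a super-user principal.
    """
    return frozenset(p.strip() for p in value.split(",") if p.strip())


def grant_super_single(sasl_id: str, super_user: Optional[str]) -> List[Id]:
    """'Before': an equality test admits exactly one principal name."""
    ids: List[Id] = [("sasl", sasl_id)]
    if super_user is not None and sasl_id == super_user:
        ids.append(("super", ""))  # marker id: this connection bypasses ACLs
    return ids


def grant_super_multi(sasl_id: str, super_users: FrozenSet[str]) -> List[Id]:
    """'After': equality promoted to set membership; same marker is granted."""
    ids: List[Id] = [("sasl", sasl_id)]
    if sasl_id in super_users:
        ids.append(("super", ""))
    return ids


def check_acl(auth_ids: List[Id], acl: Dict[Id, Set[str]], perm: str) -> bool:
    """Return True if the connection may perform ``perm`` on a znode.

    ``acl`` maps (scheme, id) entries to the permissions they grant. Only the
    server-granted 'super' marker bypasses the check; a SASL id whose string
    merely equals a super-user name, without the grant, is checked like any
    other authenticated id.
    """
    if any(scheme == "super" for scheme, _ in auth_ids):
        return True
    return any(perm in acl.get((scheme, ident), set()) for scheme, ident in auth_ids)
```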

People

  Assignee: Damien Diederen (ztzg)
  Reporter: Damien Diederen (ztzg)
