ZooKeeper / ZOOKEEPER-896

Improve C client to support dynamic authentication schemes

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.3.2
    • Fix Version/s: 3.5.2, 3.6.0
    • Component/s: c client
    • Labels:
      None

      Description

      When we started exploring ZooKeeper for our requirements we found the authentication mechanism is not flexible enough.
      We want to use Kerberos for authentication but using the current API we ran into a few problems. The idea is that we get a Kerberos token on the client side and then send that token to the server with a Kerberos scheme. A server-side authentication plugin can use that token to authenticate the client and also use the token for authorization.
      We ran into two problems with this approach:
      1. A different Kerberos token is needed for each different server that the client can connect to, since Kerberos uses mutual authentication. That means when the client acquires this Kerberos token it has to know which server it connects to and generate the token according to that. The client currently can't generate a token for a specific server. The token stored in the auth_info is used for all the servers.
      2. The Kerberos token might have an expiry time, so if the client loses the connection to the server and then tries to reconnect it should acquire a new token. That is not possible currently since the token is stored in auth_info and reused for every connection.

      The problem can be solved if we allow the client to register a callback for authentication instead of a static token. This can be a callback with an argument which passes the current host string. The ZooKeeper client code could call this callback before it sends the authentication info to the server to get a fresh server-specific token.

      This would solve our problem with the kerberos authentication and also could be used for other more dynamic authentication schemes.

      The solution could also be generalized for the Java client.
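
The callback model proposed in the description, sketched as an added example that is not taken from the issue, its attached patches or the ZooKeeper C client: all type and function names (`auth_token_cb`, `auth_entry`, `build_auth_payload`, `fake_krb_token`) are hypothetical, and the token format is constructed in place of a real Kerberos exchange. It shows the client asking for a token per target host on every connect, so the token is bound to one server and carries a fresh expiry, while the static path reuses one value everywhere.

```c
/* Added illustration: every name here is hypothetical, not the ZooKeeper C API. */
#include <stdio.h>
#include <string.h>

/* Proposed hook: write a token bound to `host` into buf; return length or -1. */
typedef int (*auth_token_cb)(const char *host, char *buf, size_t cap, void *ctx);

typedef struct {
    const char   *scheme;
    const char   *static_token; /* current model: one token reused for every server */
    auth_token_cb cb;           /* proposed model: asked before each auth packet */
    void         *cb_ctx;
} auth_entry;

/* Stand-in for Kerberos token acquisition (constructed, no real GSS-API calls). */
typedef struct { long now; long lifetime; int issued; } fake_kdc;

static int fake_krb_token(const char *host, char *buf, size_t cap, void *ctx) {
    fake_kdc *k = ctx;
    int n = snprintf(buf, cap, "zookeeper/%s;exp=%ld", host, k->now + k->lifetime);
    if (n < 0 || (size_t)n >= cap) return -1;   /* refuse to send a truncated token */
    k->issued++;
    return n;
}

/* Called on every connect or reconnect, just before auth is sent to `host`. */
static int build_auth_payload(const auth_entry *a, const char *host,
                              char *out, size_t cap) {
    if (a->cb) return a->cb(host, out, cap, a->cb_ctx);
    if (!a->static_token) return -1;
    size_t n = strlen(a->static_token);
    if (n >= cap) return -1;
    memcpy(out, a->static_token, n + 1);
    return (int)n;
}

int main(void) {
    fake_kdc kdc = { 1000, 300, 0 };
    auth_entry dyn = { "kerberos", NULL, fake_krb_token, &kdc };
    char buf[128];
    if (build_auth_payload(&dyn, "zk1:2181", buf, sizeof buf) > 0) puts(buf);
    kdc.now = 2000;                              /* connection lost, time passes */
    if (build_auth_payload(&dyn, "zk2:2181", buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```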

      1. ZOOKEEPER-896.patch
        8 kB
        Mahadev konar
      2. NIOServerCnxn.patch
        8 kB
        Eugene Koontz
      3. ZOOKEEPER-896.patch
        8 kB
        Botond Hejj
      4. ZOOKEEPER-896.patch
        8 kB
        Botond Hejj

        Issue Links

          Activity

          Michi Mutsuzaki made changes -
          Fix Version/s 3.5.2 [ 12331981 ]
          Fix Version/s 3.6.0 [ 12326518 ]
          Fix Version/s 3.5.1 [ 12326786 ]
          Patrick Hunt made changes -
          Fix Version/s 3.5.1 [ 12326786 ]
          Fix Version/s 3.5.0 [ 12316644 ]
          Mahadev konar made changes -
          Fix Version/s 3.5.0 [ 12316644 ]
          Fix Version/s 3.4.0 [ 12314469 ]
          Mahadev konar made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Mahadev konar made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Mahadev konar made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Mahadev konar made changes -
          Attachment ZOOKEEPER-896.patch [ 12466338 ]
          Botond Hejj made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Affects Version/s 3.3.2 [ 12315108 ]
          Affects Version/s 3.3.1 [ 12314846 ]
          Eugene Koontz made changes -
          Link This issue is related to ZOOKEEPER-938 [ ZOOKEEPER-938 ]
          Eugene Koontz made changes -
          Attachment NIOServerCnxn.patch [ 12460214 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459986 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459249 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459775 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459236 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459249 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12457157 ]
          Botond Hejj made changes -
          Attachment ZOOKEEPER-896.patch [ 12459236 ]
          Patrick Hunt made changes -
          Assignee Botond Hejj [ botond.hejj ]
          Botond Hejj made changes -
          Field Original Value New Value
          Attachment ZOOKEEPER-896.patch [ 12457157 ]
          Botond Hejj created issue -

            People

            • Assignee:
              Botond Hejj
              Reporter:
              Botond Hejj
            • Votes:
              0
              Watchers:
              3
