Jaewoong Choi 2012-11-21, 19:46
Flavio Junqueira 2012-11-22, 21:23
Jaewoong Choi 2012-11-26, 05:07

Re: Authentication mechanism (Michi Mutsuzaki 2012-11-26, 19:11)
Hi Jaewoong,

>>> 1. Is the above scenario true?

Yes. Initially the root znode ("/") is open to world:anyone. You need to set the permission as a part of your bootstrap process.

>>> 2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?

No. I think people usually set connection level ACLs outside of zookeeper.

--Michi

On Sun, Nov 25, 2012 at 9:07 PM, Jaewoong Choi <[EMAIL PROTECTED]> wrote:
> I believe I've read it several times. I guess you refer to the following statement:
> "... When a client connects to ZooKeeper and authenticates itself, ZooKeeper associates all the ids that correspond to a client with the client's connection."
>
> From my understanding based on my real tests, the client authenticates by calling ZooKeeper#setAuthInfo. In other words, authentication never happens if the client bypasses #setAuthInfo. Could you please confirm and clarify? Haven't you been able to reproduce the scenario I described below?
>
> Thanks,
> Jaewoong
>
> On Nov 22, 2012, at 1:23 PM, Flavio Junqueira wrote:
>
>> Hi Jaewoong,
>>
>> I'm not sure if you have had a chance to look at the documentation:
>>
>> http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl
>>
>> My understanding is that a client authenticates when it connects.
>>
>> -Flavio
>>
>> On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:
>>
>>> Hi,
>>>
>>> I got a question regarding ZooKeeper's authentication mechanism. Let me describe a scenario first.
>>>
>>> 1. ZooKeeper server started up with a customized AuthenticationProvider (e.g. XyzAuthenticationProvider, whose authentication scheme is "xyz") enabled with the -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
>>> 2. But no znodes (including "/" and "/zookeeper") have been assigned any ACL of either this "xyz" scheme or the "auth" scheme, such that they are open to the world by default.
>>> 3. At this stage, any ZooKeeper client without any authInfo (who hasn't invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do anything!! e.g. It can create znodes under "/" and etc.
>>>
>>> This is what I verified with my test using zookeeper_server-3.4.3 and the zookeeper-3.4.3 client library.
>>>
>>> Here come some questions.
>>>
>>> 1. Is the above scenario true?
>>> 2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?
>>>
>>> Regards,
>>> Jaewoong
>>
>
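The "set the permission as a part of your bootstrap process" step Michi describes, written out as an added example (editor's code, not from the thread or from the ZooKeeper project). It uses the 3.4 client API: the session authenticates with `ZooKeeper#addAuthInfo`, an admin session replaces the default `world:anyone` ACL on "/" with `CREATOR_ALL_ACL` (the "auth" scheme, which the server resolves to the caller's digest identity at `setACL` time), and a second session that never calls `addAuthInfo` is then refused a `create` under "/". The ensemble address, the class name, the `admin:change-me` credential and the `/probe` path are assumptions for the illustration; the ensemble is assumed fresh, with the default `digest` provider enabled.

```java
// Added example (not from the thread): lock down a fresh ZooKeeper ensemble whose
// root znode is still world:anyone, then show that a session which never calls
// addAuthInfo is refused a write. Assumes localhost:2181 (or args[0]), the default
// "digest" auth provider, and illustrative credentials "admin:change-me".
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

public class AclBootstrap {

    /** Open a session and block until the server reports SyncConnected. */
    static ZooKeeper connect(String hosts) throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(hosts, 10_000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        if (!connected.await(10, TimeUnit.SECONDS)) {
            zk.close();
            throw new IllegalStateException("no connection to " + hosts);
        }
        return zk;
    }

    /**
     * Bootstrap step. The session must already be authenticated (addAuthInfo),
     * otherwise the "auth" scheme in CREATOR_ALL_ACL is rejected as an invalid ACL.
     * ACLs are not inherited by children, so the existing subtree ("/zookeeper",
     * "/zookeeper/quota" on a fresh ensemble) is walked and locked down as well.
     */
    static void lockDown(ZooKeeper admin, String path) throws Exception {
        admin.setACL(path, Ids.CREATOR_ALL_ACL, -1);   // -1: ignore the ACL version
        for (String child : admin.getChildren(path, false)) {
            lockDown(admin, path.equals("/") ? "/" + child : path + "/" + child);
        }
    }

    /**
     * Probe from a session that never calls addAuthInfo. Returns true when the
     * server refuses the write, which is the state the bootstrap should leave.
     * The probe node is ephemeral, so a successful create leaves nothing behind.
     */
    static boolean anonymousWriteRefused(String hosts) throws Exception {
        ZooKeeper anon = connect(hosts);
        try {
            anon.create("/probe", new byte[0], Ids.OPEN_ACL_UNSAFE, CreateMode.EPHEMERAL);
            return false;                  // write succeeded: "/" is still world:anyone
        } catch (KeeperException.NoAuthException e) {
            return true;                   // expected once "/" requires CREATE
        } finally {
            anon.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String hosts = args.length > 0 ? args[0] : "localhost:2181";

        // On a fresh ensemble this reports false: the anonymous create succeeds.
        System.out.println("anonymous write refused before bootstrap: "
                + anonymousWriteRefused(hosts));

        ZooKeeper admin = connect(hosts);
        try {
            // Illustrative credential; in practice read it from a secret store.
            admin.addAuthInfo("digest", "admin:change-me".getBytes(StandardCharsets.UTF_8));
            lockDown(admin, "/");
            List<ACL> now = admin.getACL("/", new Stat());
            System.out.println("ACL on / is now: " + now);   // digest:admin:<sha1>, perms 31
        } finally {
            admin.close();
        }

        // After the bootstrap the same probe reports true.
        System.out.println("anonymous write refused after bootstrap: "
                + anonymousWriteRefused(hosts));
    }
}
```

Two caveats that follow from Michi's answers. First, this is per-znode authorization only: the server still accepts the anonymous session and lets it attempt the operation; there is no connect-time gate, so reachability of the client port has to be controlled outside ZooKeeper (firewall or network policy), which is what "connection level ACLs outside of zookeeper" amounts to. Second, the `digest` credential travels in the clear over the plain 3.4 client port, which is a further reason to keep that port off untrusted networks or to use the SASL/Kerberos provider instead.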