Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper authentication enforcement. #1500

Closed
wants to merge 5 commits into from
Closed

ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper authentication enforcement. #1500

wants to merge 5 commits into from

Conversation

arshadmohammad
Copy link
Contributor

Added enforce.auth.enabled and enforce.auth.scheme to enforce any authentication scheme.

@arshadmohammad
Copy link
Contributor Author

As enforcing the SASL authentication scheme feature is already released. Keeping the feature as it is. Provided generalization on top of it

@arshadmohammad arshadmohammad mentioned this pull request Oct 13, 2020
Closed
hanm
hanm reviewed Oct 14, 2020
View reviewed changes
Copy link
Contributor

@hanm hanm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

CI build fails due to check style failure. Let's fix these to get a green build.

zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java Outdated Show resolved Hide resolved
zookeeper-server/src/test/java/org/apache/zookeeper/EnforceAuthenticationTest.java Outdated Show resolved Hide resolved
anmolnar
anmolnar approved these changes Oct 14, 2020
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great stuff, lgtm.
Just a few nitpicks.

zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md Outdated Show resolved Hide resolved
zookeeper-server/src/test/java/org/apache/zookeeper/EnforceAuthenticationTest.java Outdated Show resolved Hide resolved
zookeeper-server/src/test/java/org/apache/zookeeper/EnforceAuthenticationTest.java Outdated Show resolved Hide resolved
@arshadmohammad
Copy link
Contributor Author

One ci feedback is pending from long time. Reopening the PR to trigger the ci again.

eolivelli
eolivelli approved these changes Oct 15, 2020
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM !
very useful

zookeeper-server/src/test/java/org/apache/zookeeper/EnforceAuthenticationTest.java Outdated Show resolved Hide resolved
@eolivelli
Copy link
Contributor

@arshadmohammad in order to force Jenkins to restart the job click on the click on the link "Details",login with your Apache id/password and click on the button to restart the job
https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-precommit-github-pr/detail/PR-1500/2/pipeline/

ztzg
ztzg approved these changes Oct 15, 2020
View reviewed changes
Copy link
Contributor

@ztzg ztzg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally LGTM, but we have an existing use-case which requires multiple schemes. (I am willing to contribute such a change in a subsequent PR, however.)

zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md Outdated Show resolved Hide resolved
@hanm
Copy link
Contributor

hanm commented Oct 19, 2020

There is one C unit test failure reported by https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-precommit-github-pr/detail/PR-1500/4/pipeline

`[2020-10-16T21:54:25.858Z] [exec] /home/jenkins/jenkins-home/workspace/eper-precommit-github-pr_PR-1500/zookeeper-client/zookeeper-client-c/tests/TestSASLAuth.cc:120: Assertion: assertion failed [Expression: ctx.waitForConnected(zk)]

[2020-10-16T21:54:25.858Z] [exec] Failures !!!

[2020-10-16T21:54:25.858Z] [exec] Run: 89 Failure total: 1 Failures: 1 Errors: 0

[2020-10-16T21:54:25.858Z] [exec] FAIL: zktest-mt

[2020-10-16T21:54:25.858Z] [exec] ==========================================

[2020-10-16T21:54:25.858Z] [exec] 1 of 2 tests failed

[2020-10-16T21:54:25.858Z] [exec] Please report to user@zookeeper.apache.org

[2020-10-16T21:54:25.858Z] [exec] ==========================================

[2020-10-16T21:54:25.858Z] [exec] Makefile:1850: recipe for target 'check-TESTS' failed

[2020-10-16T21:54:25.858Z] [exec] make[1]: Leaving directory '/home/jenkins/jenkins-home/workspace/eper-precommit-github-pr_PR-1500/zookeeper-client/zookeeper-client-c/target/c'

[2020-10-16T21:54:25.858Z] [exec] Makefile:2106: recipe for target 'check-am' failed

[2020-10-16T21:54:25.858Z] [exec] make[1]: *** [check-TESTS] Error 1

[2020-10-16T21:54:25.858Z] [exec] make: *** [check-am] Error 2`

@arshadmohammad do you mind check if that's a flaky test? Once we clear this I will merge this PR. I am also triggering another build to see if we can get a green build.

@ztzg
Copy link
Contributor

ztzg commented Oct 19, 2020

Hi @arshadmohammad,

Addressed comments, Added support to configure multiple authentication schemes to enforce authentication

Fantastic; thanks! (Though I did not mean to imply you had to do the job!)

@hanm wrote:

There is one C unit test failure reported by https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-precommit-github-pr/detail/PR-1500/4/pipeline

`[2020-10-16T21:54:25.858Z] [exec] /home/jenkins/jenkins-home/workspace/eper-precommit-github-pr_PR-1500/zookeeper-client/zookeeper-client-c/tests/TestSASLAuth.cc:120: Assertion: assertion failed [Expression: ctx.waitForConnected(zk)]

@arshadmohammad do you mind check if that's a flaky test?

Not due to flakiness: the test used to work because the old sessionRequireClientSASLAuth flag was able to do its job without having a SASL provider configured (even though the combination makes no sense in practice). Suggested fix:

--- a/zookeeper-client/zookeeper-client-c/tests/zkServer.sh
+++ b/zookeeper-client/zookeeper-client-c/tests/zkServer.sh
@@ -128,9 +128,9 @@ PROPERTIES="$EXTRA_JVM_ARGS -Dzookeeper.extendedTypesEnabled=true -Dznode.contai
 if [ "x$1" == "xstartRequireSASLAuth" ]
 then
     PROPERTIES="-Dzookeeper.sessionRequireClientSASLAuth=true $PROPERTIES"
+    PROPERTIES="$PROPERTIES -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
     if [ "x$2" != "x" ]
     then
-        PROPERTIES="$PROPERTIES -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
         PROPERTIES="$PROPERTIES -Djava.security.auth.login.config=$2"
     fi
     if [ "x$3" != "x" ]

@arshadmohammad
Copy link
Contributor Author

Not due to flakiness: the test used to work because the old sessionRequireClientSASLAuth flag was able to do its job without
having a SASL provider configured (even though the combination makes no sense in practice). Suggested fix:
Thanks @ztzg for analyzing and suggesting the fix. Updated the PR

@hanm
Copy link
Contributor

hanm commented Oct 21, 2020

got a green build now, merging.

@asfgit asfgit closed this in 1af3dcc Oct 21, 2020
RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Aug 31, 2022
@arshadmohammad @RokLenarcic
ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper…
172a700 
… authentication enforcement.

Added enforce.auth.enabled and enforce.auth.scheme to enforce any authentication scheme.

Author: Mohammad Arshad <arshad@apache.org>

Reviewers: Michael Han <hanm@apache.org>, Damien Diederen <dd@crosstwine.com>, Enrico Olivelli <eolivelli@gmail.com>, Andor Molnár <andor@apache.org>

Closes apache#1500 from arshadmohammad/ZOOKEEPER-3561-master
RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Aug 31, 2022
@arshadmohammad @RokLenarcic
ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper…
dd4497d 
… authentication enforcement.

Added enforce.auth.enabled and enforce.auth.scheme to enforce any authentication scheme.

Author: Mohammad Arshad <arshad@apache.org>

Reviewers: Michael Han <hanm@apache.org>, Damien Diederen <dd@crosstwine.com>, Enrico Olivelli <eolivelli@gmail.com>, Andor Molnár <andor@apache.org>

Closes apache#1500 from arshadmohammad/ZOOKEEPER-3561-master
RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Aug 31, 2022
@arshadmohammad @RokLenarcic
ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper…
9499257 
… authentication enforcement.

Added enforce.auth.enabled and enforce.auth.scheme to enforce any authentication scheme.

Author: Mohammad Arshad <arshad@apache.org>

Reviewers: Michael Han <hanm@apache.org>, Damien Diederen <dd@crosstwine.com>, Enrico Olivelli <eolivelli@gmail.com>, Andor Molnár <andor@apache.org>

Closes apache#1500 from arshadmohammad/ZOOKEEPER-3561-master
RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Sep 3, 2022
@arshadmohammad @RokLenarcic
ZOOKEEPER-3561: Generalize target authentication scheme for ZooKeeper…
56dadc5 
… authentication enforcement.

Added enforce.auth.enabled and enforce.auth.scheme to enforce any authentication scheme.

Author: Mohammad Arshad <arshad@apache.org>

Reviewers: Michael Han <hanm@apache.org>, Damien Diederen <dd@crosstwine.com>, Enrico Olivelli <eolivelli@gmail.com>, Andor Molnár <andor@apache.org>

Closes apache#1500 from arshadmohammad/ZOOKEEPER-3561-master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ztzg ztzg ztzg approved these changes

@eolivelli eolivelli eolivelli approved these changes

@hanm hanm hanm approved these changes

@anmolnar anmolnar anmolnar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@arshadmohammad @eolivelli @hanm @ztzg @anmolnar