ZOOKEEPER-1112: Do not specify QOP for the SASL server
The explicit QOP setting had been added with a comment specifying that
Sasl.QOP="auth" was not set by the 1.6 JRE.

More recent JREs, such as 1.8, properly set QOP to "auth" by default,
and both Cyrus SASL and Perl's Authen::SASL have been verified to be
okay with it.

The patch also included 'auth-conf' and 'auth-int' in the preferences
list; the reason for that is unclear.  It also seems incorrect, as the
wire protocol does not provide checksums nor encryption.  (The plan is
to carry everything over TLS anyway; perhaps QOP should be set to that
triple when TLS is active?)

apache#1054 (comment)
ztzg committed Aug 15, 2019
1 parent 2cf36d0 commit 2835daa
Showing 1 changed file with 2 additions and 9 deletions.
Expand Up @@ -18,8 +18,6 @@

package org.apache.zookeeper.util;

import java.util.HashMap;

import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
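Review bot: removing `import java.util.HashMap;` is only safe if no other `HashMap` use remains in this file; the diff shows only the server-side `props` map being deleted, and the next hunk's context line (`public SaslClient run() throws SaslException`) points to a client-side counterpart that may build its own map. Confirm the file still compiles rather than relying on the two visible deletions alone.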
Expand Down Expand Up @@ -155,11 +153,6 @@ public SaslClient run() throws SaslException {
public static SaslServer createSaslServer(final Subject subject,
final String protocol, final String serverName,
final CallbackHandler callbackHandler, final Logger LOG) {
// required by c client api - Sasl.QOP="auth" is not set
// by default although stated in javadoc (Sun JRE 1.6.0_26-b03)
HashMap<String, Object> props = new HashMap<String, Object>();
props.put(Sasl.QOP, "auth-conf,auth-int,auth");

if (subject != null) {
// server is using a JAAS-authenticated subject: determine service
// principal name and hostname from zk server's subject.
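Review bot: deleting the comment along with the `props` map leaves no record of why QOP is left unset here; replace it with a one-line note that the JRE default of `auth` is relied on (per the commit message, 1.8 sets it while 1.6 did not), so a later reader does not reintroduce an explicit list. Dropping `auth-conf,auth-int` from the offered preferences is the right call: the commit message states the wire protocol provides neither checksums nor encryption, so advertising those QOPs would offer a client protection the server cannot actually deliver.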
Expand Down Expand Up @@ -238,7 +231,7 @@ public SaslServer run() {
SaslServer saslServer;
saslServer = Sasl.createSaslServer(
mech, servicePrincipalName,
serviceHostname, props,
serviceHostname, null,
callbackHandler);
return saslServer;
} catch (SaslException e) {
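Review bot: `null` is an accepted value for the `props` argument of `javax.security.sasl.Sasl.createSaslServer`, so the call is well-formed; but since the `props` variable is no longer declared, verify that nothing in the lines between this hunk and the previous one (not shown) still references it. A test asserting that the negotiated QOP on a freshly created server is `auth` would lock in the JRE default this change now depends on.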
Expand All @@ -260,7 +253,7 @@ public SaslServer run() {
// TODO: use 'authMech=' value in zoo.cfg.
try {
SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5",
protocol, serverName, props, callbackHandler);
protocol, serverName, null, callbackHandler);
return saslServer;
} catch (SaslException e) {
LOG.error("Zookeeper Quorum member failed to create a SaslServer to interact with a client during session initiation", e);
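Review bot: the `// TODO: use 'authMech=' value in zoo.cfg.` comment is kept, and the commit message raises a second open question (whether QOP should be set to `auth-conf,auth-int,auth` once TLS is active) that lives only in the commit message; add it as a TODO beside the existing one or file a follow-up, since this DIGEST-MD5 fallback is where that decision would be implemented.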
