...
ISSUE: On ZooKeeper the SASL mechanism is decided by the type of the JAAS Subject; this is very simple for an admin to configure. We should make the configuration more explicit, something like a configuration property sasl.mech=GSSAPI|DIGEST-MD5.....
SSL/TLS Support
The initial proposal is to enable TLS support using the StartTLS mechanism; this way the Bookie will continue to advertise only one network endpoint, which in turn is effectively used as the Bookie ID.
Having a Bookie with more than one endpoint would require more metadata refactoring; the StartTLS proposal lets us skip this change for this version.
In order to support TLS we have to implement TLS communications on Netty 3 (maybe on Netty 4) and add a new protocol message to implement StartTLS.
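The following is an added example, not code from the proposal or from BookKeeper, showing the StartTLS upgrade on a single endpoint: the server accepts a plaintext command, acknowledges it, and then wraps the very same TCP socket in a server-mode SSLSocket that requires a client certificate. It uses plain JSSE sockets rather than Netty so that the mechanism is visible in one file; the wire words STARTTLS / OK STARTTLS, the class name and the PKCS12 keystore argument are assumptions standing in for the real protocol message and bookie configuration.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Assumed file name: StartTlsUpgradeServer.java (illustrative, not the project's code)
public class StartTlsUpgradeServer {
    // Hypothetical plaintext wire words standing in for the new StartTLS protocol message.
    static final String STARTTLS_REQUEST = "STARTTLS";
    static final String STARTTLS_OK = "OK STARTTLS";
    static final int MAX_LINE = 64;

    // Build a server SSLContext from a PKCS12 keystore holding the bookie's key and chain.
    static SSLContext loadServerContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JVM default trust store for client certs
        return ctx;
    }

    // Read exactly one line from the raw stream, one byte at a time. A buffered reader would
    // read ahead and swallow the first TLS record, breaking the handshake; it would also let
    // plaintext sent after STARTTLS be interpreted as further commands.
    static String readLineUnbuffered(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int b;
        while ((b = in.read()) != -1 && b != '\n') {
            if (b != '\r') buf.write(b);
            if (buf.size() > MAX_LINE) throw new IOException("command line too long");
        }
        if (b == -1 && buf.size() == 0) throw new IOException("peer closed before STARTTLS");
        return buf.toString(StandardCharsets.US_ASCII.name());
    }

    // Upgrade one accepted plaintext socket: refuse anything but STARTTLS, acknowledge, then
    // wrap the same TCP connection in a server-mode SSLSocket and require a client certificate.
    static X509Certificate upgrade(Socket plain, SSLContext ctx) throws Exception {
        InputStream in = plain.getInputStream();
        OutputStream out = plain.getOutputStream();
        String cmd = readLineUnbuffered(in);
        if (!STARTTLS_REQUEST.equals(cmd)) {
            out.write("ERR TLS required\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();
            plain.close();
            throw new IOException("refused plaintext command: " + cmd);
        }
        out.write((STARTTLS_OK + "\n").getBytes(StandardCharsets.US_ASCII));
        out.flush();
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(
                plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
        tls.setUseClientMode(false);
        tls.setNeedClientAuth(true); // handshake fails unless the client presents a trusted certificate
        tls.startHandshake();
        // The verified leaf certificate is what an AuthPlugin would attach to the connection peer.
        return (X509Certificate) tls.getSession().getPeerCertificates()[0];
    }

    public static void main(String[] args) throws Exception {
        // Usage: java StartTlsUpgradeServer <port> <keystore.p12> <password>
        SSLContext ctx = loadServerContext(args[1], args[2].toCharArray());
        try (ServerSocket server = new ServerSocket(Integer.parseInt(args[0]))) {
            while (true) {
                Socket plain = server.accept();
                try {
                    X509Certificate peer = upgrade(plain, ctx);
                    System.out.println("TLS established with " + peer.getSubjectX500Principal());
                } catch (Exception e) {
                    System.out.println("upgrade failed: " + e.getMessage());
                    plain.close();
                }
            }
        }
    }
}
```

Because the endpoint stays the same, nothing in the Bookie ID or its metadata changes; the only new state is that the server refuses every plaintext command except the upgrade request, and it stops reading plaintext the moment the acknowledgement is sent.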
We can implement an AuthPlugin which uses the certificate sent by the client and attaches it to the server-side connection peer.
We can add an optional scheduled task which checks certificate validity. This can be done inside the AuthPlugin, but the AuthPlugin will then need to hold a reference to a "handle" to the underlying connection, in order to shut it down in case of certificate expiration.
In order to support such a connection handle, the PeerInfo structure passed to the AuthPlugin should be changed and become an active object:
    import java.net.SocketAddress;
    import java.util.List;

    abstract class ServerSideConnectionHandle {
        SocketAddress remoteAddress;        // address of the authenticated peer
        List<Object> principals;            // principals established by the AuthPlugin
        abstract void closeConnection();    // lets the plugin shut the connection down
    }
The SSL authentication plugin will retain references to every authenticated connection, and we need to handle such references carefully in order not to run into resource leaks.
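As an added example covering both the scheduled certificate check and the reference handling above (not code from the proposal or from BookKeeper), the watcher below tracks the active connection handles, periodically closes any connection whose client certificate is expired or not yet valid, and drops handles as soon as the connection closes elsewhere so the tracking set cannot grow without bound. The handle interface, the stub implementation, the class names, the constructed 10.0.0.7:3181 address and the PEM file argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.ZoneOffset;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

// Hypothetical active handle, following the sketch in the proposal: what the AuthPlugin needs from a connection.
interface ServerSideConnectionHandle {
    SocketAddress remoteAddress();
    List<Object> principals();
    X509Certificate peerCertificate(); // leaf certificate presented by the client, null if none
    boolean isOpen();
    void closeConnection();
}

// Constructed in-memory handle used only by the demo in main().
class StubConnectionHandle implements ServerSideConnectionHandle {
    private final SocketAddress addr;
    private final X509Certificate cert;
    private volatile boolean open = true;
    StubConnectionHandle(SocketAddress addr, X509Certificate cert) { this.addr = addr; this.cert = cert; }
    public SocketAddress remoteAddress() { return addr; }
    public List<Object> principals() {
        return cert == null ? Collections.emptyList() : Collections.singletonList(cert.getSubjectX500Principal());
    }
    public X509Certificate peerCertificate() { return cert; }
    public boolean isOpen() { return open; }
    public void closeConnection() { open = false; }
}

// Assumed file name: CertificateExpiryWatcher.java (illustrative, not the project's code)
public class CertificateExpiryWatcher {
    private final Set<ServerSideConnectionHandle> tracked = ConcurrentHashMap.newKeySet();
    private final Clock clock;
    private final ScheduledExecutorService scheduler;

    CertificateExpiryWatcher(Clock clock, long period, TimeUnit unit) {
        this.clock = clock;
        this.scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "cert-expiry-watcher");
            t.setDaemon(true);
            return t;
        });
        scheduler.scheduleAtFixedRate(this::sweep, period, period, unit);
    }

    // Called by the AuthPlugin once the handshake has verified the client certificate.
    void track(ServerSideConnectionHandle h) { tracked.add(h); }

    // Must be wired into the connection's close path; otherwise the set keeps dead
    // connections reachable and grows without bound (the leak the proposal warns about).
    void untrack(ServerSideConnectionHandle h) { tracked.remove(h); }

    int trackedCount() { return tracked.size(); }

    // One sweep: drop connections already closed elsewhere, close those whose certificate is
    // expired or not yet valid at the clock's current time. Returns how many were closed.
    int sweep() {
        Date now = Date.from(clock.instant());
        int closed = 0;
        for (ServerSideConnectionHandle h : tracked) { // weakly consistent view: removing while iterating is safe
            if (!h.isOpen()) { tracked.remove(h); continue; }
            try {
                X509Certificate cert = h.peerCertificate();
                if (cert == null) throw new CertificateException("no peer certificate");
                cert.checkValidity(now); // throws CertificateExpiredException / CertificateNotYetValidException
            } catch (CertificateException e) {
                h.closeConnection();
                tracked.remove(h);
                closed++;
            }
        }
        return closed;
    }

    void shutdown() { scheduler.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        // Usage: java CertificateExpiryWatcher <client-cert.pem>  (stands in for the client's presented cert)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        SocketAddress peer = new InetSocketAddress("10.0.0.7", 3181); // constructed address
        CertificateExpiryWatcher now = new CertificateExpiryWatcher(Clock.systemUTC(), 1, TimeUnit.MINUTES);
        now.track(new StubConnectionHandle(peer, cert));
        System.out.println("closed now: " + now.sweep() + ", still tracked: " + now.trackedCount());
        // Same connection judged one day after the certificate's notAfter: the sweep must close it.
        Clock later = Clock.fixed(cert.getNotAfter().toInstant().plusSeconds(86_400), ZoneOffset.UTC);
        CertificateExpiryWatcher expired = new CertificateExpiryWatcher(later, 1, TimeUnit.MINUTES);
        expired.track(new StubConnectionHandle(peer, cert));
        System.out.println("closed later: " + expired.sweep() + ", still tracked: " + expired.trackedCount());
        now.shutdown();
        expired.shutdown();
    }
}
```

The design choice worth noting is that the watcher never owns the connection: it holds the handle only between track() and untrack(), and the sweep itself evicts anything already closed, so a connection that dies without calling untrack() is released on the next pass rather than retained for the life of the bookie.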
TBD
Action
Jira
...