apache
ZOOKEEPER-4753: zookeeper-server: Improvement: Explicit handling of D… …IGEST-MD5 vs GSSAPI in quorum auth for branch 3.6
ZOOKEEPER-4753: zookeeper-server: Improvement: Explicit handling of D… …IGEST-MD5 vs GSSAPI in quorum auth
Before this, the SASL-based quorum authorizer did not explicitly distinguish between the DIGEST-MD5 and GSSAPI mechanisms: it was simply relying on NameCallback and PasswordCallback for authentication with the former and examining Kerberos principals in AuthorizeCallback for the latter.
It turns out that some SASL/DIGEST-MD5 configurations cause authentication and authorization IDs not to match the expected format, and the DIGEST-MD5-based portions of the quorum test suite to fail with obscure errors. (They can be traced to failures to join the quorum, but only by looking into detailed logs.)
This patch uses the login module name to determine whether DIGEST-MD5 or GSSAPI is used, and relaxes the authentication ID check for the former. As a cleanup, it keeps the password-based credential map empty when Kerberos principals are expected. It finally adapts a test, and adds a new one, ensuring "weirdly-shaped" credentials only cause authentication failures in the GSSAPI case.
