Natalie Klestrup Röijezon

Results 288 comments of Natalie Klestrup Röijezon

Once connected to the bootstrap service, yes, you'll get all brokers. It's mostly a matter of consistency and "maaaybe this will be useful in some odd networking context, somewhere?".

Some integration tests are currently failing due to a missing `spec.image`, not sure if it's related to https://stackable-workspace.slack.com/archives/C02M1RE8S0Z/p1712274080585689.

Turns out the test failures were due to stale beku work files. Clearing `tests/_work` made them pass.

IMO it's fine to end up shipping a patch for now, but we should try to get it upstreamed.

The question here is: do we just want to disable the mostly-useless old behaviour (verifying a strong identity (X509) against a weak one (IP/DNS)), or do we want to do...

Having looked through the codebase a bit more, authz seems like a somewhat bigger change. For now, I'd prioritize disabling the DNS-based client hostname verification, and then break out authz...

Created #820 for the latter.

Turns out, enabling "FIPS mode" on ZK 3.8.2+ already "solves" this, and it is on by default on 3.9.0+. I've submitted a PR for a more specific toggle as https://github.com/apache/zookeeper/pull/2173....

Closing since FIPS mode is available in all our supported versions, and on by default in all non-deprecated versions. Moved the followup work into #829 instead.

Moving this into the voting phase.