Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/11/23 13:08:49 UTC

[GitHub] [pulsar] yanshuchong opened a new issue #8670: Security issues:pulsar create zookeeper path、data without ACL

yanshuchong opened a new issue #8670:
URL: https://github.com/apache/pulsar/issues/8670


   any suggestion to avoid the problem?
   
   SSL two-way authentication?
   iptables?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] yanshuchong edited a comment on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
yanshuchong edited a comment on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732272652


   @eolivelli yes, I open zkEnableSecurity in BookKeeper, and you are very great at ZooKeeper and BookKeeper. After doing some research on Pulsar, I can only use SASL/Kerberos without TLS, but Kerberos will bring in a KDC module. I would like to make our system structure as simple as it can be, with shorter latency (TLS is our last choice; we can suggest that producers encrypt or sign their messages if sensitive). Is there any possibility to support something like SASL/SCRAM-SHA256/512 in ZooKeeper, BookKeeper and the Pulsar broker? Just like what Kafka supports, we can keep user auth info in ZooKeeper.





[GitHub] [pulsar] yanshuchong commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
yanshuchong commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732279666


   @eolivelli  awesome. 





[GitHub] [pulsar] eolivelli commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732276774


   As far as I know there is no support for SASL/SCRAM-SHA256/512 in the stack, at least for ZK and BK.
   It would be great to see such an implementation.
   Like using https://github.com/ongres/scram (the library used in the PostgreSQL JDBC Driver)
   
   Unfortunately I don't have time, but the stack is pluggable so making an implementation MAY be possible 
   





[GitHub] [pulsar] yanshuchong commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
yanshuchong commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732263500


   @eolivelli thanks for your reply. I would like to see ACLs assigned to the znodes of Pulsar's ZooKeeper; I will open ACLs in BookKeeper also.
   I am considering replacing Kafka with Pulsar, because the structure of Pulsar separates computing and storage, but my company's security specifications need to be based on the untrusted authentication status of the intranet. We need to make sure every request has its own user auth and user permission check, to avoid authentication bypass and unauthorized access.
   





[GitHub] [pulsar] eolivelli commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732266537


   Regarding BookKeeper we already have a "zkEnableSecurity" configuration option.
   But it is to be set on the BookKeeper client created by ManagedLedgerFactoryImpl, so that part would be easier to implement





[GitHub] [pulsar] eolivelli commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732155206


   @yanshuchong 
   if you use ZooKeeper 3.6.x servers you can simply require that every client is authenticated
   see:
   https://zookeeper.apache.org/doc/r3.6.0/zookeeperAdmin.html#sc_authOptions
   
   
   > zookeeper.sessionRequireClientSASLAuth : (Java system property only: zookeeper.sessionRequireClientSASLAuth) New in 3.6.0: When set to true, ZooKeeper server will only accept connections and requests from clients that have authenticated with server via SASL. Clients that are not configured with SASL authentication, or configured with SASL but failed authentication (i.e. with invalid credential) will not be able to establish a session with server. A typed error code (-124) will be delivered in such case, both Java and C client will close the session with server thereafter, without further attempts on retrying to reconnect.
   > 
   > By default, this feature is disabled. Users who would like to opt-in can enable the feature by setting zookeeper.sessionRequireClientSASLAuth to true.
   > 
   > This feature overrules the zookeeper.allowSaslFailedClients option, so even if server is configured to allow clients that fail SASL authentication to login, client will not be able to establish a session with server if this feature is enabled.
   
   
   





[GitHub] [pulsar] eolivelli commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732197615


   @yanshuchong do you think we can close this issue, or would you like to see ACLs assigned to every znode?
   





[GitHub] [pulsar] xiaotongwang1 commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
xiaotongwang1 commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-790276682


   @eolivelli @jiazhai @codelipenghui we have modified the source code based on 2.7.0, and it is tested and works fine in our system. Can I commit a PR to fix this problem by adding a judgment condition?
   
   like:
   
   if ("true".equals(System.getProperty("pulsar.zkEnableSecurity", "false"))) {
       localZk().create(path, content, ZooDefs.Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
   } else {
       localZk().create(path, content, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
   }
   
   Why not wrap all ZooKeeper access in a common interface?
   It is a big piece of work, and I see a new plan: https://github.com/apache/pulsar/projects/10 . I think it will change in this plan.
   
   ===========================
   
   We also extend Pulsar broker SASL/SCRAM-SHA256 and bookie SASL/SCRAM-SHA256.
   
   Why?
   1. SASL: BookKeeper and the Pulsar broker support SASL/Kerberos, which needs a new part, the KDC, to be introduced; it will make the architecture more complex, and the popular solution (MIT Kerberos) is under US EAR control.
   2. OAuth 2.0: it is better used with TLS to avoid token leakage if client and server are not in a trusted network.
   
   
   For bookie: no need for ACL control for different clients, because we only have one client (the Pulsar broker), so we store the keys (salt, stored key, server key), after encryption, in bookkeeper.conf.
   
   For the Pulsar TCP client interface (6650): we need ACL control for different clients to access different topics, and we need to support adding users/passwords dynamically, so we store the keys (salt, stored key, server key), after encryption, in ZooKeeper (like Kafka).
   
   For the Pulsar HTTP admin interface (8080): a single HTTP request cannot finish a SASL/SCRAM process, so we implement it with OAuth 2.0 client credentials.
   
   Can I commit a PR for SASL/SCRAM-SHA256?
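
Added example, not part of the comment above and not code from Pulsar, BookKeeper or the modified build it describes: a sketch of the SCRAM-SHA-256 values the comment says are stored (salt, stored key, server key) and how a server checks a client proof against them, following RFC 5802 / RFC 7677. Function names, the user name, the nonces and the password are constructed for illustration; SASLprep normalization is omitted, so ASCII passwords are assumed.

```python
import base64
import hashlib
import hmac
from typing import Optional


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """Values the server persists per user; the password itself is never stored."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify(creds: dict, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    """Server side: return ServerSignature if the proof is valid, else None."""
    signature = _hmac(creds["stored_key"], auth_message)
    if len(proof) != len(signature):
        return None
    recovered_client_key = _xor(proof, signature)
    # Constant-time comparison of H(ClientKey) against the persisted StoredKey.
    if not hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), creds["stored_key"]):
        return None
    return _hmac(creds["server_key"], auth_message)


def build_auth_message(user: str, cnonce: str, snonce: str, creds: dict) -> bytes:
    """client-first-bare , server-first , client-final-without-proof."""
    salt_b64 = base64.b64encode(creds["salt"]).decode()
    nonce = cnonce + snonce
    return (f"n={user},r={cnonce},r={nonce},s={salt_b64},"
            f"i={creds['iterations']},c=biws,r={nonce}").encode()


if __name__ == "__main__":
    creds = derive_credentials("constructed-password", bytes(range(16)), 4096)  # constructed salt
    msg = build_auth_message("broker-client", "c0nstructedC", "c0nstructedS", creds)
    ok = server_verify(creds, msg, client_proof("constructed-password", creds["salt"], 4096, msg))
    print("authenticated" if ok else "rejected")
```

The persisted stored key and server key still allow offline password guessing if they leak, so they need protected storage wherever they are kept.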





[GitHub] [pulsar] eolivelli commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732155554


   Pulsar 2.5.x onwards works with ZooKeeper servers 3.6.x, I saw it running in production





[GitHub] [pulsar] yanshuchong commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
yanshuchong commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732167498


   Thanks a lot @eolivelli. zookeeper.sessionRequireClientSASLAuth only fixes the problem of user auth, but permission limits are still a problem; still, sessionRequireClientSASLAuth can intercept most illegal requests.





[GitHub] [pulsar] yanshuchong commented on issue #8670: Security issues:pulsar create zookeeper path、data without ACL

Posted by GitBox <gi...@apache.org>.
yanshuchong commented on issue #8670:
URL: https://github.com/apache/pulsar/issues/8670#issuecomment-732272652


   @eolivelli yes, I open zkEnableSecurity in BookKeeper, and you are very great at ZooKeeper and BookKeeper. After doing some research on Pulsar, I can only use SASL/Kerberos with TLS, but Kerberos will bring in a KDC module. I would like to make our system structure as simple as it can be, with shorter latency (TLS is our last choice; we can suggest that producers encrypt or sign their messages if sensitive). Is there any possibility to support something like SASL/SCRAM-SHA256/512 in ZooKeeper, BookKeeper and the Pulsar broker? Just like what Kafka supports, we can keep user auth info in ZooKeeper.

