Posted to dev@zookeeper.apache.org by "AntonioS (JIRA)" <ji...@apache.org> on 2013/07/26 10:41:48 UTC

[jira] [Created] (ZOOKEEPER-1736) Zookeeper SASL authentication allows anonymous users to log in

AntonioS created ZOOKEEPER-1736:
-----------------------------------

             Summary: Zookeeper SASL authentication allows anonymous users to log in
                 Key: ZOOKEEPER-1736
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
         Environment: Development
            Reporter: AntonioS


Hello.
I have configured Zookeeper to provide SASL authentication, using an ordinary username and password stored in jaas.conf via the DigestLoginModule.
I have created a simple jaas.conf file:

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="admin";
};

I have the zoo.cfg correctly configured for security, adding the following:
requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
zookeeper.allowSaslFailedClients=false

And I also have the java.env file:
export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"


Everything looks good. If I supply the right username and password I am authenticated; otherwise I am not, and I get an exception.
The problem is that when I don't supply any username or password at all, Zookeeper lets me through.
I tried different things, but nothing stops anonymous users from logging in.
I was looking at the source code, in particular this method in ZooKeeperServer.java:

    public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {

The section below:

        } else {
            if (h.getType() == OpCode.sasl) {
                Record rsp = processSasl(incomingBuffer, cnxn);
                ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
                cnxn.sendResponse(rh, rsp, "response"); // not sure about 3rd arg..what is it?
            } else {
                Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
                        h.getType(), incomingBuffer, cnxn.getAuthInfo());
                si.setOwner(ServerCnxn.me);
                submitRequest(si);
            }
        }

The else branch appears to simply forward any anonymous request to the handler, without attempting any authentication.

Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
Thanks

Antonio
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
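The dispatch logic quoted in the report, modelled in Python as an added example (this is not ZooKeeper's code and not part of the report). It shows the practical consequence of the else-branch: `zookeeper.allowSaslFailedClients=false` only acts on a client that attempted SASL and failed, so a client that never sends an OpCode.sasl packet is forwarded with an empty auth list. The toy nonce/HMAC challenge-response stands in for the DigestLoginModule mechanism, the `Cnxn`/`Server` classes and `USERS` table are constructed for the example, and `require_client_sasl_auth` is a hypothetical switch modelled on the `sessionRequireClientSASLAuth` property that ZooKeeper added later (3.6.0) to reject ordinary requests on sessions that never completed SASL.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed for this example: mirrors user_admin="admin" in the posted jaas.conf.
USERS = {"admin": "admin"}


@dataclass
class Cnxn:
    """Stand-in for ServerCnxn: one client connection and what the server knows about it."""
    session_id: int
    auth_info: list = field(default_factory=list)   # like ServerCnxn.getAuthInfo()
    closed: bool = False
    challenge: Optional[bytes] = None               # per-connection SASL state


class Server:
    def __init__(self, allow_sasl_failed_clients: bool = False,
                 require_client_sasl_auth: bool = False):
        # Models zookeeper.allowSaslFailedClients from the posted zoo.cfg/java.env.
        self.allow_sasl_failed_clients = allow_sasl_failed_clients
        # Hypothetical switch modelled on the later sessionRequireClientSASLAuth option.
        self.require_client_sasl_auth = require_client_sasl_auth

    def _process_sasl(self, cnxn: Cnxn, payload: bytes):
        """Toy challenge/response standing in for the DigestLoginModule exchange."""
        if cnxn.challenge is None:
            cnxn.challenge = os.urandom(16)
            return ("challenge", cnxn.challenge)
        user, _, proof = payload.partition(b":")
        username = user.decode()
        expected = hmac.new(USERS.get(username, "").encode(), cnxn.challenge,
                            hashlib.sha256).hexdigest().encode()
        if username in USERS and hmac.compare_digest(expected, proof):
            cnxn.auth_info.append(("sasl", username))
            return ("ok", b"")
        if not self.allow_sasl_failed_clients:
            cnxn.closed = True          # failed SASL: connection is dropped
        return ("error", "AUTHFAILED")

    def process_packet(self, cnxn: Cnxn, op: str, payload: bytes = b""):
        """Mirrors the shape of processPacket(): SASL packets go one way, everything else is submitted."""
        if cnxn.closed:
            return ("error", "CONNECTIONLOSS")
        if op == "sasl":
            return self._process_sasl(cnxn, payload)
        # Hardened check: refuse ordinary ops on a session that never completed SASL.
        if self.require_client_sasl_auth and not any(s == "sasl" for s, _ in cnxn.auth_info):
            return ("error", "AUTHFAILED")
        # As in the posted else-branch: submit with whatever auth info the connection has.
        ident = ",".join(f"{s}:{i}" for s, i in cnxn.auth_info) or "anonymous"
        return ("ok", f"{op} submitted as {ident}")


def client_login(server: Server, cnxn: Cnxn, username: str, password: str):
    """Client side of the toy SASL exchange: fetch the challenge, answer with HMAC(password, nonce)."""
    _, challenge = server.process_packet(cnxn, "sasl", b"")
    proof = hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest().encode()
    return server.process_packet(cnxn, "sasl", username.encode() + b":" + proof)


def run_scenarios(require_client_sasl_auth: bool) -> dict:
    """Three clients against one server: correct creds, wrong creds, and no SASL packet at all."""
    srv = Server(allow_sasl_failed_clients=False,
                 require_client_sasl_auth=require_client_sasl_auth)
    results = {}

    good = Cnxn(session_id=1)
    client_login(srv, good, "admin", "admin")
    results["good creds"] = srv.process_packet(good, "getData")[0]

    bad = Cnxn(session_id=2)
    client_login(srv, bad, "admin", "wrong")
    results["bad creds"] = srv.process_packet(bad, "getData")[0]

    anon = Cnxn(session_id=3)                       # never sends an OpCode.sasl packet
    results["no sasl"] = srv.process_packet(anon, "getData")[0]
    return results


if __name__ == "__main__":
    print("as reported:", run_scenarios(require_client_sasl_auth=False))
    print("hardened:   ", run_scenarios(require_client_sasl_auth=True))
```

With the switch off, the anonymous session is accepted while the wrong-password session is refused, which is exactly the behaviour the report describes; with it on, only the session that completed SASL gets its request submitted. On a real deployment the check is not modelled code but a server setting, and ACLs on the znodes are still needed on top of it, since session-level authentication says nothing about what an authenticated user may read or write.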