Posted to solr-user@lucene.apache.org by Jan Høydahl <ja...@cominvent.com> on 2018/09/16 20:22:25 UTC

How secure is Zookeeper digest auth?

Hi,

We plan to enable (digest) authentication and ACL with Zookeeper to improve security.
However, we have not been able to answer the question of how secure such a setup will be,
given that ZK 3.4.x TCP communication is unencrypted.

So, does anyone know if ZK sends the password in cleartext over the network, so that
anyone who can sniff the network can also pick up the password, and connect and read/write
nodes in ZK?

We'll of course add all the firewall and IP filtering we can. Do you have any other
tricks you use to increase ZK security?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com


Re: How secure is Zookeeper digest auth?

Posted by Jan Høydahl <ja...@cominvent.com>.
Thanks. Solr uses Zk 3.4.x with no support for TLS. Zk communication is over low level binary TCP. I’m aware that if/when we get 3.5.x support we should deploy SSL.

My question is, how do folks secure their current zk and is there a way to circumvent the lack of SSL? I don’t care if people can read the traffic but I do care if the auth credentials can easily be sniffed and replayed, thus enabling write access to zk, which lets you disable all Solr security.

Jan

> 16. sep. 2018 kl. 22:45 skrev Christopher Schultz <ch...@christopherschultz.net>:
> 
> Jan,
> 
>> On 9/16/18 16:22, Jan Høydahl wrote:
>> We plan to enable (digest) authentication and ACL with Zookeeper to
>> improve security.
> 
> Can you be more explicit? There is HTTP DIGEST auth and then there are
> "digested" (hashed) passwords for the user-database. The former is
> secure on the wire and the other one is wire-agnostic.
> 
>> However, we have not been able to answer the question of how secure
>> such a setup will be, given that ZK 3.4.x TCP communication is
>> unencrypted.
>> 
>> So, does anyone know if ZK sends the password in cleartext over the
>> network, so that anyone who can sniff the network can also pick up
>> the password, and connect and read/write nodes in ZK?
>> 
>> We'll of course add all the firewall and IP filtering we can. Do
>> you have any other tricks you use to increase ZK security?
> 
> I'm not using ZK (yet) so this may be supremely ignorant since I don't
> know what protocol it uses to communicate: I would recommend using
> mutual-TLS authentication everywhere. I have just deployed such a
> system (single-node, no cluster/ZK) and all of the communication for
> both admin and querying is over client-authenticated TLS.
> 
> Even if an attacker gets onto the box where Solr is running, they
> cannot attack it without also breaking filesystem privileges or
> exploiting the users who have access to the Solr client key stores.
> 
> (I just did a little Googling and it looks like only ZK 3.5+ has TLS
> available. At any rate, that should be your target for the future if
> you really want a secure environment.)
> 
> -chris

Re: How secure is Zookeeper digest auth?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jan,

On 9/16/18 16:22, Jan Høydahl wrote:
> We plan to enable (digest) authentication and ACL with Zookeeper to
> improve security.

Can you be more explicit? There is HTTP DIGEST auth and then there are
"digested" (hashed) passwords for the user-database. The former is
secure on the wire and the other one is wire-agnostic.

> However, we have not been able to answer the question of how secure
> such a setup will be, given that ZK 3.4.x TCP communication is
> unencrypted.
> 
> So, does anyone know if ZK sends the password in cleartext over the
> network, so that anyone who can sniff the network can also pick up
> the password, and connect and read/write nodes in ZK?
> 
> We'll of course add all the firewall and IP filtering we can. Do
> you have any other tricks you use to increase ZK security?

I'm not using ZK (yet) so this may be supremely ignorant since I don't
know what protocol it uses to communicate: I would recommend using
mutual-TLS authentication everywhere. I have just deployed such a
system (single-node, no cluster/ZK) and all of the communication for
both admin and querying is over client-authenticated TLS.

Even if an attacker gets onto the box where Solr is running, they
cannot attack it without also breaking filesystem privileges or
exploiting the users who have access to the Solr client key stores.

(I just did a little Googling and it looks like only ZK 3.5+ has TLS
available. At any rate, that should be your target for the future if
you really want a secure environment.)

-chris