You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Ramkumar (JIRA)" <ji...@apache.org> on 2017/10/23 15:42:00 UTC
[jira] [Commented] (ZOOKEEPER-1736) Zookeeper SASL authentication
allows anonymus users to log in
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215318#comment-16215318 ]
Ramkumar commented on ZOOKEEPER-1736:
-------------------------------------
I am also curious to know why this is not an issue /defect. I am trying to protect zookeeper in kubernetes cluster from other users to access zookeeper. I tried to set up SASL set up in zookeeper and set a user in /broker node so that Kafka user wont be able to connect to zookeeper if they dont specify the right user. However if Kafka still makes connection successfully if they dont have "client" configuration set up. This means anonymous connection is still allowed to connect and use the zookeeper. did I miss some thing?
> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>
> Key: ZOOKEEPER-1736
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Environment: Development
> Reporter: AntonioS
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary username and password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I authenticate, otherwise not and I get an exception.
> The problem is when I don’t put any username and password at all, zookeeper allows me to go through.
> I tried different things but nothing stops anonymous users to log in.
> I was looking at the source code, in particular the ZookeeperServer.java, this method:
> public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {
> The section below:
> } else {
> if (h.getType() == OpCode.sasl) {
> Record rsp = processSasl(incomingBuffer,cnxn);
> ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
> cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
> }
> else {
> Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
> h.getType(), incomingBuffer, cnxn.getAuthInfo());
> si.setOwner(ServerCnxn.me);
> submitRequest(si);
> }
> }
> The else flow appears to just forward any anonymous request to the handler, without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
> Thanks
> Antonio
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)