Posted to dev@zookeeper.apache.org by William Jardine <wi...@gmail.com> on 2018/07/18 14:36:59 UTC

ZK ACL question

Hey guys,

I'm using ZooKeeper and am curious about how it stores its ACL identities
created with the digest scheme, and am a bit confused by the website.
Hoping you can help me.

For example, if I do:

   - addauth digest testuser1:password1
   - setAcl /testnode auth:testuser1:password1:w

This stores the following as the ACL identity for testnode:
'testuser1:AWB1i+VKSJP/aUdT1QXi+A4j32o=

My question is, what is this hash? The website (
https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_ZooKeeperAccessControl)
talks about both MD5 and SHA1; I'm confused as to which it's using.

I'm also a bit confused about which part it's hashing. I believe it's one
of the following combinations:

   - base64(sha1sum("username:password"))
   - base64(sha1sum("password"))
   - base64(md5sum("username:password"))
   - base64(md5sum("password"))

But I'm unable to replicate the hash given above. I want to verify my
passwords are stored in ZK as securely as possible. Are you able to give me
some more info on how this process works and what scheme it uses? Is it
doing some salting as well? Any info would be much appreciated.

Cheers,
William

Re: ZK ACL question

Posted by Brian Nixon <br...@gmail.com>.
Hi William,

It's been a while since I've looked at this. You could double-check against
how the kazoo client is handling encoding ->
https://github.com/python-zk/kazoo/blob/master/kazoo/security.py#L61 .

Does this help?

-Brian


On Wed, Jul 18, 2018 at 7:36 AM, William Jardine <williamjardine94@gmail.com
> wrote:

> Hey guys,
>
> I'm using ZooKeeper and am curious about how it stores its ACL identities
> created with the digest scheme, and am a bit confused by the website.
> Hoping you can help me.
>
> For example, if I do:#
>
>    - addauth digest testuser1:password1
>    - setAcl /testnode auth:testuser1:password1:w
>
> This stores the following as the ACL identity for testnode:
> 'testuser1:AWB1i+VKSJP/aUdT1QXi+A4j32o=
>
> My question is, what is this hash? The website (
> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_
> ZooKeeperAccessControl)
> talks about both MD5 and SHA1; I'm confused as to which it's using.
>
> I'm also a bit confused about which part it's hashing. I believe it's one
> of the following combinations:
>
>    - base64(sha1sum("username:password")
>    - base64(sha1sum("password")
>    - base64(md5sum("username:password")
>    - base64(md5sum("password")
>
> But I'm unable to replicate the hash given above. I want to verify my
> passwords are stored in ZK as securely as possible. Are you able to give me
> some more info on how this process works and what scheme it uses? Is it
> doing some salting as well? Any info would be much appreciated.
>
> Cheers,
> William
>
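Added example, not from the thread and not ZooKeeper's or kazoo's own code: a Python re-implementation of the digest-scheme identity that follows the kazoo helper Brian links to. ZooKeeper's digest scheme stores the identity as user:base64(SHA-1("user:password")), with no salt, so the first of William's four candidates is the right one. A likely reason a shell check fails to reproduce it is that `echo` without `-n` appends a newline and `sha1sum` prints hex rather than base64. The wordlist, the `alice`/`hunter2` credentials and the function names below are constructed for illustration; the posted identity is the one quoted in the thread.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def zk_digest_id(username: str, password: str) -> str:
    """Return the identity ZooKeeper stores for a digest-scheme ACL.

    Scheme (unsalted): "<username>:" + base64(SHA-1("<username>:<password>")).
    SHA-1 is taken over the raw bytes of "user:password" with no trailing
    newline, and the 20-byte digest is base64-encoded, not hex-encoded.
    """
    credential = f"{username}:{password}".encode("utf-8")
    digest = hashlib.sha1(credential).digest()
    return f"{username}:{base64.b64encode(digest).decode('ascii')}"


def split_acl_id(acl_id: str) -> Tuple[str, str]:
    """Split a stored "user:base64digest" identity into its two parts."""
    username, _, encoded = acl_id.partition(":")
    return username, encoded


def verify_credential(acl_id: str, username: str, password: str) -> bool:
    """Check a user:password pair against a stored digest identity.

    Constant-time comparison on bytes; the identity is ASCII but the
    username may not be, so compare the encoded forms.
    """
    expected = zk_digest_id(username, password).encode("utf-8")
    return hmac.compare_digest(expected, acl_id.encode("utf-8"))


def dictionary_attack(acl_id: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess of the password behind an unsalted digest identity.

    No salt and a single fast SHA-1 mean anyone who can read the ACL can
    run a wordlist against it offline; this is why the scheme should be
    treated as a weak secret, not as secure password storage.
    """
    username, _ = split_acl_id(acl_id)
    for candidate in wordlist:
        if verify_credential(acl_id, username, candidate):
            return candidate
    return None


# Constructed demo values (assumptions for this example, not from a cluster).
POSTED_ID = "testuser1:AWB1i+VKSJP/aUdT1QXi+A4j32o="  # identity quoted in the thread
DEMO_WORDLIST = ["letmein", "password", "password1", "hunter2"]


def matches_posted_example() -> bool:
    """Recompute the identity for testuser1:password1 and compare it with
    the value William posted; run it to confirm the scheme yourself."""
    return verify_credential(POSTED_ID, "testuser1", "password1")


if __name__ == "__main__":
    print(zk_digest_id("testuser1", "password1"))
    print("posted identity reproduced:", matches_posted_example())
    print("dictionary attack found:", dictionary_attack(POSTED_ID, DEMO_WORDLIST))
```

The ACL identity is only as strong as the password behind it, and the digest leaks to anyone who can read the ACL, so choose long random passwords and restrict who can read the znode's ACL rather than relying on the hash itself.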