You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Rob (JIRA)" <ji...@apache.org> on 2018/12/19 19:36:00 UTC
[jira] [Commented] (ZOOKEEPER-1736) Zookeeper SASL authentication
allows anonymus users to log in
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725304#comment-16725304 ]
Rob commented on ZOOKEEPER-1736:
--------------------------------
I agree, this should be a bug based upon the original description of the issue (1634)
Which states: "We want to protect a ZK server by enforcing a simple authentication to every client no matter which znode it is trying to access. *Every connection (or operation) from the client won't be established but rejected if it doesn't come with a valid authentication information.* As we don't have any other distinction between znodes in term of authorization, we don't want any ACLs on any znode."
But the code implemented only is exercised if a SASL connection is requested to start with. It does not address plaintext connection requests coming in on the same zookeeper port. If no authentication mechanism is provided, then the connections is made with “world” access granted.
If this code is not intended to address plaintext connections, there needs to be another security parameter to expressly allow or disallow unsecure(plaintext) connections to the zookeeper. Something like zookeeper.allowUnauthenticatedClients= ture/false
> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>
> Key: ZOOKEEPER-1736
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Environment: Development
> Reporter: AntonioS
> Priority: Major
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary username and password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I authenticate, otherwise not and I get an exception.
> The problem is when I don’t put any username and password at all, zookeeper allows me to go through.
> I tried different things but nothing stops anonymous users to log in.
> I was looking at the source code, in particular the ZookeeperServer.java, this method:
> public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {
> The section below:
> } else {
> if (h.getType() == OpCode.sasl) {
> Record rsp = processSasl(incomingBuffer,cnxn);
> ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
> cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
> }
> else {
> Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
> h.getType(), incomingBuffer, cnxn.getAuthInfo());
> si.setOwner(ServerCnxn.me);
> submitRequest(si);
> }
> }
> The else flow appears to just forward any anonymous request to the handler, without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
> Thanks
> Antonio
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)