Posted to user@zookeeper.apache.org by Remi Serrano <rs...@pros.com> on 2018/04/10 13:22:44 UTC

Client-Server authentication with DIGEST-MD5

Hello

I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
and
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication

The Server to Server works fine. However, the Client to Server seems to be useless as here is the behavior I get :

  *   Client using a declared user on the server + good password CAN connect
  *   Client using a declared user on the server + bad password CANNOT connect
  *   Client using a non declared user on the Server CANNOT connect
so far so good... but :

  *   Client using NO user at all CAN connect !!!

Any hint ?


Re: Client-Server authentication with DIGEST-MD5

Posted by Martin Gainty <mg...@hotmail.com>.


________________________________
From: Remi Serrano <rs...@pros.com>
Sent: Wednesday, April 11, 2018 6:02 AM
To: user@zookeeper.apache.org
Subject: RE: Client-Server authentication with DIGEST-MD5

Perfect. Thanks Enrico. It is the 'setAcl /  ' that I was missing.

Rémi

MG>DIGEST acl would need to be added prior to set (as the doc suggests)
MG>Note this is NOT sasl
addAcl / digest:user:tpUq/4Pn5A64fVZyQ0gOJ8ZWqkY=:cdrwa
MG>https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authenticatio

MG>the other way is to CREATE ACL in setACL and then reference the createdACL as 2nd param

zookeeper.setACL(
    '/test/demo',
    [
        new zookeeper.ACL(
            zookeeper.Permission.ADMIN,
            new zookeeper.Id('ip', '127.0.0.1')
        )
    ]
);

MG>question is how could setACL be applied to root if ACL was not previously created?


-----Original Message-----
From: Enrico Olivelli [mailto:eolivelli@gmail.com]
Sent: Wednesday, April 11, 2018 11:12
To: UserZooKeeper <us...@zookeeper.apache.org>
Subject: Re: Client-Server authentication with DIGEST-MD5

2018-04-11 11:08 GMT+02:00 Remi Serrano <rs...@pros.com>:

> Thank you very much Enrico,
>
> So let's move to the ACL level. If I create a new node as :
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT
> any other non authenticated user can DELETE the node. How can I prevent this ?
> I could not find an explicit solution in the doc.
>


I am not sure but I think that in order to prevent deletion you have to set ACLs on the parent, in this case '/', and I don't know if it is possible.
If a node has children it cannot be deleted, so maybe the solution for you is to create a special "root" node, like /myapp and set ACLs on it and on every child.

This is actually what I am doing.
Hope that helps

Enrico



>
> Regards,
>
> Rémi
>
> -----Original Message-----
> From: Enrico Olivelli [mailto:eolivelli@gmail.com]
> Sent: Tuesday, April 10, 2018 15:51
> To: UserZooKeeper <us...@zookeeper.apache.org>
> Subject: Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rs...@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> > and
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems
> > to be useless as here is the behavior I get :
> >
> >   *   Client using a declared user on the server + good password CAN connect
> >   *   Client using a declared user on the server + bad password CANNOT connect
> >   *   Client using a non declared user on the Server CANNOT connect
> > so far so good... but :
> >
> >   *   Client using NO user at all CAN connect !!!
> >
>
>
> This is expected. Client auth is mostly used together with ACLs,
> otherwise AFAIK it is pretty useless in ZK.
>
> Please note that MD5 is not "secure" at all, and consider using
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
>
> >
> > Any hint ?
> >
> >
>

RE: Client-Server authentication with DIGEST-MD5

Posted by Remi Serrano <rs...@pros.com>.
Perfect. Thanks Enrico. It is the 'setAcl /  ' that I was missing.

Rémi


-----Original Message-----
From: Enrico Olivelli [mailto:eolivelli@gmail.com]
Sent: Wednesday, April 11, 2018 11:12
To: UserZooKeeper <us...@zookeeper.apache.org>
Subject: Re: Client-Server authentication with DIGEST-MD5

2018-04-11 11:08 GMT+02:00 Remi Serrano <rs...@pros.com>:

> Thank you very much Enrico,
>
> So let's move to the ACL level. If I create a new node as :
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT
> any other non authenticated user can DELETE the node. How can I prevent this ?
> I could not find an explicit solution in the doc.
>


I am not sure but I think that in order to prevent deletion you have to set ACLs on the parent, in this case '/', and I don't know if it is possible.
If a node has children it cannot be deleted, so maybe the solution for you is to create a special "root" node, like /myapp and set ACLs on it and on every child.

This is actually what I am doing.
Hope that helps

Enrico



>
> Regards,
>
> Rémi
>
> -----Original Message-----
> From: Enrico Olivelli [mailto:eolivelli@gmail.com]
> Sent: Tuesday, April 10, 2018 15:51
> To: UserZooKeeper <us...@zookeeper.apache.org>
> Subject: Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rs...@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> > and
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems
> > to be useless as here is the behavior I get :
> >
> >   *   Client using a declared user on the server + good password CAN connect
> >   *   Client using a declared user on the server + bad password CANNOT connect
> >   *   Client using a non declared user on the Server CANNOT connect
> > so far so good... but :
> >
> >   *   Client using NO user at all CAN connect !!!
> >
>
>
> This is expected. Client auth is mostly used together with ACLs,
> otherwise AFAIK it is pretty useless in ZK.
>
> Please note that MD5 is not "secure" at all, and consider using
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
>
> >
> > Any hint ?
> >
> >
>

Re: Client-Server authentication with DIGEST-MD5

Posted by Enrico Olivelli <eo...@gmail.com>.
2018-04-11 11:08 GMT+02:00 Remi Serrano <rs...@pros.com>:

> Thank you very much Enrico,
>
> So let's move to the ACL level. If I create a new node as :
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT any
> other non authenticated user can DELETE the node. How can I prevent this ?
> I could not find an explicit solution in the doc.
>


I am not sure but I think that in order to prevent deletion you have to set
ACLs on the parent, in this case '/', and I don't know if it is possible.
If a node has children it cannot be deleted, so maybe the solution for you
is to create a special "root" node, like
/myapp and set ACLs on it and on every child.

This is actually what I am doing.
Hope that helps

Enrico



>
> Regards,
>
> Rémi
>
> -----Original Message-----
> From: Enrico Olivelli [mailto:eolivelli@gmail.com]
> Sent: Tuesday, April 10, 2018 15:51
> To: UserZooKeeper <us...@zookeeper.apache.org>
> Subject: Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rs...@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> > and
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems
> > to be useless as here is the behavior I get :
> >
> >   *   Client using a declared user on the server + good password CAN connect
> >   *   Client using a declared user on the server + bad password CANNOT connect
> >   *   Client using a non declared user on the Server CANNOT connect
> > so far so good... but :
> >
> >   *   Client using NO user at all CAN connect !!!
> >
>
>
> This is expected. Client auth is mostly used together with ACLs, otherwise
> AFAIK it is pretty useless in ZK.
>
> Please note that MD5 is not "secure" at all, and consider using
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
>
> >
> > Any hint ?
> >
> >
>
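The parent-ACL behaviour discussed in this thread, as an added Python model; it is not part of any poster's message and not ZooKeeper's own code. `Tree`, `parent_of`, `demo` and the password are constructed for the illustration; `digest_id` follows the digest scheme's `user:base64(sha1("user:password"))` form.

```python
import base64
import hashlib

def digest_id(user, password):
    """Id for the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"

class Tree:
    """Toy model of znode ACL checks (hypothetical, for illustration only)."""
    def __init__(self):
        self.acl = {"/": [("world", "anyone", "cdrwa")]}  # root starts open
    def allowed(self, path, perm, auth):
        ids = {("world", "anyone"), *auth}  # unauthenticated sessions are world:anyone
        return any((s, i) in ids and perm in p for s, i, p in self.acl[path])
    def create(self, path, acl, auth=()):
        ok = self.allowed(parent_of(path), "c", auth)  # CREATE is checked on the parent
        if ok:
            self.acl[path] = acl
        return ok
    def set_acl(self, path, acl, auth=()):
        ok = self.allowed(path, "a", auth)  # ADMIN is checked on the node itself
        if ok:
            self.acl[path] = acl
        return ok
    def delete(self, path, auth=()):
        empty = not any(parent_of(p) == path for p in self.acl if p != "/")
        ok = empty and self.allowed(parent_of(path), "d", auth)  # DELETE: parent's ACL
        if ok:
            del self.acl[path]
        return ok

def demo():
    me = [("digest", digest_id("myuser", "constructed-password"))]
    acl = [("digest", me[0][1], "cdrwa")]  # only myuser, all permissions
    t, out = Tree(), {}
    t.create("/mynode", acl)
    out["anon_read"] = t.allowed("/mynode", "r", ())
    out["anon_delete_open_root"] = t.delete("/mynode")  # decided by '/', not /mynode
    t.create("/myapp", acl)
    t.create("/myapp/mynode", acl, me)
    out["anon_delete_child"] = t.delete("/myapp/mynode")  # /myapp denies DELETE
    out["anon_delete_myapp"] = t.delete("/myapp")  # refused only while it has children
    out["lock_root"] = t.set_acl("/", acl, me)  # the 'setAcl /' step
    out["anon_create_after_lock"] = t.create("/other", acl)
    return out
```

In this model `/myapp` is protected from unauthenticated deletion only while it has children; restricting the ACL on `/` removes that dependency.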

RE: Client-Server authentication with DIGEST-MD5

Posted by Remi Serrano <rs...@pros.com>.
Thank you very much Enrico,

So let's move to the ACL level. If I create a new node as :

Create /mynode content sasl:myuser:mydigest:crdwa

Indeed only the authenticated myuser is able to READ /mynode... BUT any other non authenticated user can DELETE the node. How can I prevent this ?  I could not find an explicit solution in the doc.

Regards,

Rémi

-----Original Message-----
From: Enrico Olivelli [mailto:eolivelli@gmail.com]
Sent: Tuesday, April 10, 2018 15:51
To: UserZooKeeper <us...@zookeeper.apache.org>
Subject: Re: Client-Server authentication with DIGEST-MD5

2018-04-10 15:22 GMT+02:00 Remi Serrano <rs...@pros.com>:

> Hello
>
> I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> and
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>
> The Server to Server works fine. However, the Client to Server seems
> to be useless as here is the behavior I get :
>
>   *   Client using a declared user on the server + good password CAN connect
>   *   Client using a declared user on the server + bad password CANNOT connect
>   *   Client using a non declared user on the Server CANNOT connect
> so far so good... but :
>
>   *   Client using NO user at all CAN connect !!!
>


This is expected. Client auth is mostly used together with ACLs, otherwise AFAIK it is pretty useless in ZK.

Please note that MD5 is not "secure" at all, and consider using SASL/Kerberos for a production environment.

Cheers
Enrico


>
> Any hint ?
>
>

Re: Client-Server authentication with DIGEST-MD5

Posted by Enrico Olivelli <eo...@gmail.com>.
2018-04-10 15:22 GMT+02:00 Remi Serrano <rs...@pros.com>:

> Hello
>
> I'm trying to secure my ZK cluster. To do so I'm trying to leverage both :
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> and
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>
> The Server to Server works fine. However, the Client to Server seems to be
> useless as here is the behavior I get :
>
>   *   Client using a declared user on the server + good password CAN connect
>   *   Client using a declared user on the server + bad password CANNOT connect
>   *   Client using a non declared user on the Server CANNOT connect
> so far so good... but :
>
>   *   Client using NO user at all CAN connect !!!
>


This is expected. Client auth is mostly used together with ACLs, otherwise
AFAIK it is pretty useless in ZK.

Please note that MD5 is not "secure" at all, and consider using
SASL/Kerberos for a production environment.

Cheers
Enrico


>
> Any hint ?
>
>