Side affects of setting quorumListenOnAllIPs to true

[rammohan ganapavarapu <ra...@gmail.com>]

Hi,

I am trying to see what are the pros and cons of setting
quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or local
proxy environments is not working by keeping default value (false). So can
someone please explain?

Any way zookeeper will form quorum with the servers list from the zoo.conf
static file right? so by enabling this property can any server or IP out of
the zoo.conf can join the quorum?

Ram

Re: Side affects of setting quorumListenOnAllIPs to true

[rammohan ganapavarapu <ra...@gmail.com>]

Thank you all for your suggestions.

On Tue, Jun 16, 2020, 5:56 AM Szalay-Bekő Máté <sz...@gmail.com>
wrote:

> :)
>
> just some info from https://zookeeper.apache.org/security.html
>
> " If you have any concern or believe you have uncovered a vulnerability, we
> suggest that you get in touch via the e-mail address
> security@zookeeper.apache.org. In the message, try to provide a
> description
> of the issue and ideally a way of reproducing it. (...) Please report any
> security problems to the project security address before disclosing it
> publicly. "
>
> Kind regards,
> Mate
>
> On Tue, Jun 16, 2020 at 1:36 PM ashish soni <ai...@gmail.com>
> wrote:
>
> > Good suggestions Mate. We are in progress to implement both (SSL AND
> SASL).
> > Will try to pan out some destructive cases to test it out :)
> >
> > On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <
> szalay.beko.mate@gmail.com
> > >
> > wrote:
> >
> > > Also the best is to use QuorumSASL or QuorumSSL to make sure the
> > ZooKeeper
> > > server-to-server communication is secure and noone who is not trusted
> can
> > > connect and gain access to the quorum.
> > >
> > > However, if one is using QuorumSASL or QuorumSSL then it is still
> > possible
> > > that a DOS attack can hit the ZooKeeper port causing problems. But that
> > can
> > > again be solved by firewalls I think.
> > >
> > > On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
> > > szalay.beko.mate@gmail.com> wrote:
> > >
> > > > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> > > zookeeper
> > > > still connect and form a quorum with only the static or dynamic
> server
> > > > connection strings or it can connect and form a quorum with any IP
> > > address
> > > > outside the server connection strings as it is allowed to bind with a
> > > > 0.0.0.0 interface?
> > > >
> > > > This is a good question. I think there is a chance that one can
> > "intrude"
> > > > this way. Although I wouldn't give more tips on the mailing list. :)
> > > > The best is to protect the ZooKeeper internal network using
> firewalls.
> > > The
> > > > election port and leader port should be reachable only by other
> > ZooKeeper
> > > > server hosts.
> > > >
> > > > Regards,
> > > > Mate
> > > >
> > > > On Tue, Jun 16, 2020 at 12:24 PM ashish soni <
> > aishwarya.ashish@gmail.com
> > > >
> > > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> > zookeeper
> > > >> still connect and form a quorum with only the static or dynamic
> server
> > > >> connection strings or it can connect and form a quorum with any IP
> > > address
> > > >> outside the server connection strings as it is allowed to bind with
> a
> > > >> 0.0.0.0 interface?
> > > >>
> > > >> Ram, I think you don't need to add this if you have a static IP
> config
> > > or
> > > >> using 3.6+. If you feel it is a security issue for the organization,
> > try
> > > >> ZK
> > > >> 3.6.1 without setting that config.
> > > >>
> > > >> Regards,
> > > >> Aishwarya Soni
> > > >>
> > > >> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
> > > >> szalay.beko.mate@gmail.com>
> > > >> wrote:
> > > >>
> > > >> > Hi Ram,
> > > >> >
> > > >> > > all i want to know is by enabling this property there are no
> side
> > > >> effects
> > > >> > or security risks.
> > > >> >
> > > >> > well, this is something for you (or for your security team) to
> > > evaluate.
> > > >> > E.g. if your hosts have multiple network interfaces with both
> > > "private"
> > > >> and
> > > >> > "public" networks attached, then I can consider setting
> > > >> > quorumListenOnAllIPs=true to be a security risk. Of course you can
> > > block
> > > >> > the public access with proper firewall rules.
> > > >> >
> > > >> > But usually ZooKeeper is deployed in some secure / core
> > > infrastructure,
> > > >> > well protected from DOS / other attacks, in which
> > > >> > case quorumListenOnAllIPs=true is not a real security risk.
> > > >> >
> > > >> > This is something we (the ZooKeeper community) will not be able to
> > > >> tell, as
> > > >> > this depends on your network topology and your security protocols.
> > We
> > > >> can
> > > >> > only help in explaining what this config is doing.
> > > >> >
> > > >> > Kind regards,
> > > >> > Mate
> > > >> >
> > > >> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> > > >> > rammohanganap@gmail.com> wrote:
> > > >> >
> > > >> > > Mate,
> > > >> > >
> > > >> > > Thanks for explaining, all i want to know is by enabling this
> > > property
> > > >> > > there are no side effects or security risks.
> > > >> > >
> > > >> > > Ram
> > > >> > >
> > > >> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> > > >> > > szalay.beko.mate@gmail.com> wrote:
> > > >> > >
> > > >> > > > Hi Ram,
> > > >> > > >
> > > >> > > > I am not sure I understand your question. The config
> > > >> > quorumListenOnAllIPs
> > > >> > > > is about to specify if the ports ZooKeeper uses for
> > > Server-to-server
> > > >> > > > communication should bind on the specified address/IP
> > > >> > > > (quorumListenOnAllIPs=false) or on 0.0.0.0
> > > >> (quorumListenOnAllIPs=true).
> > > >> > > >
> > > >> > > > An example: You configure your server list using either static
> > or
> > > >> > dynamic
> > > >> > > > configuration like:
> > > >> > > > server.1=a.foo.com:2888:3888
> > > >> > > > server.2=b.foo.com:2888:3888
> > > >> > > > ...
> > > >> > > >
> > > >> > > > In this case when server.2 starts, it reads the config then
> > > >> initiates
> > > >> > > > connection (for ZK internal leader election protocol) to
> > server.1
> > > by
> > > >> > > > connecting to a.foo.com:3888 and sending it's own address (
> > > >> > > b.foo.com:3888)
> > > >> > > > enabling server.1 to connect back. However, if server.2 is
> > behind
> > > a
> > > >> > > proxy /
> > > >> > > > using kubernetes / whatever, then it is possible that you can
> > > reach
> > > >> > > > server.2 as b.foo.com but the ZK process on server.2 can not
> > > >> actually
> > > >> > > bind
> > > >> > > > on b.foo.com:3888. In this case the easiest solution is to
> bind
> > > on
> > > >> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the
> > config
> > > >> file
> > > >> > > of
> > > >> > > > server 2, since in this case server.2 would send 0.0.0.0:3888
> > in
> > > >> the
> > > >> > > > initial message to server.1 and server.1 would try to connect
> > back
> > > >> to
> > > >> > > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this
> case
> > > it
> > > >> > comes
> > > >> > > > handy to set quorumListenOnAllIPs=true which will cause
> > ZooKeeper
> > > to
> > > >> > bind
> > > >> > > > on 0.0.0.0:3888 and still send a 'valid' address in the
> initial
> > > >> > message,
> > > >> > > > an
> > > >> > > > address where other servers can reach it.
> > > >> > > >
> > > >> > > > I hope the explanation made it more (and not less) clear :p
> > > >> > > >
> > > >> > > > Kind regards,
> > > >> > > > Mate
> > > >> > > >
> > > >> > > >
> > > >> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > > >> > > > rammohanganap@gmail.com> wrote:
> > > >> > > >
> > > >> > > > > Hi,
> > > >> > > > >
> > > >> > > > > I am trying to see what are the pros and cons of setting
> > > >> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in
> > mtls
> > > or
> > > >> > > local
> > > >> > > > > proxy environments is not working by keeping default value
> > > >> (false).
> > > >> > So
> > > >> > > > can
> > > >> > > > > someone please explain?
> > > >> > > > >
> > > >> > > > > Any way zookeeper will form quorum with the servers list
> from
> > > the
> > > >> > > > zoo.conf
> > > >> > > > > static file right? so by enabling this property can any
> server
> > > or
> > > >> IP
> > > >> > > out
> > > >> > > > of
> > > >> > > > > the zoo.conf can join the quorum?
> > > >> > > > >
> > > >> > > > > Ram
> > > >> > > > >
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > > >
> > >
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[Szalay-Bekő Máté <sz...@gmail.com>]

:)

just some info from https://zookeeper.apache.org/security.html

" If you have any concern or believe you have uncovered a vulnerability, we
suggest that you get in touch via the e-mail address
security@zookeeper.apache.org. In the message, try to provide a description
of the issue and ideally a way of reproducing it. (...) Please report any
security problems to the project security address before disclosing it
publicly. "

Kind regards,
Mate

On Tue, Jun 16, 2020 at 1:36 PM ashish soni <ai...@gmail.com>
wrote:

> Good suggestions Mate. We are in progress to implement both (SSL AND SASL).
> Will try to pan out some destructive cases to test it out :)
>
> On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com
> >
> wrote:
>
> > Also the best is to use QuorumSASL or QuorumSSL to make sure the
> ZooKeeper
> > server-to-server communication is secure and noone who is not trusted can
> > connect and gain access to the quorum.
> >
> > However, if one is using QuorumSASL or QuorumSSL then it is still
> possible
> > that a DOS attack can hit the ZooKeeper port causing problems. But that
> can
> > again be solved by firewalls I think.
> >
> > On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
> > szalay.beko.mate@gmail.com> wrote:
> >
> > > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> > zookeeper
> > > still connect and form a quorum with only the static or dynamic server
> > > connection strings or it can connect and form a quorum with any IP
> > address
> > > outside the server connection strings as it is allowed to bind with a
> > > 0.0.0.0 interface?
> > >
> > > This is a good question. I think there is a chance that one can
> "intrude"
> > > this way. Although I wouldn't give more tips on the mailing list. :)
> > > The best is to protect the ZooKeeper internal network using firewalls.
> > The
> > > election port and leader port should be reachable only by other
> ZooKeeper
> > > server hosts.
> > >
> > > Regards,
> > > Mate
> > >
> > > On Tue, Jun 16, 2020 at 12:24 PM ashish soni <
> aishwarya.ashish@gmail.com
> > >
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> zookeeper
> > >> still connect and form a quorum with only the static or dynamic server
> > >> connection strings or it can connect and form a quorum with any IP
> > address
> > >> outside the server connection strings as it is allowed to bind with a
> > >> 0.0.0.0 interface?
> > >>
> > >> Ram, I think you don't need to add this if you have a static IP config
> > or
> > >> using 3.6+. If you feel it is a security issue for the organization,
> try
> > >> ZK
> > >> 3.6.1 without setting that config.
> > >>
> > >> Regards,
> > >> Aishwarya Soni
> > >>
> > >> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
> > >> szalay.beko.mate@gmail.com>
> > >> wrote:
> > >>
> > >> > Hi Ram,
> > >> >
> > >> > > all i want to know is by enabling this property there are no side
> > >> effects
> > >> > or security risks.
> > >> >
> > >> > well, this is something for you (or for your security team) to
> > evaluate.
> > >> > E.g. if your hosts have multiple network interfaces with both
> > "private"
> > >> and
> > >> > "public" networks attached, then I can consider setting
> > >> > quorumListenOnAllIPs=true to be a security risk. Of course you can
> > block
> > >> > the public access with proper firewall rules.
> > >> >
> > >> > But usually ZooKeeper is deployed in some secure / core
> > infrastructure,
> > >> > well protected from DOS / other attacks, in which
> > >> > case quorumListenOnAllIPs=true is not a real security risk.
> > >> >
> > >> > This is something we (the ZooKeeper community) will not be able to
> > >> tell, as
> > >> > this depends on your network topology and your security protocols.
> We
> > >> can
> > >> > only help in explaining what this config is doing.
> > >> >
> > >> > Kind regards,
> > >> > Mate
> > >> >
> > >> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> > >> > rammohanganap@gmail.com> wrote:
> > >> >
> > >> > > Mate,
> > >> > >
> > >> > > Thanks for explaining, all i want to know is by enabling this
> > property
> > >> > > there are no side effects or security risks.
> > >> > >
> > >> > > Ram
> > >> > >
> > >> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> > >> > > szalay.beko.mate@gmail.com> wrote:
> > >> > >
> > >> > > > Hi Ram,
> > >> > > >
> > >> > > > I am not sure I understand your question. The config
> > >> > quorumListenOnAllIPs
> > >> > > > is about to specify if the ports ZooKeeper uses for
> > Server-to-server
> > >> > > > communication should bind on the specified address/IP
> > >> > > > (quorumListenOnAllIPs=false) or on 0.0.0.0
> > >> (quorumListenOnAllIPs=true).
> > >> > > >
> > >> > > > An example: You configure your server list using either static
> or
> > >> > dynamic
> > >> > > > configuration like:
> > >> > > > server.1=a.foo.com:2888:3888
> > >> > > > server.2=b.foo.com:2888:3888
> > >> > > > ...
> > >> > > >
> > >> > > > In this case when server.2 starts, it reads the config then
> > >> initiates
> > >> > > > connection (for ZK internal leader election protocol) to
> server.1
> > by
> > >> > > > connecting to a.foo.com:3888 and sending it's own address (
> > >> > > b.foo.com:3888)
> > >> > > > enabling server.1 to connect back. However, if server.2 is
> behind
> > a
> > >> > > proxy /
> > >> > > > using kubernetes / whatever, then it is possible that you can
> > reach
> > >> > > > server.2 as b.foo.com but the ZK process on server.2 can not
> > >> actually
> > >> > > bind
> > >> > > > on b.foo.com:3888. In this case the easiest solution is to bind
> > on
> > >> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the
> config
> > >> file
> > >> > > of
> > >> > > > server 2, since in this case server.2 would send 0.0.0.0:3888
> in
> > >> the
> > >> > > > initial message to server.1 and server.1 would try to connect
> back
> > >> to
> > >> > > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case
> > it
> > >> > comes
> > >> > > > handy to set quorumListenOnAllIPs=true which will cause
> ZooKeeper
> > to
> > >> > bind
> > >> > > > on 0.0.0.0:3888 and still send a 'valid' address in the initial
> > >> > message,
> > >> > > > an
> > >> > > > address where other servers can reach it.
> > >> > > >
> > >> > > > I hope the explanation made it more (and not less) clear :p
> > >> > > >
> > >> > > > Kind regards,
> > >> > > > Mate
> > >> > > >
> > >> > > >
> > >> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > >> > > > rammohanganap@gmail.com> wrote:
> > >> > > >
> > >> > > > > Hi,
> > >> > > > >
> > >> > > > > I am trying to see what are the pros and cons of setting
> > >> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in
> mtls
> > or
> > >> > > local
> > >> > > > > proxy environments is not working by keeping default value
> > >> (false).
> > >> > So
> > >> > > > can
> > >> > > > > someone please explain?
> > >> > > > >
> > >> > > > > Any way zookeeper will form quorum with the servers list from
> > the
> > >> > > > zoo.conf
> > >> > > > > static file right? so by enabling this property can any server
> > or
> > >> IP
> > >> > > out
> > >> > > > of
> > >> > > > > the zoo.conf can join the quorum?
> > >> > > > >
> > >> > > > > Ram
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> > >
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[ashish soni <ai...@gmail.com>]

Good suggestions Mate. We are in progress to implement both (SSL AND SASL).
Will try to pan out some destructive cases to test it out :)

On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <sz...@gmail.com>
wrote:

> Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
> server-to-server communication is secure and noone who is not trusted can
> connect and gain access to the quorum.
>
> However, if one is using QuorumSASL or QuorumSSL then it is still possible
> that a DOS attack can hit the ZooKeeper port causing problems. But that can
> again be solved by firewalls I think.
>
> On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
> szalay.beko.mate@gmail.com> wrote:
>
> > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> zookeeper
> > still connect and form a quorum with only the static or dynamic server
> > connection strings or it can connect and form a quorum with any IP
> address
> > outside the server connection strings as it is allowed to bind with a
> > 0.0.0.0 interface?
> >
> > This is a good question. I think there is a chance that one can "intrude"
> > this way. Although I wouldn't give more tips on the mailing list. :)
> > The best is to protect the ZooKeeper internal network using firewalls.
> The
> > election port and leader port should be reachable only by other ZooKeeper
> > server hosts.
> >
> > Regards,
> > Mate
> >
> > On Tue, Jun 16, 2020 at 12:24 PM ashish soni <aishwarya.ashish@gmail.com
> >
> > wrote:
> >
> >> Hi,
> >>
> >> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> >> still connect and form a quorum with only the static or dynamic server
> >> connection strings or it can connect and form a quorum with any IP
> address
> >> outside the server connection strings as it is allowed to bind with a
> >> 0.0.0.0 interface?
> >>
> >> Ram, I think you don't need to add this if you have a static IP config
> or
> >> using 3.6+. If you feel it is a security issue for the organization, try
> >> ZK
> >> 3.6.1 without setting that config.
> >>
> >> Regards,
> >> Aishwarya Soni
> >>
> >> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
> >> szalay.beko.mate@gmail.com>
> >> wrote:
> >>
> >> > Hi Ram,
> >> >
> >> > > all i want to know is by enabling this property there are no side
> >> effects
> >> > or security risks.
> >> >
> >> > well, this is something for you (or for your security team) to
> evaluate.
> >> > E.g. if your hosts have multiple network interfaces with both
> "private"
> >> and
> >> > "public" networks attached, then I can consider setting
> >> > quorumListenOnAllIPs=true to be a security risk. Of course you can
> block
> >> > the public access with proper firewall rules.
> >> >
> >> > But usually ZooKeeper is deployed in some secure / core
> infrastructure,
> >> > well protected from DOS / other attacks, in which
> >> > case quorumListenOnAllIPs=true is not a real security risk.
> >> >
> >> > This is something we (the ZooKeeper community) will not be able to
> >> tell, as
> >> > this depends on your network topology and your security protocols. We
> >> can
> >> > only help in explaining what this config is doing.
> >> >
> >> > Kind regards,
> >> > Mate
> >> >
> >> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> >> > rammohanganap@gmail.com> wrote:
> >> >
> >> > > Mate,
> >> > >
> >> > > Thanks for explaining, all i want to know is by enabling this
> property
> >> > > there are no side effects or security risks.
> >> > >
> >> > > Ram
> >> > >
> >> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> >> > > szalay.beko.mate@gmail.com> wrote:
> >> > >
> >> > > > Hi Ram,
> >> > > >
> >> > > > I am not sure I understand your question. The config
> >> > quorumListenOnAllIPs
> >> > > > is about to specify if the ports ZooKeeper uses for
> Server-to-server
> >> > > > communication should bind on the specified address/IP
> >> > > > (quorumListenOnAllIPs=false) or on 0.0.0.0
> >> (quorumListenOnAllIPs=true).
> >> > > >
> >> > > > An example: You configure your server list using either static or
> >> > dynamic
> >> > > > configuration like:
> >> > > > server.1=a.foo.com:2888:3888
> >> > > > server.2=b.foo.com:2888:3888
> >> > > > ...
> >> > > >
> >> > > > In this case when server.2 starts, it reads the config then
> >> initiates
> >> > > > connection (for ZK internal leader election protocol) to server.1
> by
> >> > > > connecting to a.foo.com:3888 and sending it's own address (
> >> > > b.foo.com:3888)
> >> > > > enabling server.1 to connect back. However, if server.2 is behind
> a
> >> > > proxy /
> >> > > > using kubernetes / whatever, then it is possible that you can
> reach
> >> > > > server.2 as b.foo.com but the ZK process on server.2 can not
> >> actually
> >> > > bind
> >> > > > on b.foo.com:3888. In this case the easiest solution is to bind
> on
> >> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config
> >> file
> >> > > of
> >> > > > server 2, since in this case server.2 would send 0.0.0.0:3888 in
> >> the
> >> > > > initial message to server.1 and server.1 would try to connect back
> >> to
> >> > > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case
> it
> >> > comes
> >> > > > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper
> to
> >> > bind
> >> > > > on 0.0.0.0:3888 and still send a 'valid' address in the initial
> >> > message,
> >> > > > an
> >> > > > address where other servers can reach it.
> >> > > >
> >> > > > I hope the explanation made it more (and not less) clear :p
> >> > > >
> >> > > > Kind regards,
> >> > > > Mate
> >> > > >
> >> > > >
> >> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> >> > > > rammohanganap@gmail.com> wrote:
> >> > > >
> >> > > > > Hi,
> >> > > > >
> >> > > > > I am trying to see what are the pros and cons of setting
> >> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls
> or
> >> > > local
> >> > > > > proxy environments is not working by keeping default value
> >> (false).
> >> > So
> >> > > > can
> >> > > > > someone please explain?
> >> > > > >
> >> > > > > Any way zookeeper will form quorum with the servers list from
> the
> >> > > > zoo.conf
> >> > > > > static file right? so by enabling this property can any server
> or
> >> IP
> >> > > out
> >> > > > of
> >> > > > > the zoo.conf can join the quorum?
> >> > > > >
> >> > > > > Ram
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[Szalay-Bekő Máté <sz...@gmail.com>]

Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
server-to-server communication is secure and noone who is not trusted can
connect and gain access to the quorum.

However, if one is using QuorumSASL or QuorumSSL then it is still possible
that a DOS attack can hit the ZooKeeper port causing problems. But that can
again be solved by firewalls I think.

On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
szalay.beko.mate@gmail.com> wrote:

> > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> still connect and form a quorum with only the static or dynamic server
> connection strings or it can connect and form a quorum with any IP address
> outside the server connection strings as it is allowed to bind with a
> 0.0.0.0 interface?
>
> This is a good question. I think there is a chance that one can "intrude"
> this way. Although I wouldn't give more tips on the mailing list. :)
> The best is to protect the ZooKeeper internal network using firewalls. The
> election port and leader port should be reachable only by other ZooKeeper
> server hosts.
>
> Regards,
> Mate
>
> On Tue, Jun 16, 2020 at 12:24 PM ashish soni <ai...@gmail.com>
> wrote:
>
>> Hi,
>>
>> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
>> still connect and form a quorum with only the static or dynamic server
>> connection strings or it can connect and form a quorum with any IP address
>> outside the server connection strings as it is allowed to bind with a
>> 0.0.0.0 interface?
>>
>> Ram, I think you don't need to add this if you have a static IP config or
>> using 3.6+. If you feel it is a security issue for the organization, try
>> ZK
>> 3.6.1 without setting that config.
>>
>> Regards,
>> Aishwarya Soni
>>
>> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
>> szalay.beko.mate@gmail.com>
>> wrote:
>>
>> > Hi Ram,
>> >
>> > > all i want to know is by enabling this property there are no side
>> effects
>> > or security risks.
>> >
>> > well, this is something for you (or for your security team) to evaluate.
>> > E.g. if your hosts have multiple network interfaces with both "private"
>> and
>> > "public" networks attached, then I can consider setting
>> > quorumListenOnAllIPs=true to be a security risk. Of course you can block
>> > the public access with proper firewall rules.
>> >
>> > But usually ZooKeeper is deployed in some secure / core infrastructure,
>> > well protected from DOS / other attacks, in which
>> > case quorumListenOnAllIPs=true is not a real security risk.
>> >
>> > This is something we (the ZooKeeper community) will not be able to
>> tell, as
>> > this depends on your network topology and your security protocols. We
>> can
>> > only help in explaining what this config is doing.
>> >
>> > Kind regards,
>> > Mate
>> >
>> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
>> > rammohanganap@gmail.com> wrote:
>> >
>> > > Mate,
>> > >
>> > > Thanks for explaining, all i want to know is by enabling this property
>> > > there are no side effects or security risks.
>> > >
>> > > Ram
>> > >
>> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
>> > > szalay.beko.mate@gmail.com> wrote:
>> > >
>> > > > Hi Ram,
>> > > >
>> > > > I am not sure I understand your question. The config
>> > quorumListenOnAllIPs
>> > > > is about to specify if the ports ZooKeeper uses for Server-to-server
>> > > > communication should bind on the specified address/IP
>> > > > (quorumListenOnAllIPs=false) or on 0.0.0.0
>> (quorumListenOnAllIPs=true).
>> > > >
>> > > > An example: You configure your server list using either static or
>> > dynamic
>> > > > configuration like:
>> > > > server.1=a.foo.com:2888:3888
>> > > > server.2=b.foo.com:2888:3888
>> > > > ...
>> > > >
>> > > > In this case when server.2 starts, it reads the config then
>> initiates
>> > > > connection (for ZK internal leader election protocol) to server.1 by
>> > > > connecting to a.foo.com:3888 and sending it's own address (
>> > > b.foo.com:3888)
>> > > > enabling server.1 to connect back. However, if server.2 is behind a
>> > > proxy /
>> > > > using kubernetes / whatever, then it is possible that you can reach
>> > > > server.2 as b.foo.com but the ZK process on server.2 can not
>> actually
>> > > bind
>> > > > on b.foo.com:3888. In this case the easiest solution is to bind on
>> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config
>> file
>> > > of
>> > > > server 2, since in this case server.2 would send 0.0.0.0:3888 in
>> the
>> > > > initial message to server.1 and server.1 would try to connect back
>> to
>> > > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it
>> > comes
>> > > > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to
>> > bind
>> > > > on 0.0.0.0:3888 and still send a 'valid' address in the initial
>> > message,
>> > > > an
>> > > > address where other servers can reach it.
>> > > >
>> > > > I hope the explanation made it more (and not less) clear :p
>> > > >
>> > > > Kind regards,
>> > > > Mate
>> > > >
>> > > >
>> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
>> > > > rammohanganap@gmail.com> wrote:
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > I am trying to see what are the pros and cons of setting
>> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
>> > > local
>> > > > > proxy environments is not working by keeping default value
>> (false).
>> > So
>> > > > can
>> > > > > someone please explain?
>> > > > >
>> > > > > Any way zookeeper will form quorum with the servers list from the
>> > > > zoo.conf
>> > > > > static file right? so by enabling this property can any server or
>> IP
>> > > out
>> > > > of
>> > > > > the zoo.conf can join the quorum?
>> > > > >
>> > > > > Ram
>> > > > >
>> > > >
>> > >
>> >
>>
>

Re: Side affects of setting quorumListenOnAllIPs to true

[Szalay-Bekő Máté <sz...@gmail.com>]

> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
still connect and form a quorum with only the static or dynamic server
connection strings or it can connect and form a quorum with any IP address
outside the server connection strings as it is allowed to bind with a
0.0.0.0 interface?

This is a good question. I think there is a chance that one can "intrude"
this way. Although I wouldn't give more tips on the mailing list. :)
The best is to protect the ZooKeeper internal network using firewalls. The
election port and leader port should be reachable only by other ZooKeeper
server hosts.

Regards,
Mate

On Tue, Jun 16, 2020 at 12:24 PM ashish soni <ai...@gmail.com>
wrote:

> Hi,
>
> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> still connect and form a quorum with only the static or dynamic server
> connection strings or it can connect and form a quorum with any IP address
> outside the server connection strings as it is allowed to bind with a
> 0.0.0.0 interface?
>
> Ram, I think you don't need to add this if you have a static IP config or
> using 3.6+. If you feel it is a security issue for the organization, try ZK
> 3.6.1 without setting that config.
>
> Regards,
> Aishwarya Soni
>
> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
> szalay.beko.mate@gmail.com>
> wrote:
>
> > Hi Ram,
> >
> > > all i want to know is by enabling this property there are no side
> effects
> > or security risks.
> >
> > well, this is something for you (or for your security team) to evaluate.
> > E.g. if your hosts have multiple network interfaces with both "private"
> and
> > "public" networks attached, then I can consider setting
> > quorumListenOnAllIPs=true to be a security risk. Of course you can block
> > the public access with proper firewall rules.
> >
> > But usually ZooKeeper is deployed in some secure / core infrastructure,
> > well protected from DOS / other attacks, in which
> > case quorumListenOnAllIPs=true is not a real security risk.
> >
> > This is something we (the ZooKeeper community) will not be able to tell,
> as
> > this depends on your network topology and your security protocols. We can
> > only help in explaining what this config is doing.
> >
> > Kind regards,
> > Mate
> >
> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> > rammohanganap@gmail.com> wrote:
> >
> > > Mate,
> > >
> > > Thanks for explaining, all i want to know is by enabling this property
> > > there are no side effects or security risks.
> > >
> > > Ram
> > >
> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> > > szalay.beko.mate@gmail.com> wrote:
> > >
> > > > Hi Ram,
> > > >
> > > > I am not sure I understand your question. The config
> > quorumListenOnAllIPs
> > > > is about to specify if the ports ZooKeeper uses for Server-to-server
> > > > communication should bind on the specified address/IP
> > > > (quorumListenOnAllIPs=false) or on 0.0.0.0
> (quorumListenOnAllIPs=true).
> > > >
> > > > An example: You configure your server list using either static or
> > dynamic
> > > > configuration like:
> > > > server.1=a.foo.com:2888:3888
> > > > server.2=b.foo.com:2888:3888
> > > > ...
> > > >
> > > > In this case when server.2 starts, it reads the config then initiates
> > > > connection (for ZK internal leader election protocol) to server.1 by
> > > > connecting to a.foo.com:3888 and sending it's own address (
> > > b.foo.com:3888)
> > > > enabling server.1 to connect back. However, if server.2 is behind a
> > > proxy /
> > > > using kubernetes / whatever, then it is possible that you can reach
> > > > server.2 as b.foo.com but the ZK process on server.2 can not
> actually
> > > bind
> > > > on b.foo.com:3888. In this case the easiest solution is to bind on
> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config
> file
> > > of
> > > > server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> > > > initial message to server.1 and server.1 would try to connect back to
> > > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it
> > comes
> > > > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to
> > bind
> > > > on 0.0.0.0:3888 and still send a 'valid' address in the initial
> > message,
> > > > an
> > > > address where other servers can reach it.
> > > >
> > > > I hope the explanation made it more (and not less) clear :p
> > > >
> > > > Kind regards,
> > > > Mate
> > > >
> > > >
> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > > > rammohanganap@gmail.com> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I am trying to see what are the pros and cons of setting
> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
> > > local
> > > > > proxy environments is not working by keeping default value (false).
> > So
> > > > can
> > > > > someone please explain?
> > > > >
> > > > > Any way zookeeper will form quorum with the servers list from the
> > > > zoo.conf
> > > > > static file right? so by enabling this property can any server or
> IP
> > > out
> > > > of
> > > > > the zoo.conf can join the quorum?
> > > > >
> > > > > Ram
> > > > >
> > > >
> > >
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[ashish soni <ai...@gmail.com>]

Hi,

Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
still connect and form a quorum with only the static or dynamic server
connection strings or it can connect and form a quorum with any IP address
outside the server connection strings as it is allowed to bind with a
0.0.0.0 interface?

Ram, I think you don't need to add this if you have a static IP config or
using 3.6+. If you feel it is a security issue for the organization, try ZK
3.6.1 without setting that config.

Regards,
Aishwarya Soni

On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <sz...@gmail.com>
wrote:

> Hi Ram,
>
> > all i want to know is by enabling this property there are no side effects
> or security risks.
>
> well, this is something for you (or for your security team) to evaluate.
> E.g. if your hosts have multiple network interfaces with both "private" and
> "public" networks attached, then I can consider setting
> quorumListenOnAllIPs=true to be a security risk. Of course you can block
> the public access with proper firewall rules.
>
> But usually ZooKeeper is deployed in some secure / core infrastructure,
> well protected from DOS / other attacks, in which
> case quorumListenOnAllIPs=true is not a real security risk.
>
> This is something we (the ZooKeeper community) will not be able to tell, as
> this depends on your network topology and your security protocols. We can
> only help in explaining what this config is doing.
>
> Kind regards,
> Mate
>
> On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Mate,
> >
> > Thanks for explaining, all i want to know is by enabling this property
> > there are no side effects or security risks.
> >
> > Ram
> >
> > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> > szalay.beko.mate@gmail.com> wrote:
> >
> > > Hi Ram,
> > >
> > > I am not sure I understand your question. The config
> quorumListenOnAllIPs
> > > is about to specify if the ports ZooKeeper uses for Server-to-server
> > > communication should bind on the specified address/IP
> > > (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> > >
> > > An example: You configure your server list using either static or
> dynamic
> > > configuration like:
> > > server.1=a.foo.com:2888:3888
> > > server.2=b.foo.com:2888:3888
> > > ...
> > >
> > > In this case when server.2 starts, it reads the config then initiates
> > > connection (for ZK internal leader election protocol) to server.1 by
> > > connecting to a.foo.com:3888 and sending it's own address (
> > b.foo.com:3888)
> > > enabling server.1 to connect back. However, if server.2 is behind a
> > proxy /
> > > using kubernetes / whatever, then it is possible that you can reach
> > > server.2 as b.foo.com but the ZK process on server.2 can not actually
> > bind
> > > on b.foo.com:3888. In this case the easiest solution is to bind on
> > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file
> > of
> > > server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> > > initial message to server.1 and server.1 would try to connect back to
> > > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it
> comes
> > > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to
> bind
> > > on 0.0.0.0:3888 and still send a 'valid' address in the initial
> message,
> > > an
> > > address where other servers can reach it.
> > >
> > > I hope the explanation made it more (and not less) clear :p
> > >
> > > Kind regards,
> > > Mate
> > >
> > >
> > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > > rammohanganap@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am trying to see what are the pros and cons of setting
> > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
> > local
> > > > proxy environments is not working by keeping default value (false).
> So
> > > can
> > > > someone please explain?
> > > >
> > > > Any way zookeeper will form quorum with the servers list from the
> > > zoo.conf
> > > > static file right? so by enabling this property can any server or IP
> > out
> > > of
> > > > the zoo.conf can join the quorum?
> > > >
> > > > Ram
> > > >
> > >
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[Szalay-Bekő Máté <sz...@gmail.com>]

Hi Ram,

> all i want to know is by enabling this property there are no side effects
or security risks.

well, this is something for you (or for your security team) to evaluate.
E.g. if your hosts have multiple network interfaces with both "private" and
"public" networks attached, then I can consider setting
quorumListenOnAllIPs=true to be a security risk. Of course you can block
the public access with proper firewall rules.

But usually ZooKeeper is deployed in some secure / core infrastructure,
well protected from DOS / other attacks, in which
case quorumListenOnAllIPs=true is not a real security risk.

This is something we (the ZooKeeper community) will not be able to tell, as
this depends on your network topology and your security protocols. We can
only help in explaining what this config is doing.

Kind regards,
Mate

On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Mate,
>
> Thanks for explaining, all i want to know is by enabling this property
> there are no side effects or security risks.
>
> Ram
>
> On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> szalay.beko.mate@gmail.com> wrote:
>
> > Hi Ram,
> >
> > I am not sure I understand your question. The config quorumListenOnAllIPs
> > is about to specify if the ports ZooKeeper uses for Server-to-server
> > communication should bind on the specified address/IP
> > (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> >
> > An example: You configure your server list using either static or dynamic
> > configuration like:
> > server.1=a.foo.com:2888:3888
> > server.2=b.foo.com:2888:3888
> > ...
> >
> > In this case when server.2 starts, it reads the config then initiates
> > connection (for ZK internal leader election protocol) to server.1 by
> > connecting to a.foo.com:3888 and sending it's own address (
> b.foo.com:3888)
> > enabling server.1 to connect back. However, if server.2 is behind a
> proxy /
> > using kubernetes / whatever, then it is possible that you can reach
> > server.2 as b.foo.com but the ZK process on server.2 can not actually
> bind
> > on b.foo.com:3888. In this case the easiest solution is to bind on
> > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file
> of
> > server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> > initial message to server.1 and server.1 would try to connect back to
> > server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it comes
> > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to bind
> > on 0.0.0.0:3888 and still send a 'valid' address in the initial message,
> > an
> > address where other servers can reach it.
> >
> > I hope the explanation made it more (and not less) clear :p
> >
> > Kind regards,
> > Mate
> >
> >
> > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > rammohanganap@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I am trying to see what are the pros and cons of setting
> > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
> local
> > > proxy environments is not working by keeping default value (false). So
> > can
> > > someone please explain?
> > >
> > > Any way zookeeper will form quorum with the servers list from the
> > zoo.conf
> > > static file right? so by enabling this property can any server or IP
> out
> > of
> > > the zoo.conf can join the quorum?
> > >
> > > Ram
> > >
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[rammohan ganapavarapu <ra...@gmail.com>]

Mate,

Thanks for explaining, all i want to know is by enabling this property
there are no side effects or security risks.

Ram

On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
szalay.beko.mate@gmail.com> wrote:

> Hi Ram,
>
> I am not sure I understand your question. The config quorumListenOnAllIPs
> is about to specify if the ports ZooKeeper uses for Server-to-server
> communication should bind on the specified address/IP
> (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
>
> An example: You configure your server list using either static or dynamic
> configuration like:
> server.1=a.foo.com:2888:3888
> server.2=b.foo.com:2888:3888
> ...
>
> In this case when server.2 starts, it reads the config then initiates
> connection (for ZK internal leader election protocol) to server.1 by
> connecting to a.foo.com:3888 and sending it's own address (b.foo.com:3888)
> enabling server.1 to connect back. However, if server.2 is behind a proxy /
> using kubernetes / whatever, then it is possible that you can reach
> server.2 as b.foo.com but the ZK process on server.2 can not actually bind
> on b.foo.com:3888. In this case the easiest solution is to bind on
> 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of
> server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> initial message to server.1 and server.1 would try to connect back to
> server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it comes
> handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to bind
> on 0.0.0.0:3888 and still send a 'valid' address in the initial message,
> an
> address where other servers can reach it.
>
> I hope the explanation made it more (and not less) clear :p
>
> Kind regards,
> Mate
>
>
> On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Hi,
> >
> > I am trying to see what are the pros and cons of setting
> > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or local
> > proxy environments is not working by keeping default value (false). So
> can
> > someone please explain?
> >
> > Any way zookeeper will form quorum with the servers list from the
> zoo.conf
> > static file right? so by enabling this property can any server or IP out
> of
> > the zoo.conf can join the quorum?
> >
> > Ram
> >
>

Re: Side affects of setting quorumListenOnAllIPs to true

[Szalay-Bekő Máté <sz...@gmail.com>]

Hi Ram,

I am not sure I understand your question. The config quorumListenOnAllIPs
is about to specify if the ports ZooKeeper uses for Server-to-server
communication should bind on the specified address/IP
(quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).

An example: You configure your server list using either static or dynamic
configuration like:
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
...

In this case when server.2 starts, it reads the config then initiates
connection (for ZK internal leader election protocol) to server.1 by
connecting to a.foo.com:3888 and sending it's own address (b.foo.com:3888)
enabling server.1 to connect back. However, if server.2 is behind a proxy /
using kubernetes / whatever, then it is possible that you can reach
server.2 as b.foo.com but the ZK process on server.2 can not actually bind
on b.foo.com:3888. In this case the easiest solution is to bind on
0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of
server 2, since in this case server.2 would send 0.0.0.0:3888 in the
initial message to server.1 and server.1 would try to connect back to
server.2 using 0.0.0.0:3888 what is a bad idea. So in this case it comes
handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to bind
on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an
address where other servers can reach it.

I hope the explanation made it more (and not less) clear :p

Kind regards,
Mate


On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Hi,
>
> I am trying to see what are the pros and cons of setting
> quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or local
> proxy environments is not working by keeping default value (false). So can
> someone please explain?
>
> Any way zookeeper will form quorum with the servers list from the zoo.conf
> static file right? so by enabling this property can any server or IP out of
> the zoo.conf can join the quorum?
>
> Ram
>