Posted to user@zookeeper.apache.org by Olivier Mallassi <ol...@gmail.com> on 2014/05/28 09:21:00 UTC

Zookeeper, security and zkCli

hi all

I am facing a "security issue" with Zookeeper (not from the impl but from
the "design" standpoint)

we will use ZK as a service discovery registry (pure common usage...) but
we would like some znodes not to be updated without authentication.

we tested ACL and it works fine but the "limitations" that I see are (1)
pwd transported in clear and (2) you need to manage technical users (so pwd
storage, encryptions, etc etc..)

So we prefer not using ACL and keep anonymous access on all nodes.

But, we are facing "issues" with zkCli because any machine having zkcli can
connect to the Zookeeper ensemble and modify structure / values.

To be honest, I would prefer a solution based on the fact we have a white
list of IPs allowed to access ZK, we control the ssh keys to connect to the
machines etc... Can we do that?

more generally, do you have experience to share with me? how would you
handle that? any suggestions would be welcomed.

Regards.
PS : we are using curator so maybe the ACLProvider could help (to access an
LDAP or...)

Re: Zookeeper, security and zkCli

Posted by Olivier Mallassi <ol...@gmail.com>.
Hi all

I am trying to use the IP based filter and I am facing an issue that I do
not know how to figure out
Here is my code to create a node
 authentSession = new ZooKeeper(host, 100000, watcher);
 authentSession.create(path, "ValueOfNode".getBytes(), getACLs(), CreateMode.PERSISTENT);

I do not explicitly call the addAuthInfo("ip"..) because it is
automatically added.

and here is the getACLs() method
    private static List<ACL> getACLs() throws UnknownHostException {
        Id id = new Id("ip", "192.168.56.0/24"); /* AclIpBasedIntegrationTests.getHostIp()+ */
        List<ACL> aclLst = new ArrayList<ACL>();
        aclLst.add(new ACL(ZooDefs.Perms.ALL, id));

        return aclLst;
    }

It works perfectly if I replace 192.168.56.0/24 with the "real" IP
(192.168.56.101 in my case).
but with the IP mask, it fails

41777001d, packet:: clientPath:null serverPath:null finished:false header::
1,1  replyHeader:: 1,34359738454,-114  request::
'/purClient_192.168.56.101_7d0e7452-2d81-4cc5-92a5-3f7a4b5d0989,#56616c75654f664e6f6465,v{s{31,s{*'ip,'192.168.56.0/24*}}},0  response::
org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode =
InvalidACL for
/purClient_192.168.56.101_7d0e7452-2d81-4cc5-92a5-3f7a4b5d0989
at org.apache.zookeeper.KeeperException.create(KeeperException.java:121)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)

Looking at the code (+ remote debug), and the method fixupACL(..) in
PrepRequestProcessor
- the fixupACL() is called with 2 param List<Id> authInfo, List<ACL> acl .
authinfo contains {ip, 192.168.56.101} so the client IP and acl contains
{ip, 192.168.56.0/24} so the specified ACL.
- we call the isValid() method on IPAuthenticationProvider (
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L963)
with a parameter id.getId() but id is not one of the authInfo (in
parameter) but one associated with the current acl.
- so we call isValid() not with the specified ACL (in my case
192.168.56.0/24) and not with the provided authInfo (192.168.56.101)
- so the isValid() fails to parse the IP cause the last "number" (parts[3])
is 0/24 (
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java#L62
)

is it the expected behavior?
did I miss something?

I can clearly provide my own IPAuthenticationProvider to override the
isValid()

thx for your answer.

Regards.





On Wed, May 28, 2014 at 8:21 PM, Olivier Mallassi <
olivier.mallassi@gmail.com> wrote:

> Yep that's what I saw
> I think that will do the job
>
> Thx
>
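
The parsing failure described in the message above, as an added example that is not part of the thread and is not ZooKeeper's own code: a strict dotted-quad check rejects the ACL id 192.168.56.0/24 because its last part is "0/24", while a check that splits off the prefix length first accepts it and can match the client address. The class and method names (IpAclCheck, parseV4, strictIsValid, prefixBits, matches) are hypothetical; the addresses are the ones from the post.

```java
public class IpAclCheck {
    // Parse a dotted-quad IPv4 address into a 32-bit value; -1 if malformed.
    static long parseV4(String addr) {
        String[] parts = addr.split("\\.", -1);
        if (parts.length != 4) return -1;
        long value = 0;
        for (String part : parts) {
            if (!part.matches("\\d{1,3}")) return -1; // a part such as "0/24" fails here
            int octet = Integer.parseInt(part);
            if (octet > 255) return -1;
            value = (value << 8) | octet;
        }
        return value;
    }

    // Check as described in the post: the whole ACL id is parsed as a plain address.
    static boolean strictIsValid(String id) { return parseV4(id) != -1; }

    // Prefix length of an "addr" or "addr/bits" expression, or -1 if malformed.
    static int prefixBits(String expr) {
        String[] p = expr.split("/", 2);
        if (parseV4(p[0]) == -1) return -1;
        if (p.length == 1) return 32;           // bare address: exact match
        if (!p[1].matches("\\d{1,2}")) return -1;
        int bits = Integer.parseInt(p[1]);
        return bits <= 32 ? bits : -1;
    }

    // True when clientIp falls inside the ACL expression (addr or addr/bits).
    static boolean matches(String clientIp, String aclExpr) {
        int bits = prefixBits(aclExpr);
        long client = parseV4(clientIp);
        if (bits < 0 || client < 0) return false;
        long net = parseV4(aclExpr.split("/", 2)[0]);
        long mask = (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
        return (net & mask) == (client & mask);
    }

    public static void main(String[] args) {
        String acl = "192.168.56.0/24"; // ACL id from the post
        System.out.println("strict isValid:         " + strictIsValid(acl));
        System.out.println("CIDR-aware isValid:     " + (prefixBits(acl) >= 0));
        System.out.println("192.168.56.101 matches: " + matches("192.168.56.101", acl));
        System.out.println("192.168.57.101 matches: " + matches("192.168.57.101", acl));
    }
}
```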

Re: Zookeeper, security and zkCli

Posted by Olivier Mallassi <ol...@gmail.com>.
Yep that's what I saw
I think that will do the job

Thx

On Wednesday, May 28, 2014, Michi Mutsuzaki <mi...@cs.stanford.edu> wrote:

> Hi Olivier,
>
> There is an "ip" authentication scheme.
>
>
> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes

Re: Zookeeper, security and zkCli

Posted by Michi Mutsuzaki <mi...@cs.stanford.edu>.
Hi Olivier,

There is an "ip" authentication scheme.

https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes
