Posted to user@zookeeper.apache.org by Jaewoong Choi <jw...@yahoo-inc.com> on 2012/11/21 20:46:05 UTC

Authentication mechanism

Hi,

I got a question regarding ZooKeeper's authentication mechanism.  Let me describe a scenario first.

1. ZooKeeper server started up with a customized AuthenticationProvider (e.g. XyzAuthenticationProvider, whose authentication scheme is "xyz") enabled with the -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
2. But no znode (including "/" and "/zookeeper") has been assigned any ACL of either this "xyz" scheme or the "auth" scheme, s.t. they are open to the world by default.
3. At this stage, any ZooKeeper client without any authInfo (one that hasn't invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do anything!!  e.g. it can create znodes under "/", etc.

This is what I verified with my test using zookeeper_server-3.4.3 and zookeeper-3.4.3 client library.

Here are some questions.

1. Is the above scenario true?
2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?

Regards,
Jaewoong

Re: Authentication mechanism

Posted by Michi Mutsuzaki <mi...@cs.stanford.edu>.
Hi Jaewoong,

>>> 1. Is the above scenario true?

Yes. Initially the root znode ("/") is open to world:anyone. You need
to set the permission as a part of your bootstrap process.

>>> 2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?

No. I think people usually set connection level ACLs outside of zookeeper.

--Michi

On Sun, Nov 25, 2012 at 9:07 PM, Jaewoong Choi <jw...@yahoo-inc.com> wrote:
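As an added example (not code from this thread), here is a bootstrap step of the kind Michi describes, written in Java against the ZooKeeper client API (where the call the thread refers to as setAuthInfo is ZooKeeper#addAuthInfo): it authenticates first, then walks the tree and replaces every ACL that grants world:anyone more than READ with the "auth"-scheme CREATOR_ALL_ACL, which the server resolves to the session's authenticated ids. The connect string, the "xyz" credential bytes and the starting path are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

public class AclBootstrap {
    // Walk the tree from `root` and replace every ACL that lets world:anyone do more
    // than READ with CREATOR_ALL_ACL (scheme "auth", ALL perms). Returns the number
    // of znodes whose ACL was changed.
    static int lockDown(ZooKeeper zk, String root) throws KeeperException, InterruptedException {
        int changed = 0;
        Stat stat = new Stat();
        List<ACL> acl = zk.getACL(root, stat);
        if (isOpenToWorld(acl)) {
            // Pass the ACL version so a concurrent ACL change fails loudly
            // (BadVersionException) instead of being silently overwritten.
            zk.setACL(root, ZooDefs.Ids.CREATOR_ALL_ACL, stat.getAversion());
            changed++;
        }
        for (String child : zk.getChildren(root, false)) {
            String path = root.equals("/") ? "/" + child : root + "/" + child;
            changed += lockDown(zk, path);
        }
        return changed;
    }

    // True if any entry grants world:anyone a permission beyond READ.
    static boolean isOpenToWorld(List<ACL> acl) {
        for (ACL a : acl) {
            boolean anyone = "world".equals(a.getId().getScheme())
                    && "anyone".equals(a.getId().getId());
            if (anyone && (a.getPerms() & ~ZooDefs.Perms.READ) != 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: a server at localhost:2181 with the custom "xyz" provider loaded.
        ZooKeeper zk = new ZooKeeper("localhost:2181", 30000, event -> { });
        // Authenticate before touching ACLs: the server rejects an "auth"-scheme ACL
        // (InvalidACLException) when the session has no authenticated ids, which
        // also protects against locking yourself out of "/".
        zk.addAuthInfo("xyz", "bootstrap-credential".getBytes(StandardCharsets.UTF_8));  // assumed credential
        System.out.println("locked down " + lockDown(zk, "/") + " znodes");
        zk.close();
    }
}
```

After this runs, a session that never calls addAuthInfo has no ids in scheme "auth", so it can neither read nor create under "/", which is the znode-level answer to the first question; the second (refusing the connection itself) still has to be handled outside ZooKeeper, as Michi notes.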

Re: Authentication mechanism

Posted by Jaewoong Choi <jw...@yahoo-inc.com>.
I believe I've read it several times.  I guess you refer to the following statement:
"... When a client connects to ZooKeeper and authenticates itself, ZooKeeper associates all the ids that correspond to a client with the clients connection. "

From my understanding based on my real tests, the client authenticates by calling ZooKeeper#setAuthInfo.  In other words, authentication never happens if the client bypasses authentication (#setAuthInfo).  Could you please confirm and clarify?  Haven't you been able to reproduce the scenario I described below?

Thanks,
Jaewoong

On Nov 22, 2012, at 1:23 PM, Flavio Junqueira wrote:



Re: Authentication mechanism

Posted by Flavio Junqueira <fp...@yahoo-inc.com>.
Hi Jaewoong,

I'm not sure if you have had a chance to look at the documentation:

	http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

My understanding is that a client authenticates when it connects.

-Flavio

On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:
