Posted to user@zookeeper.apache.org by David Graf <da...@28msec.com> on 2009/06/16 16:19:59 UTC

Authentification for Zookeeper Server

Hello

I've implemented a locking service with ZooKeeper (in C++). It was  
pretty easy to implement! Now, I would like to set up some kind of  
authentification on the server(s) to avoid that others are using my  
ZooKeeper server(s).

How can I do that? In the documentation (zookeeerProgrammers.pdf), I  
only found a paragraph that describes how to set up an access control  
list on every node. But nowhere, I found a possibility to set an  
authentification mechanism on the complete ZooKeeper server.

David Graf

Re: Authentification for Zookeeper Server

Posted by Mahadev Konar <ma...@yahoo-inc.com>.
Hi David, 
Good question. You can set ACLs on the root. There is a minor bug related
to it (though it's easy to get around it).

The jira is
http://issues.apache.org/jira/browse/ZOOKEEPER-433

The bug is that ZooKeeper does not allow you to do a get acl on the root if
it has not been set. You will still be able to set acl on the root and then
do a getacl with the right auth but just that a get acl on a raw root node
without any ACLs being set by admin/user fails.

Hope that helps
mahadev 


On 6/17/09 12:56 AM, "David Graf" <da...@28msec.com> wrote:

> Hello
> 
> Thanks a lot for the answers!
> 
> Due to the fact that I am running my ZooKeeper servers and clients on
> Amazon EC2 instances, using the ec2 Security Groups might be the best
> choice.
> 
> Nevertheless, I have a question concerning the authentification on the
> znode level. How is it possible to prevent clients creating node on
> the root level? Is it also possible to set an ACL on the root
> (although the root is not created by a client)?
> 
> David


Re: Authentification for Zookeeper Server

Posted by David Graf <da...@28msec.com>.
Hello

Thanks a lot for the answers!

Due to the fact that I am running my ZooKeeper servers and clients on  
Amazon EC2 instances, using the ec2 Security Groups might be the best  
choice.

Nevertheless, I have a question concerning the authentification on the  
znode level. How is it possible to prevent clients creating node on  
the root level? Is it also possible to set an ACL on the root  
(although the root is not created by a client)?

David

Re: Authentification for Zookeeper Server

Posted by Ted Dunning <te...@gmail.com>.
The only things that you can do without pretty solid crypto support are
authorized host lists and misplacing the trust to the client machines
authentication.  Since these provide next to no security (except for
limiting connections to localhost), there isn't much point in making this
kind of authentication pluggable.  Stunnel + only-localhost + current
security (pluggable) limits should be pretty good, though.

On Tue, Jun 16, 2009 at 6:01 PM, Gustavo Niemeyer <n1...@gmail.com> wrote:

> > Remember that the patch is almost trivial.  Add a configuration option
> > acceptConnectionsOnlyFromLocalHost, and then in the server connect logic
> > reject non-localhost attempts (and log a security note).
>
> Sorry, I was actually pondering about it in comparison with the
> investment in implementing some kind of plugin system to allow
> server-wide access restrictions.  This shouldn't be too hard to hack
> in either, but it'd be best to have some kind of agreement on how to
> do it "correctly" so that the work can be integrated upstream, and
> this would require some additional involvement to get the APIs right.

Re: Authentification for Zookeeper Server

Posted by Gustavo Niemeyer <n1...@gmail.com>.
> Remember that the patch is almost trivial.  Add a configuration option
> acceptConnectionsOnlyFromLocalHost, and then in the server connect logic
> reject non-localhost attempts (and log a security note).

Sorry, I was actually pondering about it in comparison with the
investment in implementing some kind of plugin system to allow
server-wide access restrictions.  This shouldn't be too hard to hack
in either, but it'd be best to have some kind of agreement on how to
do it "correctly" so that the work can be integrated upstream, and
this would require some additional involvement to get the APIs right.

-- 
Gustavo Niemeyer
http://niemeyer.net

Re: Authentification for Zookeeper Server

Posted by Ted Dunning <te...@gmail.com>.
Remember that the patch is almost trivial.  Add a configuration option
acceptConnectionsOnlyFromLocalHost, and then in the server connect logic
reject non-localhost attempts (and log a security note).

On Tue, Jun 16, 2009 at 2:53 PM, Gustavo Niemeyer <gu...@niemeyer.net> wrote:

> but the stunnel solution
> should give me a good path without having to invest in patching
> ZooKeeper for a while.
>

Re: Authentification for Zookeeper Server

Posted by Gustavo Niemeyer <gu...@niemeyer.net>.
> I think that the stunnel suggestion actually covers what you want here.
>
> You can set stunnel up so that it listens to a known port and it decrypts
> and forwards traffic to the local zookeeper client port.  You can guarantee
> that no direct connections are possible to the zookeeper in a variety of
> ways, the simplest being a change to zookeeper to allow it to insist that
> all connections be from localhost.
>
> Stunnel can also insist on client certificates so that only approved clients
> would be able to connect.

Indeed, this would cover it reasonably well.  I'd still prefer to have
ZooKeeper itself protecting against unauthorized access to its service
so that the deployment would be simpler, but the stunnel solution
should give me a good path without having to invest in patching
ZooKeeper for a while.

Thanks again for the suggestions.

-- 
Gustavo Niemeyer
http://niemeyer.net

Re: Authentification for Zookeeper Server

Posted by Ted Dunning <te...@gmail.com>.
I think that the stunnel suggestion actually covers what you want here.

You can set stunnel up so that it listens to a known port and it decrypts
and forwards traffic to the local zookeeper client port.  You can guarantee
that no direct connections are possible to the zookeeper in a variety of
ways, the simplest being a change to zookeeper to allow it to insist that
all connections be from localhost.

Stunnel can also insist on client certificates so that only approved clients
would be able to connect.

Your packaged version of zookeeper would include both zookeeper and
stunnel.  You would recommend that iptables be set up to prevent any
attempted connections, but this would only be defense in depth.

On Tue, Jun 16, 2009 at 12:22 PM, Gustavo Niemeyer <gu...@niemeyer.net> wrote:

> > For cluster wide security, I think it is also important to use networking
> > hardware security.  In EC2, this corresponds to the security groups.  For
> > Linux itself, you do this using iptables.
>
> That's the impression I had as well.  Do you think it'd be too tricky
> to implement an equivalent pluggable authentication scheme which would
> operate at the server level?  E.g. something that would allow using a
> shared secret safely, or certificates.
>
> I'm pondering about the possibility of offering ZooKeeper embedded in
> another system, so it'd be best if the system security wasn't
> dependent on the network setup which is left to the user that deploys
> the packed system.




-- 
Ted Dunning, CTO
DeepDyve

111 West Evelyn Ave. Ste. 202
Sunnyvale, CA 94086
http://www.deepdyve.com
858-414-0013 (m)
408-773-0220 (fax)

Re: Authentification for Zookeeper Server

Posted by Gustavo Niemeyer <gu...@niemeyer.net>.
[Mahadev Konar]
> The auth plugin works at the znode level. The server side authentication
> I was talking about is just to verify the authentication for a zookeeper
> client for creating/reading/changing znodes in ZooKeeper.

Ok, understood.  Thanks for these details.

[Ted Dunning]
> For cluster wide security, I think it is also important to use networking
> hardware security.  In EC2, this corresponds to the security groups.  For
> Linux itself, you do this using iptables.

That's the impression I had as well.  Do you think it'd be too tricky
to implement an equivalent pluggable authentication scheme which would
operate at the server level?  E.g. something that would allow using a
shared secret safely, or certificates.

I'm pondering about the possibility of offering ZooKeeper embedded in
another system, so it'd be best if the system security wasn't
dependent on the network setup which is left to the user that deploys
the packed system.

> The basic idea is that you can lock down the network access to the cluster
> so that to access your ZK cluster, you actually have to be running on a
> correct machine.
>
> This doesn't satisfy the original need, but is an important defense in depth
> adjunct to it.

Makes perfect sense.

> Another way to get connection level security on ZK access would be to use
> something like ssh or stunnel  to allow access to the cluster which is
> otherwise completely locked down except for the ZK nodes talking to each
> other.  This approach does meet the original requirements (I think).

I think so as well.  For the same reasons outlined above, it'd be
fantastic to have the authentication system being independent from the
specific deployment environment.  But this is definitely a viable
alternative otherwise.  It also brings encryption as a plus.

Thanks for these ideas,

-- 
Gustavo Niemeyer
http://niemeyer.net

Re: Authentification for Zookeeper Server

Posted by Ted Dunning <te...@gmail.com>.
For cluster wide security, I think it is also important to use networking
hardware security.  In EC2, this corresponds to the security groups.  For
Linux itself, you do this using iptables.

The basic idea is that you can lock down the network access to the cluster
so that to access your ZK cluster, you actually have to be running on a
correct machine.

This doesn't satisfy the original need, but is an important defense in depth
adjunct to it.

Another way to get connection level security on ZK access would be to use
something like ssh or stunnel  to allow access to the cluster which is
otherwise completely locked down except for the ZK nodes talking to each
other.  This approach does meet the original requirements (I think).

On Tue, Jun 16, 2009 at 10:42 AM, Mahadev Konar <ma...@yahoo-inc.com> wrote:

> So, if you want it
> to work at the server level, you will have to add authentication to all the
> znodes that you create in ZooKeeper, so non authenticated clients would not
> be able to read anything in ZooKeeper.
>

Re: Authentification for Zookeeper Server

Posted by Mahadev Konar <ma...@yahoo-inc.com>.
Hi Gustavo,
> or is the idea that you simply allow the
> client to connect, but prevent it from touching any node at all using
> ACLs?
Yes.

The auth plugin works at the znode level. The server side authentication
I was talking about is just to verify the authentication for a zookeeper
client for creating/reading/changing znodes in ZooKeeper. So, if you want it
to work at the server level, you will have to add authentication to all the
znodes that you create in ZooKeeper, so non authenticated clients would not
be able to read anything in ZooKeeper. If you create znodes with no auths,
clients without authentication might be able to read it.


Hope this answers your question.
Thanks
mahadev

On 6/16/09 9:57 AM, "Gustavo Niemeyer" <gu...@niemeyer.net> wrote:

> Hello there,
> 
> I'm an interested newcomer to ZooKeeper, so please forgive me if I
> miss some important basic detail.
> 
> I actually had the same high-level question as the original poster,
> so I'm interested in the response too.
> 
>>  There is a jira open to document this in our forrest docs -
>> 
>> http://issues.apache.org/jira/browse/ZOOKEEPER-329.
>> 
>> I'll try and explain how to do in the email, feel free to respond with more
>> questions. The c and java api both have a call called add_auth/addAuth to
>> add authentication data for a client. Also, you can write plugins at the
>> server side to verify this authentication. Take a look at files in
>> src/java/main/org/apache/zookeeper/server/auth/.
> 
> Oh, interesting.  So the auth plugin API works both at the node level
> and at the server level, or is the idea that you simply allow the
> client to connect, but prevent it from touching any node at all using
> ACLs?


Re: Authentification for Zookeeper Server

Posted by Gustavo Niemeyer <gu...@niemeyer.net>.
Hello there,

I'm an interested newcomer to ZooKeeper, so please forgive me if I
miss some important basic detail.

I actually had the same high-level question as the original poster,
so I'm interested in the response too.

>  There is a jira open to document this in our forrest docs -
>
> http://issues.apache.org/jira/browse/ZOOKEEPER-329.
>
> I'll try and explain how to do in the email, feel free to respond with more
> questions. The c and java api both have a call called add_auth/addAuth to
> add authentication data for a client. Also, you can write plugins at the
> server side to verify this authentication. Take a look at files in
> src/java/main/org/apache/zookeeper/server/auth/.

Oh, interesting.  So the auth plugin API works both at the node level
and at the server level, or is the idea that you simply allow the
client to connect, but prevent it from touching any node at all using
ACLs?

-- 
Gustavo Niemeyer
http://niemeyer.net

Re: Authentification for Zookeeper Server

Posted by Mahadev Konar <ma...@yahoo-inc.com>.
Hi David, 
 There is a jira open to document this in our forrest docs -

http://issues.apache.org/jira/browse/ZOOKEEPER-329.

I'll try and explain how to do in the email, feel free to respond with more
questions. The c and java api both have a call called add_auth/addAuth to
add authentication data for a client. Also, you can write plugins at the
server side to verify this authentication. Take a look at files in
src/java/main/org/apache/zookeeper/server/auth/.

Also, you can add a new authentication to the server using java system
property 
zookeeper.authProvider.newAuth=classname.

After adding the authdata using client addauth api's you can use the
CREATOR_ALL_ACL which means that all the auths that you added using add_auth
will be stored with a znode that you create and will be required to specify
if you want to access those znodes again.

This is a very short explanation, so please feel free to ask more questions
on it.

thanks
mahadev

On 6/16/09 7:19 AM, "David Graf" <da...@28msec.com> wrote:

> Hello
> 
> I've implemented a locking service with ZooKeeper (in C++). It was
> pretty easy to implement! Now, I would like to set up some kind of
> authentification on the server(s) to avoid that others are using my
> ZooKeeper server(s).
> 
> How can I do that? In the documentation (zookeeerProgrammers.pdf), I
> only found a paragraph that describes how to set up an access control
> list on every node. But nowhere, I found a possibility to set an
> authentification mechanism on the complete ZooKeeper server.
> 
> David Graf
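
Added example, not part of the original thread and not ZooKeeper's own code: a simplified Python model of the per-znode ACL check described in the replies about add_auth with CREATOR_ALL_ACL and about setting an ACL on the root. The `Tree` class, `digest_id` and `demo` are hypothetical names, and the user and password are constructed; the permission bits and the digest id format follow ZooKeeper's digest scheme.

```python
import base64
import hashlib

READ, WRITE, CREATE, DELETE, ADMIN, ALL = 1, 2, 4, 8, 16, 31
ANYONE = ("world", "anyone")
OPEN_ACL_UNSAFE = [(ALL, ANYONE)]
CREATOR_ALL_ACL = [(ALL, ("auth", ""))]  # "auth" = the ids the session added

def digest_id(user, password):
    # Id the digest scheme stores in an ACL: user:base64(sha1("user:password")).
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return "digest", f"{user}:{base64.b64encode(raw).decode()}"

class Tree:  # hypothetical model of the server-side check, not ZooKeeper code
    def __init__(self):
        self.acls = {"/": OPEN_ACL_UNSAFE}  # the root starts open

    def allowed(self, ids, path, perm):
        # Checked per znode; nothing is inherited from the parent.
        return any(perms & perm and (who == ANYONE or who in ids)
                   for perms, who in self.acls[path])

    def _fixup(self, ids, acl):
        # An "auth" entry is replaced by every id the session added.
        out = []
        for perms, who in acl:
            out += [(perms, i) for i in ids] if who[0] == "auth" else [(perms, who)]
        if not out:
            raise ValueError("InvalidACL: CREATOR_ALL_ACL without add_auth")
        return out

    def create(self, ids, path, acl):
        parent = path.rsplit("/", 1)[0] or "/"
        if not self.allowed(ids, parent, CREATE):
            raise PermissionError(f"NoAuth: create under {parent}")
        self.acls[path] = self._fixup(ids, acl)

    def set_acl(self, ids, path, acl):
        if not self.allowed(ids, path, ADMIN):
            raise PermissionError(f"NoAuth: setACL on {path}")
        self.acls[path] = self._fixup(ids, acl)

def demo():
    owner, stranger = [digest_id("lockservice", "constructed-secret")], []
    tree = Tree()
    tree.set_acl(owner, "/", CREATOR_ALL_ACL)       # lock the root
    tree.create(owner, "/locks", CREATOR_ALL_ACL)   # protected znode
    tree.create(owner, "/public", OPEN_ACL_UNSAFE)  # znode with no auth
    return {p: tree.allowed(stranger, p, perm)
            for p, perm in (("/", CREATE), ("/locks", READ), ("/public", READ))}
```

In the model, locking the root stops the unauthenticated session from creating top-level znodes, while `/public` stays readable because each znode carries its own ACL.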