Posted to issues@zookeeper.apache.org by "Mate Szalay-Beko (Jira)" <ji...@apache.org> on 2020/10/19 14:58:00 UTC

[jira] [Commented] (ZOOKEEPER-3977) Vuln Reported - Apache Zookeeper Common/Default Nodes Accessible Without ACL

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17216790#comment-17216790 ] 

Mate Szalay-Beko commented on ZOOKEEPER-3977:
---------------------------------------------

Hi,

In Jira we usually track features / bugs, but this is only a configuration / operation related question. I don't know if we have more detailed documentation on this. You can google the question, or ask this on the zookeeper user mailing list (https://zookeeper.apache.org/lists.html).

The short answer is: there are many authentication providers in ZooKeeper. You can define static user/password pairs, but in secure installations people usually use SASL + Kerberos. If you have the authentication provider set, then you can create a zookeeper service user and set the ACL of the "/zookeeper" znode to be accessible only to that given user (e.g. using the ZooKeeper CLI: "setAcl /zookeeper sasl:zookeeper:rwcda").

By the way: ZooKeeper 3.4.5 is an old version, no longer supported by the community. Would you consider upgrading to the latest 3.5.x or 3.6.x version?
(from ZooKeeper 3.5 you can have wire encryption (TLS), and from 3.6 you can also enforce authentication, which is usually also important if you need a really secure installation)

> Vuln Reported - Apache Zookeeper Common/Default Nodes Accessible Without ACL
> ----------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3977
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3977
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: other
>    Affects Versions: 3.4.5
>         Environment: Reported on below operating systems - 
>  # CentOS
>  # Microsoft Windows 2012 R2
>  # RHEL 6.10
>  # RHEL 7.7
>  # RHEL 7.8
>            Reporter: NonOS
>            Priority: Major
>
> A vulnerability titled "Apache Zookeeper Common/Default Nodes Accessible Without ACL" has been reported on our servers, and the recommended solution is to enable ACL on all the nodes.
> We need assistance with steps as to how to enable ACL and how to perform application testing after enabling ACL.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
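Added example (not code from the Jira issue or from the ZooKeeper project): a small audit helper for the "setAcl /zookeeper sasl:zookeeper:rwcda" advice in the comment above. It parses the "scheme:id:perms" argument that setAcl takes, parses the "'scheme,'id" / ": perms" lines that zkCli.sh's getAcl prints, and reports whether a znode is still reachable by unauthenticated clients (world:anyone) and with which permissions, which is the condition the reported finding is about. The permission letters and their bit values are ZooKeeper's own; the getAcl output layout is assumed to be the two-line form zkCli.sh prints, and the CLI transcripts embedded below are constructed for the example.

```python
"""Audit ZooKeeper znode ACLs from getAcl output and compose a restricted setAcl.

Added example for the ZOOKEEPER-3977 thread; not code from the issue or the
ZooKeeper project. Sample CLI transcripts below are constructed.
"""
import re

# Permission letters used by the ZooKeeper CLI and their bit values
# (same values as org.apache.zookeeper.ZooDefs.Perms).
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
ALL_PERMS = "cdrwa"  # letter order getAcl uses when printing permissions


def parse_perms(letters: str) -> int:
    """'rwcda' -> 31. Unknown letters raise, so a typo in an ACL spec fails loudly."""
    bits = 0
    for ch in letters:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission letter {ch!r} in {letters!r}")
        bits |= PERM_BITS[ch]
    return bits


def perms_to_letters(bits: int) -> str:
    """31 -> 'cdrwa' (getAcl letter order)."""
    return "".join(ch for ch in ALL_PERMS if bits & PERM_BITS[ch])


def parse_acl_spec(spec: str) -> dict:
    """Parse a setAcl argument 'scheme:id:perms', e.g. 'sasl:zookeeper:rwcda'.

    Digest ids contain a colon themselves ('digest:user:hash:perms'), so split
    on the first and the last colon only.
    """
    first, last = spec.find(":"), spec.rfind(":")
    if first < 1 or first == last:
        raise ValueError(f"malformed ACL spec {spec!r}, expected scheme:id:perms")
    return {"scheme": spec[:first], "id": spec[first + 1:last],
            "perms": parse_perms(spec[last + 1:])}


# One getAcl entry: "'scheme,'id" followed (same line or next line) by ": perms".
# Assumption: this is the layout zkCli.sh prints for each ACL entry.
_ENTRY_RE = re.compile(
    r"'(?P<scheme>[^,\s]+),'(?P<id>\S*?)\s*:\s*(?P<perms>[rwcda]+)\s*$", re.MULTILINE)


def parse_getacl_output(text: str) -> list:
    """Parse the ACL list printed by 'getAcl <path>'; prompt/echo lines are ignored."""
    return [{"scheme": m["scheme"], "id": m["id"], "perms": parse_perms(m["perms"])}
            for m in _ENTRY_RE.finditer(text)]


def anonymous_perms(acls: list) -> int:
    """Permission bits granted to unauthenticated clients (scheme world, id anyone)."""
    bits = 0
    for acl in acls:
        if acl["scheme"] == "world" and acl["id"] == "anyone":
            bits |= acl["perms"]
    return bits


def audit(path: str, getacl_text: str) -> dict:
    """Summarise whether 'path' is open to anyone and what they may do there."""
    acls = parse_getacl_output(getacl_text)
    anon = anonymous_perms(acls)
    return {
        "path": path,
        "entries": len(acls),
        "anonymous_perms": perms_to_letters(anon),
        "open": anon != 0,
        # anything beyond read for world:anyone is the condition the scanner flagged
        "anonymous_can_modify": bool(anon & ~PERM_BITS["r"]),
    }


def setacl_command(path: str, *specs: str) -> str:
    """Build the zkCli.sh line restricting 'path' to the given specs (validated first).
    Multiple ACL entries are comma-separated, as the CLI expects."""
    for spec in specs:
        parse_acl_spec(spec)
    return f"setAcl {path} {','.join(specs)}"


# Constructed transcript: the default state on a fresh install, '/zookeeper' world-open.
SAMPLE_OPEN = """[zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper
'world,'anyone
: cdrwa
"""

# Constructed transcript after restricting the node to the SASL service user.
SAMPLE_LOCKED = """[zk: localhost:2181(CONNECTED) 1] getAcl /zookeeper
'sasl,'zookeeper
: cdrwa
'world,'anyone
: r
"""

if __name__ == "__main__":
    print(audit("/zookeeper", SAMPLE_OPEN))
    print(audit("/zookeeper", SAMPLE_LOCKED))
    print(setacl_command("/zookeeper", "sasl:zookeeper:rwcda"))
```

Run it against the real output of "getAcl" captured from zkCli.sh for each znode you care about (the default nodes under /zookeeper are the ones named in the finding); any result with "open": True and "anonymous_can_modify": True is a node that still needs the setAcl step from the comment, and the generated setAcl line only takes effect once the SASL (or digest) authentication provider is configured so that the named id can actually authenticate.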