Posted to user@zookeeper.apache.org by Michael Angel <an...@mit.edu> on 2020/01/10 18:20:59 UTC

Secure Configuration of Zookeeper


What resources are available to help harden a Zookeeper installation?
What Zookeeper files should be watched with custom auditing rules?
Reviewing the Zookeeper documentation we don't see many security configuration recommendations beyond the ACL section.

Background: we are running a 3 node Zookeeper for most projects under RHEL 7.7 Systems minimal installs with SELinux, FIPS, and STIG standards.
Zookeeper we are using to support a 3 node Kafka installation.
We are offloading Zookeeper logs to our Central Logging system.
We are blocking the Zookeeper management tcp port 2181.


thanks,

Michael Angel




Re: Secure Configuration of Zookeeper

Posted by Andor Molnar <an...@apache.org>.
Hi Michael,

Very nice topic indeed. Answers inline.


> On 2020. Jan 10., at 19:20, Michael Angel <an...@mit.edu> wrote:
> 
> 
> 
> What resources are available to help harden a Zookeeper installation?


Not much unfortunately. I’m thinking about a new wiki page which would be ideal for this. Currently you can find security related topics in the admin guide, but that’s probably far from complete. What we have currently is:

- Quorum TLS - wire encryption between quorum members:
https://zookeeper.apache.org/doc/r3.5.6/zookeeperAdmin.html#Quorum+TLS

- Client-Server TLS - wire encryption between client and server:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

- Server-Server and Client-Server mutual authentication:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL

- ACL system
https://zookeeper.apache.org/doc/r3.5.6/zookeeperProgrammers.html#sc_ZooKeeperAccessControl


> What Zookeeper files should be watched with custom auditing rules?
> Reviewing the Zookeeper documentation we don't see many security configuration recommendations beyond the ACL section.


What do you mean by ‘custom auditing rules’?


> Background: we are running a 3 node Zookeeper for most projects under RHEL 7.7 Systems minimal installs with SELinux, FIPS, and STIG standards.
> Zookeeper we are using to support a 3 node Kafka installation.
> We are offloading Zookeeper logs to our Central Logging system.
> We are blocking the Zookeeper management tcp port 2181.


That’s usually the standard secure client port. You could also disable the non-secure client port to close that door too.
Setting up an RBAC system or SELinux would also be nice, but we don’t provide rulesets for them.

Andor
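
Added example (not part of either message above, and not ZooKeeper project code): a small check that reads a zoo.cfg and reports when the features listed in the reply are switched off, including the non-secure client port the reply suggests disabling. The sample config, host names and port values are constructed; the keys are the ones used in the linked admin guide and wiki pages.

```python
"""Flag zoo.cfg settings that leave the hardening features from the thread off."""

# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CFG = """\
# constructed sample
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
secureClientPort=2281
sslQuorum=false
quorum.auth.enableSasl=true
quorum.auth.serverRequireSasl=true
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888;2181
"""

QUORUM_SASL_KEYS = ("quorum.auth.enableSasl", "quorum.auth.serverRequireSasl",
                    "quorum.auth.learnerRequireSasl")

def parse_cfg(text):
    """Parse key=value lines, skipping comments, blanks and malformed lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return a list of finding strings for a parsed config."""
    findings = []
    if "clientPort" in cfg:
        findings.append("clientPort set: non-secure client port is open")
    if "secureClientPort" not in cfg:
        findings.append("secureClientPort missing: no client-server TLS listener")
    if cfg.get("sslQuorum", "false").lower() != "true":
        findings.append("sslQuorum not true: quorum TLS is off")
    for key in QUORUM_SASL_KEYS:
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{key} not true: quorum SASL not enforced")
    for key, value in cfg.items():
        # server.N lines may carry a client port after ';' (dynamic config form)
        if key.startswith("server.") and ";" in value:
            findings.append(f"{key} declares a client port after ';': review it")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_cfg(SAMPLE_CFG)):
        print("FINDING:", finding)
```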