zookeeper-dev mailing list archives

From "Bhupendra Kumar Jain (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2699) Restrict 4lw commands based on client IP
Date Fri, 28 Apr 2017 10:50:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15988627#comment-15988627 ]

Bhupendra Kumar Jain commented on ZOOKEEPER-2699:
-------------------------------------------------

Currently 4lw commands are executed without authentication, and a command white-listing mechanism
is available to control DoS. But I think authentication should still be supported, for example
IP-based as mentioned in this JIRA ... Is there any other way of authentication?

> Restrict 4lw commands based on client IP
> ----------------------------------------
>
>                 Key: ZOOKEEPER-2699
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2699
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>
> Currently 4lw commands are executed without authentication and can be accessed from any IP which has access to ZooKeeper server. ZOOKEEPER-2693 attempts to limit the 4lw commands which are enabled by default or enabled by configuration.
> In addition to ZOOKEEPER-2693 we should also restrict 4lw commands based on client IP as well. It is required for the following scenario
> # User wants to enable all the 4lw commands
> # User wants to limit the access of the commands which are considered to be safe by default.
>  
> *Implementation:*
> We can introduce a new property 4lw.commands.host.whitelist
> # By default we allow all the hosts, but of course only on the 4lw exposed commands as per the ZOOKEEPER-2693
> # It can be configured to allow individual IPs (192.168.1.2,192.168.1.3 etc.)
> # It can also be configured to allow a group of IPs like 192.168.1.*



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
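
A sketch of the host matching the issue proposes for 4lw.commands.host.whitelist (individual IPs, groups such as 192.168.1.*, all hosts allowed when the property is unset), added here as an example; it is not ZooKeeper code and not part of the message above. The class name, the IPv4-only handling, and the choice to reject malformed entries and unparseable client addresses are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not ZooKeeper code. Assumes IPv4 text addresses only.
public class FourLetterHostWhitelist {
    private static final int ANY = -1;                // marks a "*" octet
    private final List<int[]> patterns = new ArrayList<>();

    // value: the text of the proposed 4lw.commands.host.whitelist property
    public FourLetterHostWhitelist(String value) {
        if (value == null || value.trim().isEmpty()) return;   // default: allow all hosts
        for (String entry : value.split(",")) {
            int[] p = parse(entry.trim(), true);
            if (p == null) throw new IllegalArgumentException("bad whitelist entry: " + entry);
            patterns.add(p);
        }
        // A value such as "," must not silently turn into "allow everyone".
        if (patterns.isEmpty()) throw new IllegalArgumentException("no entries in: " + value);
    }

    // Returns four octets (ANY for "*" where permitted), or null if the text is not valid.
    private static int[] parse(String text, boolean wildcardOk) {
        String[] parts = text.split("\\.", -1);
        if (parts.length != 4) return null;
        int[] out = new int[4];
        for (int i = 0; i < 4; i++) {
            if (wildcardOk && parts[i].equals("*")) { out[i] = ANY; continue; }
            if (!parts[i].matches("[0-9]{1,3}")) return null;
            out[i] = Integer.parseInt(parts[i]);
            if (out[i] > 255) return null;
        }
        return out;
    }

    public boolean isAllowed(String clientIp) {
        if (patterns.isEmpty()) return true;          // property unset
        int[] ip = parse(clientIp, false);
        if (ip == null) return false;                 // unparseable address: fail closed
        for (int[] p : patterns) {
            boolean match = true;
            // Compare octet by octet so 192.168.1.* cannot match 192.168.10.x.
            for (int i = 0; i < 4; i++) match &= (p[i] == ANY || p[i] == ip[i]);
            if (match) return true;
        }
        return false;
    }

    public static void main(String[] args) {          // constructed sample values
        FourLetterHostWhitelist group = new FourLetterHostWhitelist("192.168.1.*");
        System.out.println(group.isAllowed("192.168.1.77"));   // inside the group
        System.out.println(group.isAllowed("192.168.10.77"));  // different third octet
    }
}
```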
