zookeeper-dev mailing list archives

From "Ramkumar (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ZOOKEEPER-1736) Zookeeper SASL authentication allows anonymous users to log in
Date Mon, 23 Oct 2017 15:49:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215318#comment-16215318 ]

Ramkumar edited comment on ZOOKEEPER-1736 at 10/23/17 3:48 PM:
---------------------------------------------------------------

I am also curious to know why this is not an issue/defect. I am trying to protect zookeeper
in a kubernetes cluster from being accessed by other users. I tried to set up SASL in zookeeper
and set a user on the /broker node in zookeeper so that Kafka rejects the connections to zookeeper
if they don't specify the right user. However, I observe that Kafka still makes the connection successfully
if it doesn't have the "client" configuration set up. This means an anonymous connection is still
allowed to connect to and use zookeeper. Did I miss something? I would like to learn why this is not a
bug.


was (Author: ram_amb@yahoo.com):
I am also curious to know why this is not an issue/defect. I am trying to protect zookeeper
in a kubernetes cluster from being accessed by other users. I tried to set up SASL
in zookeeper and set a user on the /broker node so that the Kafka user won't be able to connect to
zookeeper if they don't specify the right user. However, Kafka still makes the connection successfully
if it doesn't have the "client" configuration set up. This means an anonymous connection is still
allowed to connect to and use zookeeper. Did I miss something?

> Zookeeper SASL authentication allows anonymous users to log in
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1736
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>         Environment: Development
>            Reporter: AntonioS
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using an ordinary username and password stored in the JAAS.conf as a DigestLoginModule.
> I have created a simple jaas.conf file:
> Server {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_admin="admin";
> };
> Client {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="admin"
>     password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I authenticate, otherwise not, and I get an exception.
> The problem is when I don't put any username and password at all: zookeeper allows me to go through.
> I tried different things but nothing stops anonymous users from logging in.
> I was looking at the source code, in particular ZookeeperServer.java, this method:
>     public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {
> The section below:
> } else {
>             if (h.getType() == OpCode.sasl) {
>                 Record rsp = processSasl(incomingBuffer,cnxn);
>                 ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
>                 cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
>             }
>             else {
>                 Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
>                   h.getType(), incomingBuffer, cnxn.getAuthInfo());
>                 si.setOwner(ServerCnxn.me);
>                 submitRequest(si);
>             }
>         }
> The else flow appears to just forward any anonymous request to the handler, without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
> Thanks
> Antonio



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
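The check and the mitigation a practitioner would want here, as an added example that is not code from the ZooKeeper project or from either poster in this thread: `allowSaslFailedClients=false` only rejects a client whose SASL exchange fails, so a client that never attempts SASL gets an ordinary session and the `else` branch quoted above forwards its requests unchanged. On the versions discussed here, what keeps that anonymous session away from the data is the ACL on each znode, bound to the SASL identity. The program below uses the standard ZooKeeper Java client API; it assumes the jaas.conf from the issue (Server user `admin`, Client `admin`/`admin`), an ensemble at `localhost:2181`, and Kafka's `/brokers` node as the path to protect. The class name, hostnames and path are assumptions.

```java
// Added example, not ZooKeeper project code. Assumes the issue's jaas.conf
// and an ensemble at ZK_HOSTS. Run it twice:
//   1) with -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf
//      -> connects via SASL as "admin" and locks PROTECTED_PATH to sasl:admin
//   2) without that property (no Client section at all)
//      -> an anonymous session is still granted, but reads must fail with NoAuth
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SaslAclCheck {
    static final String ZK_HOSTS = "localhost:2181";  // assumption: your ensemble
    static final String PROTECTED_PATH = "/brokers";  // assumption: Kafka's root node
    static final String SASL_USER = "admin";          // user_admin from the issue's jaas.conf

    // Opens a session and waits until the client reports SyncConnected.
    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(ZK_HOSTS, 10_000, (WatchedEvent e) -> {
            if (e.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        if (!connected.await(10, TimeUnit.SECONDS)) {
            throw new IllegalStateException("no connection to " + ZK_HOSTS);
        }
        return zk;
    }

    // Mitigation: bind the node to the SASL identity. The server does not refuse
    // sessions that skip SASL, so enforcement has to live in the znode ACL.
    static void lockDown(ZooKeeper zk) throws Exception {
        List<ACL> saslOnly = Collections.singletonList(
            new ACL(ZooDefs.Perms.ALL, new Id("sasl", SASL_USER)));
        if (zk.exists(PROTECTED_PATH, false) == null) {
            zk.create(PROTECTED_PATH, new byte[0], saslOnly, CreateMode.PERSISTENT);
        } else {
            zk.setACL(PROTECTED_PATH, saslOnly, -1);  // -1 = match any ACL version
        }
    }

    // Check: can a session that never authenticated read the node?
    // true  -> protected (server answered NoAuth)
    // false -> anonymous reads succeed, which is the situation in this thread
    static boolean anonymousIsRefused(ZooKeeper zk) throws Exception {
        try {
            zk.getChildren(PROTECTED_PATH, false);
            return false;
        } catch (KeeperException.NoAuthException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean haveJaas = System.getProperty("java.security.auth.login.config") != null;
        ZooKeeper zk = connect();
        try {
            if (haveJaas) {
                lockDown(zk);
                System.out.println("ACL on " + PROTECTED_PATH + " set to sasl:" + SASL_USER);
            } else {
                System.out.println(anonymousIsRefused(zk)
                    ? "OK: anonymous session cannot read " + PROTECTED_PATH
                    : "FAIL: anonymous session can read " + PROTECTED_PATH);
            }
        } finally {
            zk.close();
        }
    }
}
```

Two caveats when using this. ZooKeeper ACLs are per znode and are not inherited, so locking `/brokers` does not cover the children Kafka creates underneath it; Kafka's own `zookeeper.set.acl=true` broker setting makes it create its znodes with `sasl` ACLs. And the anonymous run still obtains a session, which is exactly the behaviour both posters observed: the second run succeeds at connecting and is only refused at the ACL check. Later ZooKeeper releases (3.6.0 onwards, as far as I know) added a server-side `sessionRequireClientSASLAuth` option that refuses sessions that never authenticate; on the versions in this thread, the ACL is the only enforcement point.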
