zookeeper-dev mailing list archives

From "Ramkumar (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ZOOKEEPER-1736) Zookeeper SASL authentication allows anonymus users to log in
Date Mon, 23 Oct 2017 15:50:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215318#comment-16215318 ]

Ramkumar edited comment on ZOOKEEPER-1736 at 10/23/17 3:49 PM:
---------------------------------------------------------------

I am also curious to know why this is not an issue/defect. I am trying to protect ZooKeeper
in a Kubernetes cluster from other users accessing ZooKeeper. I tried to set up SASL in ZooKeeper
and set a user on the /broker node in ZooKeeper so that Kafka rejects connections to ZooKeeper
if they don't specify the right user. However, I observed that Kafka still makes the connection successfully
if it doesn't have the "client" configuration set up. This means anonymous connections are still
allowed to connect to and use ZooKeeper. Did I miss something that explains why this is not a
bug?


was (Author: ram_amb@yahoo.com):
I am also curious to know why this is not an issue /defect. I am trying to protect zookeeper
in kubernetes cluster from other users to access zookeeper. I tried to set up SASL  in zookeeper
and set a user in /broker node in zookeeper so that Kafka reject the connections to zookeeper
if they dont specify the right user. However I observer, Kafka still makes connection successfully
if they dont have "client" configuration set up. This means anonymous connection is still
allowed to connect and use the zookeeper. did I miss some thing to learn why this is not a
bug?

> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1736
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>         Environment: Development
>            Reporter: AntonioS
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary username and password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_admin="admin";
> };
> Client {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="admin"
>     password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I authenticate, otherwise not and I get an exception.
> The problem is when I don't put any username and password at all, zookeeper allows me to go through.
> I tried different things but nothing stops anonymous users from logging in.
> I was looking at the source code, in particular ZookeeperServer.java, this method:
>     public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException {
> The section below:
> } else {
>             if (h.getType() == OpCode.sasl) {
>                 Record rsp = processSasl(incomingBuffer,cnxn);
>                 ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
>                 cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it?
>             }
>             else {
>                 Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
>                   h.getType(), incomingBuffer, cnxn.getAuthInfo());
>                 si.setOwner(ServerCnxn.me);
>                 submitRequest(si);
>             }
>         }
> The else flow appears to just forward any anonymous request to the handler, without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
> Thanks
> Antonio
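The code path quoted above shows why a session that never starts a SASL exchange is not turned away: the server only authenticates clients that send an OpCode.sasl packet, and every other request is handed straight to the request processor carrying whatever auth info the connection has (none, for an anonymous session). In these releases the control that actually decides whether such a session can read or modify a znode is the znode's ACL, not the server-side SASL setup, which is why Kafka with no "Client" JAAS section still gets through to nodes it created under the default world:anyone ACL. The script below is an added illustration, not part of this JIRA thread or of ZooKeeper or Kafka: it parses the two-line-per-entry output of zkCli's getAcl command and reports which znodes an unauthenticated session can still read or modify. The znode paths and ACL listings in SAMPLE_LISTINGS are constructed for the example.

```python
"""Audit ZooKeeper znode ACLs for access by unauthenticated (non-SASL) sessions.

Added example for the ZOOKEEPER-1736 discussion; the listings below are constructed,
not captured from a real ensemble. Input is the text zkCli prints for 'getAcl <path>'.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Permission letters as printed by zkCli: create, delete, read, write, admin.
# Anything other than read lets a session change the node or its children/ACL.
MUTATING = frozenset("cdwa")


@dataclass(frozen=True)
class Acl:
    scheme: str            # world, sasl, digest, ip, auth, ...
    ident: str             # anyone, admin, 10.0.0.0/8, ...
    perms: FrozenSet[str]  # subset of {c, d, r, w, a}


# zkCli prints each ACL entry as "'scheme,'id" followed by ": perms" on the next line.
_ID_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<ident>.*)$")
_PERM_RE = re.compile(r"^:\s*(?P<perms>[cdrwa]+)$")


def parse_getacl(text: str) -> List[Acl]:
    """Parse zkCli 'getAcl' output into Acl records, ignoring blanks and the prompt echo."""
    acls: List[Acl] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[zk:"):
            continue
        m = _ID_RE.match(line)
        if m:
            pending = (m["scheme"], m["ident"])
            continue
        m = _PERM_RE.match(line)
        if m and pending is not None:
            acls.append(Acl(pending[0], pending[1], frozenset(m["perms"])))
            pending = None
    return acls


def unauthenticated_perms(acls: List[Acl]) -> FrozenSet[str]:
    """Permissions a session that never completed SASL can still exercise.

    world:anyone matches every session, and ip:<addr> entries are matched on the
    peer address alone, so neither requires authentication. sasl, digest and auth
    entries only match authenticated sessions and are therefore not counted.
    """
    perms = set()
    for acl in acls:
        if (acl.scheme, acl.ident) == ("world", "anyone") or acl.scheme == "ip":
            perms |= acl.perms
    return frozenset(perms)


def audit(listings: Dict[str, str]) -> Dict[str, str]:
    """Map each znode path to a finding when an anonymous session can read or modify it."""
    findings: Dict[str, str] = {}
    for path, text in listings.items():
        anon = unauthenticated_perms(parse_getacl(text))
        if anon & MUTATING:
            findings[path] = "anonymous modify: " + "".join(p for p in "cdrwa" if p in anon)
        elif "r" in anon:
            findings[path] = "anonymous read: r"
    return findings


# Constructed sample: three getAcl listings as zkCli would print them.
SAMPLE_LISTINGS = {
    # A node created with no ACL configured gets the open default: any session may do anything.
    "/brokers": "'world,'anyone\n: cdrwa\n",
    # Restricted to the SASL principal from the reporter's jaas.conf; anonymous sessions get NoAuth.
    "/brokers/ids": "'sasl,'admin\n: cdrwa\n",
    # Writable only by admin, but still world-readable.
    "/config": "'sasl,'admin\n: cdrwa\n'world,'anyone\n: r\n",
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_LISTINGS).items():
        print(f"{path}: {finding}")
```

Run against real output by pasting each node's getAcl listing into the dictionary, or by walking the tree with a client library and feeding the same text format. Nodes reported as "anonymous modify" are the ones the reporter's setup does not protect; re-creating them with a sasl:<principal>:cdrwa ACL (or, in later ZooKeeper releases, starting the server with the zookeeper.sessionRequireClientSASLAuth system property so non-SASL sessions are refused outright) closes the gap that the quoted processPacket branch leaves open.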



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
