zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1736) Zookeeper SASL authentication allows anonymus users to log in
Date Wed, 19 Dec 2018 19:36:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725304#comment-16725304

Rob commented on ZOOKEEPER-1736:

I agree, this should be a bug based upon the original description of the issue (1634) 

Which states: "We want to protect a ZK server by enforcing a simple authentication to every
client no matter which znode it is trying to access. *Every connection (or operation) from
the client won't be established but rejected if it doesn't come with a valid authentication
information.* As we don't have any other distinction between znodes in term of authorization,
we don't want any ACLs on any znode."

But the code implemented only is exercised if a SASL connection is requested to start with. 
It does not address plaintext connection requests coming in on the same zookeeper port. If
no authentication mechanism is provided, then the connections is made with “world” access

If this code is not intended to address plaintext connections, there needs to be another security
parameter to expressly allow or disallow unsecure(plaintext)  connections to the zookeeper.
Something like zookeeper.allowUnauthenticatedClients= ture/false

> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>                 Key: ZOOKEEPER-1736
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>         Environment: Development
>            Reporter: AntonioS
>            Priority: Major
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary username and
password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     user_admin="admin";
> };
> Client {
>     org.apache.zookeeper.server.auth.DigestLoginModule required
>     username="admin"
>     password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I authenticate, otherwise
not and I get an exception.
> The problem is when I don’t put any username and password at all, zookeeper allows
me to go through.
> I tried different things but nothing stops anonymous users to log in.
> I was looking at the source code,  in particular the  ZookeeperServer.java, this method:
>     public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException
> The section below:
> } else {
>             if (h.getType() == OpCode.sasl) {
>                 Record rsp = processSasl(incomingBuffer,cnxn);
>                 ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue());
>                 cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what
is it?
>             }
>             else {
>                 Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(),
>                   h.getType(), incomingBuffer, cnxn.getAuthInfo());
>                 si.setOwner(ServerCnxn.me);
>                 submitRequest(si);
>             }
>         }
> The else flow  appears to just forward any anonymous request  to the handler, without
attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
> Thanks
> Antonio

This message was sent by Atlassian JIRA

View raw message