zookeeper-user mailing list archives

From Olivier Mallassi <olivier.malla...@gmail.com>
Subject Re: Zookeeper, security and zkCli
Date Tue, 17 Jun 2014 14:43:29 GMT
Hi all

I am trying to use the IP based filter and I am facing an issue that I do
not know how to figure out.
Here is my code to create a node:
 authentSession = new ZooKeeper(host, 100000, watcher);
 authentSession.create(path, "ValueOfNode".getBytes(), getACLs(), CreateMode.PERSISTENT);

I do not explicitly call the addAuthInfo("ip"..) because it is
automatically added.

And here is the getACLs() method:
    private static List<ACL> getACLs() throws UnknownHostException {
        Id id = new Id("ip", "192.168.56.0/24");/*
AclIpBasedIntegrationTests.getHostIp()+*/
        List<ACL> aclLst = new ArrayList<ACL>();
        aclLst.add(new ACL(ZooDefs.Perms.ALL, id));

        return aclLst;
    }

It works perfectly if I replace 192.168.56.0/24 with the "real" IP
(192.168.56.101 in my case), but with the IP mask it fails:

41777001d, packet:: clientPath:null serverPath:null finished:false header::
1,1  replyHeader:: 1,34359738454,-114  request::
'/purClient_192.168.56.101_7d0e7452-2d81-4cc5-92a5-3f7a4b5d0989,#56616c75654f664e6f6465,v{s{31,s{'ip,'192.168.56.0/24}}},0  response::
org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode =
InvalidACL for
/purClient_192.168.56.101_7d0e7452-2d81-4cc5-92a5-3f7a4b5d0989
at org.apache.zookeeper.KeeperException.create(KeeperException.java:121)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)

Looking at the code (+ remote debug), and the method fixupACL(..) in
PrepRequestProcessor:
- fixupACL() is called with 2 params, List<Id> authInfo and List<ACL> acl.
authInfo contains {ip, 192.168.56.101}, i.e. the client IP, and acl contains
{ip, 192.168.56.0/24}, i.e. the specified ACL.
- we call the isValid() method on IPAuthenticationProvider (
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L963)
with a parameter id.getId(), but id is not one of the authInfo (in
parameter) but the one associated with the current acl.
- so we call isValid() not with the specified ACL (in my case
192.168.56.0/24) and not with the provided authInfo (192.168.56.101)
- so isValid() fails to parse the IP because the last "number" (parts[3])
is 0/24 (
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java#L62
)

Is it the expected behavior?
Did I miss something?

I can clearly provide my own IPAuthenticationProvider to override the
isValid()

thx for your answer.

Regards.
On Wed, May 28, 2014 at 8:21 PM, Olivier Mallassi <
olivier.mallassi@gmail.com> wrote:

> Yep that s what I saw
> I think that will do the job
>
> Thx
>
> On Wednesday, May 28, 2014, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:
>
>> Hi Olivier,
>>
>> There is an "ip" authentication scheme.
>>
>>
>> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes
>>
>> On Wed, May 28, 2014 at 12:21 AM, Olivier Mallassi
>> <olivier.mallassi@gmail.com> wrote:
>> > Hi all
>> >
>> > I am facing a "security issue" with Zookeeper (not from the impl but from
>> > the "design" standpoint)
>> >
>> > We will use ZK as a service discovery registry (pure common usage...) but
>> > we would like that some znodes not be updated without authentication.
>> >
>> > We tested ACL and it works fine but the "limitations" that I see are (1)
>> > pwd transported in clear and (2) you need to manage technical users (so pwd
>> > storage, encryptions, etc etc..)
>> >
>> > So we prefer not using ACL and keep anonymous access on all nodes.
>> >
>> > But, we are facing "issues" with zkCli because any machine having zkCli can
>> > connect to the Zookeeper ensemble and modify structure / values.
>> >
>> > To be honest, I would prefer a solution based on the fact we have a white
>> > list of IPs allowed to access ZK, we control the ssh keys to connect to the
>> > machines etc... Can we do that?
>> >
>> > More generally, do you have experience to share with me? How would you
>> > handle that? Any suggestions would be welcomed.
>> >
>> > Regards.
>> > PS: we are using Curator so maybe the ACLProvider could help (to access an
>> > LDAP or...)
>>
>

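As an added example (not code from the thread or from ZooKeeper itself), here is the CIDR-aware validation and matching logic a custom "ip"-scheme provider needs so that an ACL id such as 192.168.56.0/24 passes validation instead of failing on the "0/24" octet, and so that a connecting client's address is then checked against the prefix. Class and method names are hypothetical; the code is plain Java with no ZooKeeper dependency, so it runs stand-alone.

```java
/** Added example (not ZooKeeper's code): CIDR-aware "ip" id validation and matching. */
public final class CidrIpAcl {

    /** Parse a dotted quad into 4 bytes; return null when it is not a well-formed IPv4 address. */
    static byte[] addrToBytes(String addr) {
        String[] parts = addr.split("\\.", -1);
        if (parts.length != 4) return null;
        byte[] out = new byte[4];
        for (int i = 0; i < 4; i++) {
            try {
                int v = Integer.parseInt(parts[i]);
                if (v < 0 || v > 255) return null;
                out[i] = (byte) v;
            } catch (NumberFormatException e) {
                return null;
            }
        }
        return out;
    }

    /** Accept "a.b.c.d" and "a.b.c.d/bits" (0..32); the dotted-quad-only check in the thread rejects the latter. */
    public static boolean isValid(String id) {
        String[] parts = id.split("/", 2);
        if (addrToBytes(parts[0]) == null) return false;
        if (parts.length == 1) return true;
        try {
            int bits = Integer.parseInt(parts[1]);
            return bits >= 0 && bits <= 32;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /** True when clientIp lies inside aclExpr, which may be a single host or a CIDR range. */
    public static boolean matches(String clientIp, String aclExpr) {
        if (!isValid(aclExpr)) return false;
        byte[] client = addrToBytes(clientIp);
        if (client == null) return false;
        String[] parts = aclExpr.split("/", 2);
        byte[] acl = addrToBytes(parts[0]);
        int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        // Compare only the leading `bits` bits; bits == 0 needs its own case because a 32-bit shift is a no-op in Java.
        int mask = bits == 0 ? 0 : (-1 << (32 - bits));
        return (toInt(client) & mask) == (toInt(acl) & mask);
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the thread: the client address and the range in the ACL.
        System.out.println("isValid(192.168.56.0/24) = " + isValid("192.168.56.0/24"));
        System.out.println("192.168.56.101 in 192.168.56.0/24 = " + matches("192.168.56.101", "192.168.56.0/24"));
        System.out.println("192.168.57.5 in 192.168.56.0/24 = " + matches("192.168.57.5", "192.168.56.0/24"));
    }
}
```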