zookeeper-user mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: Client-Server authentication with DIGEST-MD5
Date Tue, 10 Apr 2018 13:51:14 GMT
2018-04-10 15:22 GMT+02:00 Remi Serrano <rserrano@pros.com>:

> Hello
>
> I'm trying to secure my ZK cluster. To do so I'm trying to leverage both:
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> and
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>
> The Server to Server works fine. However, the Client to Server seems to be
> useless as here is the behavior I get:
>
>   *   Client using a declared user on the server + good password CAN connect
>   *   Client using a declared user on the server + bad password CANNOT connect
>   *   Client using a non-declared user on the Server CANNOT connect
> so far so good... but:
>
>   *   Client using NO user at all CAN connect !!!
>


This is expected. Client auth is mostly used together with ACLs; otherwise,
AFAIK, it is pretty useless in ZK.

Please note that MD5 is not "secure" at all, and consider using
SASL/Kerberos for a production environment.

Cheers
Enrico


>
> Any hint ?
>
>
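
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ZooKeeper's own code: a simplified Python model of the per-znode ACL check, showing why a client with no user still gets a session but is stopped once a znode carries a `sasl` ACL. The users `alice` and `bob` and both ACL lists are constructed for illustration, and only the `world` and `sasl` schemes are modelled.

```python
# Simplified model of ZooKeeper's per-znode ACL check (illustrative, not ZooKeeper source).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def session_ids(sasl_user=None):
    """Identities attached to an accepted session.

    A client that skips SASL still gets a session; it just carries no
    sasl identity. Other schemes (ip, digest) are left out of this model.
    """
    return [("sasl", sasl_user)] if sasl_user else []


def allowed(acl, ids, perm):
    """Return True if any ACL entry grants `perm` to one of the session ids."""
    for scheme, ident, perms in acl:
        if not perms & perm:
            continue
        if (scheme, ident) == ("world", "anyone"):
            return True  # matches every session, authenticated or not
        if (scheme, ident) in ids:
            return True
    return False  # the server would answer with a NoAuth error


# Constructed znodes: one left on the open default, one restricted to SASL users.
OPEN_ACL = [("world", "anyone", ALL)]
RESTRICTED_ACL = [("sasl", "alice", ALL), ("sasl", "bob", READ)]


def report():
    """Evaluate three sessions (no user, alice, bob) against both ACLs."""
    rows = []
    for who in (None, "alice", "bob"):
        ids = session_ids(who)
        rows.append((who or "<no user>",
                     allowed(OPEN_ACL, ids, WRITE),
                     allowed(RESTRICTED_ACL, ids, READ),
                     allowed(RESTRICTED_ACL, ids, WRITE)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-10s open:write=%s restricted:read=%s restricted:write=%s" % row)
```
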
