zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Remi Serrano <rserr...@pros.com>
Subject RE: Client-Server authentication with DIGEST-MD5
Date Wed, 11 Apr 2018 10:02:26 GMT
Perfect. Thanks Enrico. It is the 'setAcl /  ' that I was missing.

Rémi


-----Message d'origine-----
De : Enrico Olivelli [mailto:eolivelli@gmail.com] 
Envoyé : Wednesday, April 11, 2018 11:12
À : UserZooKeeper <user@zookeeper.apache.org>
Objet : Re: Client-Server authentication with DIGEST-MD5

2018-04-11 11:08 GMT+02:00 Remi Serrano <rserrano@pros.com>:

> Thank you very much Enrico,
>
> So let's move at ACL level. If I create a new node as :
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT 
> any other non authenticated user can DELETE the node. How can I prevent this ?
> I Could not find explicit solution in the doc.
>


I am not sure but I think that in order to prevent deletion you have to set ACLs on the parent,
in this case '/', and I don't know if is is possible.
If a node has children it cannot be deleted, so maybe the solution for you is to create a
special "root" node, like /myapp and set ACLs on it and on every children.

This is actually what I am doing.
Hope that helps

Enrico



>
> Regards,
>
> Rémi
>
> -----Message d'origine-----
> De : Enrico Olivelli [mailto:eolivelli@gmail.com] Envoyé : Tuesday, 
> April 10, 2018 15:51 À : UserZooKeeper <user@zookeeper.apache.org> 
> Objet : Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rserrano@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage 
> > both
> :
> > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwi
> > ki 
> > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crse
> > rr
> > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad1314637
> > 90 
> > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZ
> > XV
> > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0
> > Server-Server+mutual+authentication
> > and
> > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwi
> > ki 
> > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crse
> > rr
> > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad1314637
> > 90 
> > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZ
> > XV
> > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0
> > Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems 
> > to be useless as here is the behavior I get :
> >
> >   *   Client using a declared user on the server + good password CAN
> > connect
> >   *   Client using a declared user on the server + bad password CANNOT
> > connect
> >   *   Client using a non  declared user on the Server CANNOT connect
> > so far so good... but :
> >
> >   *   Client using NO user at all CAN connect !!!
> >
>
>
> This is expected. Client auth is mostly used together with ACLs, 
> otherwise AFAIK is pretty useless in ZK.
>
> Please not that MD5 is not "secure" at all, and consider using 
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
>
> >
> > Any hint ?
> >
> >
>
Mime
View raw message