zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tao Wan <Tao....@huawei.com>
Subject Question about digest scheme based ACL in ZooKeeper
Date Wed, 27 Nov 2013 16:35:41 GMT
My understanding of how digest scheme based ACL works in ZooKeeper is as follows:

1.       When creating a digest based ACL, one would add to the ACL "username:Base64(SHA1(username:password)):permissions".

2.       When accessing a zNode, a client needs to send username:password in clear text.

Here are a few questions:

a)      Is the above understanding correct? My testing says yes, but I still want to confirm
with the community.

b)      The description of digest based ACL  in ZooKeeper Programmer's Guide [1] seems  to
indicate both MD5 and SHA1 are used, which is a bit confusing and probably incorrect. Should
this description be updated ?

c)       The document [1] and the code [2] are inconsistent in terms of how a digest is generated.
 The document (and comments in the code) say that a digest is in the form of base64(SHA1(password)),
while the code generates it as base64(SHA1(username:password)). The code indeed splits the
username:password, but it still uses the whole string to generate the digest. Is it intended
to use SHA1(username:password) or a bug?

d)      A good side effect of SHA1(username:password) is that "username:" serves as a salt
to the hash, resulting in different hashes for a same password used by different users. However,
a salt is usually randomly generated and different from a username. Should we consider adding
a random salt when hashing a password?

e)      Since ZooKeeper does not currently support SSL/TLS (unless I miss something), is there
any concern to send username and password in clear text? Should an alternative with better
security be considered?


[1] http://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

"digest uses a username:password string to generate MD5 hash which is then used as an ACL
ID identity. Authentication is done by sending the username:password in clear text. When used
in the ACL the expression will be the username:base64 encoded SHA1 password digest."

[2] generateDigest(String idPassword) in DigestAuthenticationProvider.java

  static public String generateDigest(String idPassword)
            throws NoSuchAlgorithmException {
        String parts[] = idPassword.split(":", 2);
        byte digest[] = MessageDigest.getInstance("SHA1").digest(
        return parts[0] + ":" + base64Encode(digest);

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message