zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andor Molnar <an...@apache.org>
Subject Re: Secure Configuration of Zookeeper
Date Fri, 10 Jan 2020 21:53:26 GMT
Hi Michael,

Very nice topic indeed. Answers inline.


> On 2020. Jan 10., at 19:20, Michael Angel <angelm@mit.edu> wrote:
> 
> 
> 
> What resources are available to help harden a Zookeeper installation?


Not much unfortunately. I’m thinking about a new wiki page which would be ideal for this.
Currently you can find security related topics in the admin guide, but that’s probably far
from complete. What we have currently is:

- Quorum TLS - wire encryption between quorum members:
https://zookeeper.apache.org/doc/r3.5.6/zookeeperAdmin.html#Quorum+TLS

- Client-Server TLS - wire encryption between client and server:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

- Server-Server and Client-Server mutual authentication:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL

- ACL system
https://zookeeper.apache.org/doc/r3.5.6/zookeeperProgrammers.html#sc_ZooKeeperAccessControl


> What Zookeeper files should be watched with custom auditing rules?
> Reviewing the Zookeeper documentation we don't see many security configuration recommendations
beyond the ACL section.


What do you mean by ‘custom auditing rules’?


> Background: we are running a 3 node Zookeeper for most projects under RHEL 7.7 Systems
minimal installs with SELinux, FIPS, and STIG standards.
> Zookeeper we are using to support a 3 node Kafka installation.
> We are offloading Zookeeper logs to our Central Logging system.
> We are blocking the Zookeeper mangement tcp port 2181.


That’s usually the standard secure client port. You could also disable the non-secure client
port to close that door too.
Setting up an RBAC system or SELinux would also be nice, but we don’t provide rulesets for
them.

Andor



Mime
View raw message