zookeeper-user mailing list archives

From Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
Subject Re: Side effects of setting quorumListenOnAllIPs to true
Date Tue, 16 Jun 2020 11:06:43 GMT
Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
server-to-server communication is secure and no one who is not trusted can
connect and gain access to the quorum.

However, if one is using QuorumSASL or QuorumSSL then it is still possible
that a DOS attack can hit the ZooKeeper port causing problems. But that can
again be solved by firewalls I think.

On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
szalay.beko.mate@gmail.com> wrote:

> > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> still connect and form a quorum with only the static or dynamic server
> connection strings or it can connect and form a quorum with any IP address
> outside the server connection strings as it is allowed to bind with a
> 0.0.0.0 interface?
>
> This is a good question. I think there is a chance that one can "intrude"
> this way. Although I wouldn't give more tips on the mailing list. :)
> The best is to protect the ZooKeeper internal network using firewalls. The
> election port and leader port should be reachable only by other ZooKeeper
> server hosts.
>
> Regards,
> Mate
>
> On Tue, Jun 16, 2020 at 12:24 PM ashish soni <aishwarya.ashish@gmail.com>
> wrote:
>
>> Hi,
>>
>> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
>> still connect and form a quorum with only the static or dynamic server
>> connection strings or it can connect and form a quorum with any IP address
>> outside the server connection strings as it is allowed to bind with a
>> 0.0.0.0 interface?
>>
>> Ram, I think you don't need to add this if you have a static IP config or
>> using 3.6+. If you feel it is a security issue for the organization, try
>> ZK 3.6.1 without setting that config.
>>
>> Regards,
>> Aishwarya Soni
>>
>> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <
>> szalay.beko.mate@gmail.com>
>> wrote:
>>
>> > Hi Ram,
>> >
>> > > all i want to know is by enabling this property there are no side
>> > > effects or security risks.
>> >
>> > well, this is something for you (or for your security team) to evaluate.
>> > E.g. if your hosts have multiple network interfaces with both "private"
>> > and "public" networks attached, then I can consider setting
>> > quorumListenOnAllIPs=true to be a security risk. Of course you can block
>> > the public access with proper firewall rules.
>> >
>> > But usually ZooKeeper is deployed in some secure / core infrastructure,
>> > well protected from DOS / other attacks, in which case
>> > quorumListenOnAllIPs=true is not a real security risk.
>> >
>> > This is something we (the ZooKeeper community) will not be able to tell,
>> > as this depends on your network topology and your security protocols. We
>> > can only help in explaining what this config is doing.
>> >
>> > Kind regards,
>> > Mate
>> >
>> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
>> > rammohanganap@gmail.com> wrote:
>> >
>> > > Mate,
>> > >
>> > > Thanks for explaining, all i want to know is by enabling this property
>> > > there are no side effects or security risks.
>> > >
>> > > Ram
>> > >
>> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
>> > > szalay.beko.mate@gmail.com> wrote:
>> > >
>> > > > Hi Ram,
>> > > >
>> > > > I am not sure I understand your question. The config
>> > > > quorumListenOnAllIPs is there to specify if the ports ZooKeeper uses
>> > > > for server-to-server communication should bind on the specified
>> > > > address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0
>> > > > (quorumListenOnAllIPs=true).
>> > > >
>> > > > An example: You configure your server list using either static or
>> > > > dynamic configuration like:
>> > > > server.1=a.foo.com:2888:3888
>> > > > server.2=b.foo.com:2888:3888
>> > > > ...
>> > > >
>> > > > In this case when server.2 starts, it reads the config then initiates
>> > > > connection (for ZK internal leader election protocol) to server.1 by
>> > > > connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888)
>> > > > enabling server.1 to connect back. However, if server.2 is behind a
>> > > > proxy / using kubernetes / whatever, then it is possible that you can
>> > > > reach server.2 as b.foo.com but the ZK process on server.2 can not
>> > > > actually bind on b.foo.com:3888. In this case the easiest solution is to
>> > > > bind on 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the
>> > > > config file of server 2, since in this case server.2 would send
>> > > > 0.0.0.0:3888 in the initial message to server.1 and server.1 would try
>> > > > to connect back to server.2 using 0.0.0.0:3888, which is a bad idea. So
>> > > > in this case it comes in handy to set quorumListenOnAllIPs=true which
>> > > > will cause ZooKeeper to bind on 0.0.0.0:3888 and still send a 'valid'
>> > > > address in the initial message, an address where other servers can
>> > > > reach it.
>> > > >
>> > > > I hope the explanation made it more (and not less) clear :p
>> > > >
>> > > > Kind regards,
>> > > > Mate
>> > > >
>> > > >
>> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
>> > > > rammohanganap@gmail.com> wrote:
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > I am trying to see what are the pros and cons of setting
>> > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
>> > > > > local proxy environments is not working by keeping default value
>> > > > > (false). So can someone please explain?
>> > > > >
>> > > > > Anyway zookeeper will form quorum with the servers list from the
>> > > > > zoo.conf static file right? so by enabling this property can any
>> > > > > server or IP out of the zoo.conf join the quorum?
>> > > > >
>> > > > > Ram
>> > > > >
>> > > >
>> > >
>> >
>>
>
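As an added example (not code from this thread or from the ZooKeeper project): a small Python script that reads the server list from a zoo.cfg in the format quoted above and emits host firewall rules admitting the leader port and election port only from the other listed servers, which is the protection Mate recommends. It also reports the address the quorum listeners bind to for a given server id, following Mate's description of quorumListenOnAllIPs (0.0.0.0 when true, the server's own configured host when false). The config text, the third observer entry, the 10.0.0.x addresses and the iptables command lines are all constructed for illustration; `resolve` is an injected hostname-to-IP lookup so the script runs offline.

```python
"""Derive peer-only firewall rules for ZooKeeper quorum/election ports from zoo.cfg.

Added example, not ZooKeeper project code. The config text below is constructed;
its server lines follow the thread's a.foo.com / b.foo.com example.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample zoo.cfg (hypothetical values; c.foo.com is added as an
# observer to exercise the 3.5+ "host:qport:eport:role;clientport" form).
SAMPLE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorumListenOnAllIPs=true
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888:observer;2181
"""

Server = Tuple[str, int, int]  # (host, quorum/leader port, election port)
SERVER_RE = re.compile(r"^server\.(\d+)\s*=\s*(\S+)$")


def parse_servers(cfg_text: str) -> Dict[int, Server]:
    """Collect server.N entries as {id: (host, quorum_port, election_port)}.

    Accepts the plain host:qport:eport form and the extended form that adds an
    optional role and a ';clientPort' suffix. Raises on malformed entries so a
    bad config is caught before any firewall rule is written."""
    servers: Dict[int, Server] = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if not m:
            continue
        sid = int(m.group(1))
        spec = m.group(2).split(";", 1)[0]      # strip ';clientPort' if present
        parts = spec.split(":")
        if len(parts) < 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"server.{sid}: expected host:quorumPort:electionPort, got {spec!r}")
        servers[sid] = (parts[0], int(parts[1]), int(parts[2]))
    return servers


def config_value(cfg_text: str, key: str, default: str = "") -> str:
    """Return the value of a simple key=value line (last occurrence wins)."""
    value = default
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                value = v.strip()
    return value


def bind_address(cfg_text: str, my_id: int) -> str:
    """Address the quorum/election listeners bind to, as described in the thread:
    0.0.0.0 when quorumListenOnAllIPs=true, otherwise this server's own
    configured host taken from its server.<my_id> line."""
    if config_value(cfg_text, "quorumListenOnAllIPs", "false").lower() == "true":
        return "0.0.0.0"
    return parse_servers(cfg_text)[my_id][0]


def quorum_ports(servers: Dict[int, Server]) -> List[int]:
    """All distinct leader and election ports in the server list."""
    return sorted({p for _, q, e in servers.values() for p in (q, e)})


def firewall_rules(servers: Dict[int, Server], resolve: Callable[[str], str], my_id: int) -> List[str]:
    """iptables lines (constructed format) that ACCEPT leader/election traffic
    only from the other listed servers and DROP everything else aimed at those
    ports. `resolve` maps a hostname to the IP to allow; it is injected so the
    example runs offline (pin the IPs rather than trusting DNS at rule time)."""
    rules: List[str] = []
    for sid, (host, qport, eport) in sorted(servers.items()):
        if sid == my_id:
            continue                            # no rule needed for ourselves
        ip = resolve(host)
        for port in (qport, eport):
            rules.append(f"iptables -A INPUT -p tcp -s {ip} --dport {port} -j ACCEPT")
    # Default-deny for the quorum ports; these must come after the ACCEPTs.
    for port in quorum_ports(servers):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed IPs for the sample hosts.
    ips = {"a.foo.com": "10.0.0.1", "b.foo.com": "10.0.0.2", "c.foo.com": "10.0.0.3"}
    srv = parse_servers(SAMPLE_CFG)
    print("server.2 binds quorum ports on:", bind_address(SAMPLE_CFG, 2))
    for rule in firewall_rules(srv, ips.__getitem__, my_id=2):
        print(rule)
```

Run it on the host that is server.2 and the output is the rule set for that host: ACCEPT for a.foo.com and c.foo.com on 2888 and 3888, then a DROP for each port. Binding on 0.0.0.0 widens which interfaces accept connections, which is exactly why the DROP rules exist; the ACCEPT list stays limited to the addresses in the server list, and the script refuses malformed server lines rather than silently emitting a partial allow-list.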
