zookeeper-user mailing list archives

From ashish soni <aishwarya.ash...@gmail.com>
Subject Re: Side effects of setting quorumListenOnAllIPs to true
Date Tue, 16 Jun 2020 11:09:59 GMT
Good suggestions Mate. We are in the process of implementing both (SSL AND SASL).
Will try to pan out some destructive cases to test it out :)

On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
wrote:

> Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
> server-to-server communication is secure and no one who is not trusted can
> connect and gain access to the quorum.
>
> However, if one is using QuorumSASL or QuorumSSL then it is still possible
> that a DOS attack can hit the ZooKeeper port causing problems. But that can
> again be solved by firewalls I think.
>
> On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <
> szalay.beko.mate@gmail.com> wrote:
>
> > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the
> > > zookeeper still connect and form a quorum with only the static or
> > > dynamic server connection strings or can it connect and form a quorum
> > > with any IP address outside the server connection strings as it is
> > > allowed to bind with a 0.0.0.0 interface?
> >
> > This is a good question. I think there is a chance that one can "intrude"
> > this way. Although I wouldn't give more tips on the mailing list. :)
> > The best is to protect the ZooKeeper internal network using firewalls. The
> > election port and leader port should be reachable only by other ZooKeeper
> > server hosts.
> >
> > Regards,
> > Mate
> >
> > On Tue, Jun 16, 2020 at 12:24 PM ashish soni <aishwarya.ashish@gmail.com>
> > wrote:
> >
> >> Hi,
> >>
> >> Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> >> still connect and form a quorum with only the static or dynamic server
> >> connection strings or can it connect and form a quorum with any IP
> >> address outside the server connection strings as it is allowed to bind
> >> with a 0.0.0.0 interface?
> >>
> >> Ram, I think you don't need to add this if you have a static IP config or
> >> are using 3.6+. If you feel it is a security issue for the organization,
> >> try ZK 3.6.1 without setting that config.
> >>
> >> Regards,
> >> Aishwarya Soni
> >>
> >> On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
> >> wrote:
> >>
> >> > Hi Ram,
> >> >
> >> > > all I want to know is by enabling this property there are no side
> >> > > effects or security risks.
> >> >
> >> > well, this is something for you (or for your security team) to
> >> > evaluate. E.g. if your hosts have multiple network interfaces with both
> >> > "private" and "public" networks attached, then I can consider setting
> >> > quorumListenOnAllIPs=true to be a security risk. Of course you can
> >> > block the public access with proper firewall rules.
> >> >
> >> > But usually ZooKeeper is deployed in some secure / core
> >> > infrastructure, well protected from DOS / other attacks, in which case
> >> > quorumListenOnAllIPs=true is not a real security risk.
> >> >
> >> > This is something we (the ZooKeeper community) will not be able to
> >> > tell, as this depends on your network topology and your security
> >> > protocols. We can only help in explaining what this config is doing.
> >> >
> >> > Kind regards,
> >> > Mate
> >> >
> >> > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> >> > rammohanganap@gmail.com> wrote:
> >> >
> >> > > Mate,
> >> > >
> >> > > Thanks for explaining, all I want to know is by enabling this
> >> > > property there are no side effects or security risks.
> >> > >
> >> > > Ram
> >> > >
> >> > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> >> > > szalay.beko.mate@gmail.com> wrote:
> >> > >
> >> > > > Hi Ram,
> >> > > >
> >> > > > I am not sure I understand your question. The config
> >> > > > quorumListenOnAllIPs is used to specify whether the ports ZooKeeper
> >> > > > uses for server-to-server communication should bind on the
> >> > > > specified address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0
> >> > > > (quorumListenOnAllIPs=true).
> >> > > >
> >> > > > An example: You configure your server list using either static or
> >> > > > dynamic configuration like:
> >> > > > server.1=a.foo.com:2888:3888
> >> > > > server.2=b.foo.com:2888:3888
> >> > > > ...
> >> > > >
> >> > > > In this case when server.2 starts, it reads the config then
> >> > > > initiates a connection (for the ZK internal leader election
> >> > > > protocol) to server.1 by connecting to a.foo.com:3888 and sending
> >> > > > its own address (b.foo.com:3888) enabling server.1 to connect back.
> >> > > > However, if server.2 is behind a proxy / using kubernetes /
> >> > > > whatever, then it is possible that you can reach server.2 as
> >> > > > b.foo.com but the ZK process on server.2 can not actually bind on
> >> > > > b.foo.com:3888. In this case the easiest solution is to bind on
> >> > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config
> >> > > > file of server 2, since in this case server.2 would send
> >> > > > 0.0.0.0:3888 in the initial message to server.1 and server.1 would
> >> > > > try to connect back to server.2 using 0.0.0.0:3888 which is a bad
> >> > > > idea. So in this case it comes in handy to set
> >> > > > quorumListenOnAllIPs=true which will cause ZooKeeper to bind on
> >> > > > 0.0.0.0:3888 and still send a 'valid' address in the initial
> >> > > > message, an address where other servers can reach it.
> >> > > >
> >> > > > I hope the explanation made it more (and not less) clear :p
> >> > > >
> >> > > > Kind regards,
> >> > > > Mate
> >> > > >
> >> > > >
> >> > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> >> > > > rammohanganap@gmail.com> wrote:
> >> > > >
> >> > > > > Hi,
> >> > > > >
> >> > > > > I am trying to see what are the pros and cons of setting
> >> > > > > quorumListenOnAllIPs to true. Running a zookeeper cluster in mtls
> >> > > > > or local proxy environments is not working when keeping the
> >> > > > > default value (false). So can someone please explain?
> >> > > > >
> >> > > > > Anyway zookeeper will form a quorum with the servers list from
> >> > > > > the zoo.conf static file right? So by enabling this property can
> >> > > > > any server or IP outside of the zoo.conf join the quorum?
> >> > > > >
> >> > > > > Ram
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
> >
>
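
The thread above boils down to one defender's check: when quorumListenOnAllIPs=true, the leader port and election port are bound on 0.0.0.0 on every interface of the host, so the quorum must be protected by firewall rules and by QuorumSASL or QuorumSSL. The script below is an added example written for this archive page; it is not code from the thread's participants or from the ZooKeeper project. It parses a zoo.cfg (the key names quorumListenOnAllIPs, sslQuorum and quorum.auth.enableSasl are the real ones from ZooKeeper's administrator guide; the hostnames a.foo.com/b.foo.com/c.foo.com come from Mate's example and the file contents are a constructed sample), reads a captured `ss -ltn` listing (also constructed, in the shape the Linux `ss` tool prints), and reports which quorum ports are bound on a wildcard address and whether the quorum is left unauthenticated. A real QuorumSSL or QuorumSASL deployment needs the keystore/truststore and JAAS settings from the administrator guide on top of the two boolean keys checked here.

```python
"""Audit a ZooKeeper quorum configuration against a socket listing.

Added example for the quorumListenOnAllIPs discussion; it is not code from
ZooKeeper or from anyone on the thread. The zoo.cfg text and the `ss -ltn`
listing below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Constructed zoo.cfg in the shape discussed on the thread (the foo.com
# hostnames are the placeholders from Mate's example).
SAMPLE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorumListenOnAllIPs=true
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888
"""

# Same config with quorum authentication switched on (the two boolean keys
# only; a real deployment also needs keystore / JAAS settings).
HARDENED_CFG = SAMPLE_CFG + "sslQuorum=true\nquorum.auth.enableSasl=true\n"

# Constructed `ss -ltn` output as seen on server.2 after start-up: the leader
# port (2888) and election port (3888) sit on the wildcard address because of
# quorumListenOnAllIPs=true.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:2181        0.0.0.0:*
LISTEN 0      50     0.0.0.0:2888        0.0.0.0:*
LISTEN 0      50     0.0.0.0:3888        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
"""

# server.N=host:leaderPort:electionPort[:role][;clientPort]; only the first
# three fields matter for the quorum ports.
SERVER_RE = re.compile(r"^server\.(\d+)=([^:]+):(\d+):(\d+)")
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


@dataclass
class QuorumConfig:
    listen_all: bool = False
    ssl_quorum: bool = False
    sasl_quorum: bool = False
    leader_ports: set = field(default_factory=set)
    election_ports: set = field(default_factory=set)


def parse_zoo_cfg(text):
    """Extract the quorum-relevant settings from zoo.cfg text."""
    cfg = QuorumConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m:
            cfg.leader_ports.add(int(m.group(3)))
            cfg.election_ports.add(int(m.group(4)))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().lower()
        if key == "quorumListenOnAllIPs":
            cfg.listen_all = value == "true"
        elif key == "sslQuorum":
            cfg.ssl_quorum = value == "true"
        elif key == "quorum.auth.enableSasl":
            cfg.sasl_quorum = value == "true"
    return cfg


def parse_ss_listing(text):
    """Return {port: local_address} for every LISTEN socket in `ss -ltn` output."""
    bound = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps "[::]" intact
        bound[int(port)] = addr
    return bound


def audit(cfg, bound):
    """Return a list of (code, detail) findings for the quorum exposure."""
    findings = []
    quorum_ports = cfg.leader_ports | cfg.election_ports
    exposed = sorted(p for p in quorum_ports if bound.get(p) in WILDCARDS)
    if exposed:
        findings.append(("WILDCARD_BIND",
                         f"quorum ports bound on all interfaces: {exposed}; "
                         "restrict them by firewall to the other ZooKeeper hosts"))
    if cfg.listen_all and not (cfg.ssl_quorum or cfg.sasl_quorum):
        findings.append(("UNAUTHENTICATED_QUORUM",
                         "quorumListenOnAllIPs=true without sslQuorum or "
                         "quorum.auth.enableSasl: any host reaching the ports can talk to the quorum"))
    return findings


if __name__ == "__main__":
    sockets = parse_ss_listing(SAMPLE_SS)
    for label, text in (("default", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        print(f"[{label}]")
        for code, detail in audit(parse_zoo_cfg(text), sockets) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

Run against the constructed samples, the default config yields both findings while the hardened one keeps only the wildcard-bind finding, which matches the thread's advice: authentication removes the "intrude" concern, but the firewall rule for the election and leader ports is still needed against anyone who can merely reach them.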
