From: Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
Date: Tue, 16 Jun 2020 13:06:43 +0200
Subject: Re: Side effects of setting quorumListenOnAllIPs to true
To: UserZooKeeper <user@zookeeper.apache.org>
Cc: Rakesh Radhakrishnan

Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
server-to-server communication is secure and no one who is not trusted can
connect and gain access to the quorum. However, if one is using QuorumSASL or
QuorumSSL then it is still possible that a DOS attack can hit the ZooKeeper
port causing problems. But that can again be solved by firewalls I think.

On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:

> > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > still connect and form a quorum with only the static or dynamic server
> > connection strings or it can connect and form a quorum with any IP address
> > outside the server connection strings as it is allowed to bind with a
> > 0.0.0.0 interface?
>
> This is a good question. I think there is a chance that one can "intrude"
> this way. Although I wouldn't give more tips on the mailing list. :)
> The best is to protect the ZooKeeper internal network using firewalls. The
> election port and leader port should be reachable only by other ZooKeeper
> server hosts.
>
> Regards,
> Mate
>
> On Tue, Jun 16, 2020 at 12:24 PM ashish soni wrote:
>
> > Hi,
> >
> > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > still connect and form a quorum with only the static or dynamic server
> > connection strings or it can connect and form a quorum with any IP address
> > outside the server connection strings as it is allowed to bind with a
> > 0.0.0.0 interface?
> >
> > Ram, I think you don't need to add this if you have a static IP config or
> > using 3.6+. If you feel it is a security issue for the organization, try
> > ZK 3.6.1 without setting that config.
> >
> > Regards,
> > Aishwarya Soni
> >
> > On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
> > wrote:
> >
> > > Hi Ram,
> > >
> > > > all I want to know is by enabling this property there are no side effects
> > > > or security risks.
> > >
> > > well, this is something for you (or for your security team) to evaluate.
> > > E.g. if your hosts have multiple network interfaces with both "private" and
> > > "public" networks attached, then I can consider setting
> > > quorumListenOnAllIPs=true to be a security risk. Of course you can block
> > > the public access with proper firewall rules.
> > >
> > > But usually ZooKeeper is deployed in some secure / core infrastructure,
> > > well protected from DOS / other attacks, in which
> > > case quorumListenOnAllIPs=true is not a real security risk.
> > >
> > > This is something we (the ZooKeeper community) will not be able to tell, as
> > > this depends on your network topology and your security protocols. We can
> > > only help in explaining what this config is doing.
> > >
> > > Kind regards,
> > > Mate
> > >
> > > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > >
> > > > Mate,
> > > >
> > > > Thanks for explaining, all I want to know is by enabling this property
> > > > there are no side effects or security risks.
> > > >
> > > > Ram
> > > >
> > > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
> > > >
> > > > > Hi Ram,
> > > > >
> > > > > I am not sure I understand your question. The config quorumListenOnAllIPs
> > > > > is about to specify if the ports ZooKeeper uses for server-to-server
> > > > > communication should bind on the specified address/IP
> > > > > (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> > > > >
> > > > > An example: You configure your server list using either static or dynamic
> > > > > configuration like:
> > > > > server.1=a.foo.com:2888:3888
> > > > > server.2=b.foo.com:2888:3888
> > > > > ...
> > > > >
> > > > > In this case when server.2 starts, it reads the config then initiates
> > > > > connection (for ZK internal leader election protocol) to server.1 by
> > > > > connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888)
> > > > > enabling server.1 to connect back. However, if server.2 is behind a proxy /
> > > > > using kubernetes / whatever, then it is possible that you can reach
> > > > > server.2 as b.foo.com but the ZK process on server.2 can not actually bind
> > > > > on b.foo.com:3888. In this case the easiest solution is to bind on
> > > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of
> > > > > server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> > > > > initial message to server.1 and server.1 would try to connect back to
> > > > > server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes
> > > > > handy to set quorumListenOnAllIPs=true which will cause ZooKeeper to bind
> > > > > on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an
> > > > > address where other servers can reach it.
> > > > >
> > > > > I hope the explanation made it more (and not less) clear :p
> > > > >
> > > > > Kind regards,
> > > > > Mate
> > > > >
> > > > >
> > > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to see what are the pros and cons of setting
> > > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or local
> > > > > > proxy environments is not working by keeping default value (false). So can
> > > > > > someone please explain?
> > > > > >
> > > > > > Anyway zookeeper will form quorum with the servers list from the zoo.conf
> > > > > > static file right? So by enabling this property can any server or IP out
> > > > > > of the zoo.conf join the quorum?
> > > > > >
> > > > > > Ram
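The bind-versus-advertise behaviour Mate describes (quorum sockets on 0.0.0.0, configured host still announced to peers) and the two mitigations raised in the thread (a firewall allowlist of the other ensemble members on the leader/election ports, and QuorumSSL/QuorumSASL), as an added example that is not ZooKeeper project code and not from anyone in this thread. The three zoo.cfg texts are constructed for the example; the hosts a.foo.com/b.foo.com/c.foo.com come from Mate's mail, and the sslQuorum and quorum.auth.* property names are the ones in the ZooKeeper admin guide. The model is deliberately simple: it reads the config the way the thread explains it rather than reproducing ZooKeeper's own QuorumPeerConfig.

```python
"""Added example, not ZooKeeper code. Models what quorumListenOnAllIPs changes
(bind host only; the advertised address stays the configured one) and checks
the hardening the thread recommends: admit only configured peers on the quorum
ports, and require QuorumSSL / QuorumSASL when bound on every interface.
The zoo.cfg texts below are constructed for illustration."""
from dataclasses import dataclass

SAMPLE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
# constructed sample ensemble, server.N=host:leaderPort:electionPort
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888
quorumListenOnAllIPs=true
sslQuorum=true
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
"""


def _without(text, prefixes):
    """Config text minus the lines that start with any of the prefixes."""
    return "\n".join(l for l in text.splitlines() if not l.startswith(tuple(prefixes)))


# Same ensemble, quorum ports on every interface, no quorum TLS or SASL at all.
WEAK_CFG = _without(SAMPLE_CFG, ["sslQuorum", "quorum.auth"])
# Same ensemble with the default quorumListenOnAllIPs=false.
DEFAULT_CFG = _without(SAMPLE_CFG, ["quorumListenOnAllIPs"])


@dataclass(frozen=True)
class QuorumPeer:
    sid: int
    host: str
    leader_port: int
    election_port: int


def parse_cfg(text):
    """Split a zoo.cfg into plain properties and the server.N peer table."""
    props, peers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("server."):
            # server.N=host:leaderPort:electionPort[:role][;clientPort]
            parts = value.split(";")[0].split(":")
            if len(parts) < 3:
                raise ValueError(f"malformed {key}={value}")
            sid = int(key[len("server."):])
            peers[sid] = QuorumPeer(sid, parts[0], int(parts[1]), int(parts[2]))
        else:
            props[key] = value
    return props, peers


def _flag(props, key):
    return props.get(key, "false").lower() == "true"


def listen_addresses(props, peers, my_sid):
    """Bind address of this server's leader and election sockets, plus the
    address it advertises to peers. Only the bind host depends on the flag."""
    me = peers[my_sid]
    bind_host = "0.0.0.0" if _flag(props, "quorumListenOnAllIPs") else me.host
    return {"leader_bind": (bind_host, me.leader_port),
            "election_bind": (bind_host, me.election_port),
            "advertised": (me.host, me.election_port)}


def peer_allowlist(peers, my_sid):
    """(source host, local port) pairs a host firewall should admit on the
    quorum ports: the other configured ensemble members and nothing else."""
    me = peers[my_sid]
    return {(p.host, port) for sid, p in peers.items() if sid != my_sid
            for port in (me.leader_port, me.election_port)}


def hardening_findings(props):
    """What to flag when the quorum ports are bound on every interface."""
    findings = []
    if not _flag(props, "quorumListenOnAllIPs"):
        return findings
    if not _flag(props, "sslQuorum"):
        findings.append("quorum ports on 0.0.0.0 without sslQuorum=true")
    if not _flag(props, "quorum.auth.enableSasl"):
        findings.append("quorum ports on 0.0.0.0 without quorum.auth.enableSasl=true")
    elif not (_flag(props, "quorum.auth.learnerRequireSasl")
              and _flag(props, "quorum.auth.serverRequireSasl")):
        findings.append("quorum SASL enabled but not required on both sides")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_CFG), ("weak", WEAK_CFG), ("default", DEFAULT_CFG)):
        props, peers = parse_cfg(cfg)
        print(name, listen_addresses(props, peers, 2), hardening_findings(props))
        print("  admit 203.0.113.9->3888:", ("203.0.113.9", 3888) in peer_allowlist(peers, 2))
```

Run as server.2: with `quorumListenOnAllIPs=true` the sockets bind on `0.0.0.0` but `b.foo.com:3888` is still what peers are told, which is the whole reason for the flag; the allowlist for the same server contains only `a.foo.com` and `c.foo.com` on 2888/3888, so a source outside the server list is dropped at the firewall whatever interface the port is bound on. The weak config trips both findings; the default config trips none because the ports are only bound on the configured host in the first place.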