From: ashish soni
Date: Tue, 16 Jun 2020 04:09:59 -0700
Subject: Re: Side effects of setting quorumListenOnAllIPs to true
To: user@zookeeper.apache.org
Cc: Rakesh Radhakrishnan
Mailing-List: user@zookeeper.apache.org

Good suggestions Mate. We are in the process of implementing both (SSL AND SASL). Will try to pan out some destructive cases to test it out :)

On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté wrote:

> Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
> server-to-server communication is secure and no one who is not trusted can
> connect and gain access to the quorum.
>
> However, if one is using QuorumSASL or QuorumSSL then it is still possible
> that a DOS attack can hit the ZooKeeper port causing problems. But that can
> again be solved by firewalls I think.
>
> On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
>
> > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > > still connect and form a quorum with only the static or dynamic server
> > > connection strings, or can it connect and form a quorum with any IP address
> > > outside the server connection strings, as it is allowed to bind with a
> > > 0.0.0.0 interface?
> >
> > This is a good question. I think there is a chance that one can "intrude"
> > this way. Although I wouldn't give more tips on the mailing list. :)
> > The best is to protect the ZooKeeper internal network using firewalls. The
> > election port and leader port should be reachable only by other ZooKeeper
> > server hosts.
> >
> > Regards,
> > Mate
> >
> > On Tue, Jun 16, 2020 at 12:24 PM ashish soni wrote:
> >
> > > Hi,
> > >
> > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > > still connect and form a quorum with only the static or dynamic server
> > > connection strings, or can it connect and form a quorum with any IP address
> > > outside the server connection strings, as it is allowed to bind with a
> > > 0.0.0.0 interface?
> > >
> > > Ram, I think you don't need to add this if you have a static IP config or
> > > are using 3.6+. If you feel it is a security issue for the organization, try
> > > ZK 3.6.1 without setting that config.
> > >
> > > Regards,
> > > Aishwarya Soni
> > >
> > > On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
> > >
> > > > Hi Ram,
> > > >
> > > > > all I want to know is whether, by enabling this property, there are any
> > > > > side effects or security risks.
> > > >
> > > > well, this is something for you (or for your security team) to evaluate.
> > > > E.g. if your hosts have multiple network interfaces with both "private" and
> > > > "public" networks attached, then I can consider setting
> > > > quorumListenOnAllIPs=true to be a security risk. Of course you can block
> > > > the public access with proper firewall rules.
> > > >
> > > > But usually ZooKeeper is deployed in some secure / core infrastructure,
> > > > well protected from DOS / other attacks, in which
> > > > case quorumListenOnAllIPs=true is not a real security risk.
> > > >
> > > > This is something we (the ZooKeeper community) will not be able to tell, as
> > > > this depends on your network topology and your security protocols. We can
> > > > only help in explaining what this config is doing.
> > > >
> > > > Kind regards,
> > > > Mate
> > > >
> > > > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > >
> > > > > Mate,
> > > > >
> > > > > Thanks for explaining, all I want to know is whether, by enabling this
> > > > > property, there are any side effects or security risks.
> > > > >
> > > > > Ram
> > > > >
> > > > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
> > > > >
> > > > > > Hi Ram,
> > > > > >
> > > > > > I am not sure I understand your question. The config quorumListenOnAllIPs
> > > > > > specifies whether the ports ZooKeeper uses for server-to-server
> > > > > > communication should bind on the specified address/IP
> > > > > > (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> > > > > >
> > > > > > An example: You configure your server list using either static or dynamic
> > > > > > configuration like:
> > > > > > server.1=a.foo.com:2888:3888
> > > > > > server.2=b.foo.com:2888:3888
> > > > > > ...
> > > > > >
> > > > > > In this case when server.2 starts, it reads the config then initiates a
> > > > > > connection (for the ZK internal leader election protocol) to server.1 by
> > > > > > connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888),
> > > > > > enabling server.1 to connect back. However, if server.2 is behind a
> > > > > > proxy / using kubernetes / whatever, then it is possible that you can reach
> > > > > > server.2 as b.foo.com but the ZK process on server.2 can not actually bind
> > > > > > on b.foo.com:3888. In this case the easiest solution is to bind on
> > > > > > 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of
> > > > > > server 2, since in this case server.2 would send 0.0.0.0:3888 in the
> > > > > > initial message to server.1 and server.1 would try to connect back to
> > > > > > server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes
> > > > > > in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to
> > > > > > bind on 0.0.0.0:3888 and still send a 'valid' address in the initial
> > > > > > message, an address where other servers can reach it.
> > > > > >
> > > > > > I hope the explanation made it more (and not less) clear :p
> > > > > >
> > > > > > Kind regards,
> > > > > > Mate
> > > > > >
> > > > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am trying to see what are the pros and cons of setting
> > > > > > > quorumListenOnAllIPs to true. Running a zookeeper cluster in mTLS or
> > > > > > > local proxy environments is not working when keeping the default value
> > > > > > > (false). So can someone please explain?
> > > > > > >
> > > > > > > Anyway zookeeper will form a quorum with the server list from the zoo.conf
> > > > > > > static file, right? So by enabling this property, can any server or IP
> > > > > > > outside of the zoo.conf join the quorum?
> > > > > > >
> > > > > > > Ram
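The thread makes two practical points: with quorumListenOnAllIPs=true a server binds its election/peer ports on 0.0.0.0 but still advertises its configured address to peers, and the wildcard bind is only acceptable if the election and leader ports are firewalled to the other ZooKeeper hosts and/or QuorumSSL or QuorumSASL is enforced. The script below is an added example, not ZooKeeper code or anything posted in the thread: it parses a zoo.cfg server list in the form Máté describes (server.N=host:peerPort:electionPort, plus the 3.5+ ':role;client' suffix and 3.6 '|' multi-address form), reports what each server binds to versus what it advertises, flags a wildcard bind that is not covered by sslQuorum or enforced quorum SASL, and emits an iptables-style allowlist for the quorum ports. Property names are the real zoo.cfg keys; the sample configs, hostnames, key-store paths and passwords at the bottom are constructed placeholders, and the firewall output is illustrative (hostnames are resolved only when rules are loaded, so substitute IPs in production).

```python
"""Audit a ZooKeeper zoo.cfg for quorum-port exposure (added example, not
ZooKeeper code). Parses server.N entries, shows bind vs. advertised address,
flags an unprotected 0.0.0.0 bind, and builds an allowlist for the peer and
election ports. Sample configs below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WILDCARD = "0.0.0.0"

@dataclass
class Peer:
    sid: int
    host: str
    peer_port: int        # leader/follower port, 2888 in the thread
    election_port: int    # leader election port, 3888 in the thread
    role: str = "participant"

@dataclass
class QuorumAudit:
    listen_on_all_ips: bool
    quorum_tls: bool
    quorum_sasl: bool
    peers: List[Peer]
    findings: List[str] = field(default_factory=list)
    firewall_rules: List[str] = field(default_factory=list)

def parse_zoo_cfg(text: str) -> Dict[str, str]:
    """Minimal properties parser: key=value lines, '#' comments, blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_peers(props: Dict[str, str]) -> List[Peer]:
    """Expand every server.N entry; tolerates the 3.5+ ':role;client' suffix
    and 3.6 multi-address entries joined with '|'."""
    peers: List[Peer] = []
    for key, value in props.items():
        if not key.startswith("server."):
            continue
        sid = int(key[len("server."):])
        for addr in value.split(";", 1)[0].split("|"):   # drop ';clientaddr:port'
            fields = addr.split(":")
            if len(fields) < 3:
                raise ValueError(f"{key}: expected host:peerPort:electionPort, got {value!r}")
            role = fields[3] if len(fields) > 3 else "participant"
            peers.append(Peer(sid, fields[0], int(fields[1]), int(fields[2]), role))
    return sorted(peers, key=lambda p: (p.sid, p.host))

def _enabled(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").lower() == "true"

def bind_and_advertise(props: Dict[str, str], my_sid: int) -> Tuple[str, str]:
    """Election-port bind address and the address server.<my_sid> sends in its
    initial message so peers can connect back. With quorumListenOnAllIPs=true
    the bind is 0.0.0.0 but the advertised address stays the configured one."""
    me = next(p for p in parse_peers(props) if p.sid == my_sid)
    bind = WILDCARD if _enabled(props, "quorumListenOnAllIPs") else me.host
    return f"{bind}:{me.election_port}", f"{me.host}:{me.election_port}"

def firewall_allowlist(peers: List[Peer]) -> List[str]:
    """iptables-style rules: accept the peer/election ports only from the
    ZooKeeper hosts, then drop everything else aimed at those ports."""
    ports = sorted({p.peer_port for p in peers} | {p.election_port for p in peers})
    hosts = sorted({p.host for p in peers})
    rules = [f"-A INPUT -p tcp -s {h} --dport {port} -j ACCEPT" for port in ports for h in hosts]
    return rules + [f"-A INPUT -p tcp --dport {port} -j DROP" for port in ports]

def audit_quorum_config(text: str) -> QuorumAudit:
    props = parse_zoo_cfg(text)
    peers = parse_peers(props)
    all_ips = _enabled(props, "quorumListenOnAllIPs")
    tls = _enabled(props, "sslQuorum")
    # SASL only protects the quorum when both sides are *required* to authenticate.
    sasl = all(_enabled(props, k) for k in (
        "quorum.auth.enableSasl", "quorum.auth.serverRequireSasl", "quorum.auth.learnerRequireSasl"))
    audit = QuorumAudit(all_ips, tls, sasl, peers)
    if all_ips:
        audit.findings.append("quorumListenOnAllIPs=true: peer/election ports bind on 0.0.0.0 (every interface)")
        if not (tls or sasl):
            audit.findings.append("wildcard bind with neither sslQuorum nor enforced quorum SASL: "
                                  "any host that can reach the ports can talk to the quorum")
    if not tls:
        audit.findings.append("sslQuorum not enabled: server-to-server traffic is plaintext")
    if not sasl:
        audit.findings.append("quorum SASL not enforced: peers are not authenticated")
    if any(p.host == WILDCARD for p in peers):
        audit.findings.append("a server.N entry uses 0.0.0.0: peers would try to connect back to 0.0.0.0")
    audit.firewall_rules = firewall_allowlist(peers)
    return audit

# Constructed sample configs (hosts, paths and passwords are placeholders).
WEAK_CFG = """
clientPort=2181
quorumListenOnAllIPs=true
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888
"""
HARDENED_CFG = WEAK_CFG + """
sslQuorum=true
ssl.quorum.keyStore.location=/etc/zookeeper/quorum.keystore.jks
ssl.quorum.keyStore.password=changeit
ssl.quorum.trustStore.location=/etc/zookeeper/quorum.truststore.jks
ssl.quorum.trustStore.password=changeit
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        audit = audit_quorum_config(cfg)
        print(f"[{name}] server.2 binds/advertises: {bind_and_advertise(parse_zoo_cfg(cfg), 2)}")
        for finding in audit.findings:
            print(f"[{name}] finding: {finding}")
    print("\n".join(audit_quorum_config(HARDENED_CFG).firewall_rules))
```

Run it against your own zoo.cfg by passing the file contents to `audit_quorum_config`. The hardened config still reports the wildcard bind as a finding on purpose: quorumListenOnAllIPs=true is a fact about exposure regardless of authentication, and the firewall allowlist is the control that closes it, as the thread recommends.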