zookeeper-user mailing list archives

From Damien Diederen <ddiede...@sinenomine.net>
Subject Re: ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication.
Date Thu, 26 Nov 2020 08:21:03 GMT

Hi Guilherme,

> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.

Sure.

> Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.

Configuring JAAS is one half of the puzzle.  The half you seem to be
missing is 'sessionRequireClientSASLAuth', as provided and documented in
versions 3.6+:

    https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html

>> zookeeper.sessionRequireClientSASLAuth : (Java system property only:
>> zookeeper.sessionRequireClientSASLAuth) New in 3.6.0: When set to
>> true, ZooKeeper server will only accept connections and requests from
>> clients that have authenticated with server via SASL. […]

> (I don't think *requireClientAuthScheme=sasl* is being considered)

Indeed.  I see lots of reference to 'requireClientAuthScheme' on the
Internet, but that is not a recognized property!

HTH, -D



--- Original message follows ---

Guilherme Ramos <guiramos@gmail.com> writes:
> Hi again!
>
> I am not using ZK with Kafka yet. I use ZK to store lots of information and
> they are getting more important and critical to our applications, so having
> authentication working properly is becoming a requirement.
>
> So, as Enrico Olivelli asked in the other email, here it is:
>
> *docker-compose:*
> zk:
>     image: zookeeper
>     restart: always
>     container_name: zk
>     networks:
>       net:
>         ipv4_address: 172.30.0.100
>     ports:
>       - 3181:2181
>       - 2180:8080
>     environment:
>       - ZOO_AUTOPURGE_PURGEINTERVAL:12
>       #- ZOO_CLIENT_USER:user_super
>       #- ZOO_CLIENT_PASSWORD:secret
>       #- ZOO_ENABLE_AUTH:yes
>       - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf
>     volumes:
>       - /var/data/services/zk/data:/data
>       - /var/data/services/zk/datalog:/datalog
>       - /var/data/services/zk/conf:/conf
>       - /var/data/services/zk/logs:/logs
>
> First, I tried to use those commented out environment variables (in red). No
> success.
> Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
> the process running, the argument is being passed correctly, but zookeeper
> is still allowing anonymous connections.
>
>
> */conf/zoo.cfg*
> clientPort=2181
> dataDir=/data
> dataLogDir=/datalog
> tickTime=2000
> initLimit=5
> syncLimit=2
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=0
> maxClientCnxns=60
> standaloneEnabled=true
> admin.enableServer=false
> server.1=localhost:2888:3888;2181
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> *requireClientAuthScheme=sasl *
>
> (I don't think *requireClientAuthScheme=sasl* is being considered)
>
> *zoo_jaas.conf*
> Client {
>    org.apache.zookeeper.server.auth.DigestLoginModule required
>    username="client"
>    password="client_password";
> };
> Server {
>    org.apache.zookeeper.server.auth.DigestLoginModule required
>       user_kafka="kafka_password";
> };
>
>
> In the past, our company would only allow JBOSS deployments. So I was
> embedding zookeeper as a web app, starting the QuorumPeerMain class
> manually and that worked perfectly.
> It was version 3.4.0, if I am not wrong.
>
> This time I dont want to extend docker images, I would like to use your
> original one, making use of proper configuration.
>
> Please, please, please help me.
>
> Thank you in advance,
> Guiherme
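
Putting the two halves of Damien's answer together, as an added example that is not code from either poster or from the ZooKeeper project: a POSIX shell script that writes the hardened server configuration (SASL authProvider in zoo.cfg, a JAAS Server section, and both `-Djava.security.auth.login.config` and `-Dzookeeper.sessionRequireClientSASLAuth=true` in JVMFLAGS, ZooKeeper 3.6+), writes the as-posted configuration next to it for comparison, and lints a zoo.cfg / JVMFLAGS pair for the pieces mandatory client SASL needs. The directory names, the `kafka` user and its password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ZooKeeper project.
# Writes the hardened server config the reply describes (ZooKeeper 3.6+), writes
# the as-posted config for comparison, and lints a zoo.cfg + JVMFLAGS pair for
# what mandatory client SASL needs. Paths, user and password are constructed.

# Hardened config: authProvider in zoo.cfg, a Server section in JAAS, and BOTH
# system properties in JVMFLAGS. sessionRequireClientSASLAuth is a Java system
# property only, so it goes into JVMFLAGS, not into zoo.cfg.
write_hardened_conf() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/zoo.cfg" <<'EOF'
clientPort=2181
dataDir=/data
dataLogDir=/datalog
tickTime=2000
initLimit=5
syncLimit=2
standaloneEnabled=true
server.1=localhost:2888:3888;2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
EOF
  cat > "$dir/zoo_jaas.conf" <<'EOF'
Server {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   user_kafka="kafka_password";
};
EOF
  # Value of the JVMFLAGS environment variable the container starts with
  printf '%s\n' "-Djava.security.auth.login.config=/conf/zoo_jaas.conf -Dzookeeper.sessionRequireClientSASLAuth=true" > "$dir/jvmflags"
}

# As posted in the thread (reconstructed): JAAS only, plus an unrecognized key.
write_posted_conf() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/zoo.cfg" <<'EOF'
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
EOF
  printf '%s\n' "-Djava.security.auth.login.config=/conf/zoo_jaas.conf" > "$dir/jvmflags"
}

# lint_zk_sasl ZOO_CFG JVMFLAGS: prints findings, returns 0 only if a client
# cannot obtain a session without SASL authentication.
lint_zk_sasl() {
  cfg="$1"; flags=" $2 "; rc=0
  grep -q '^authProvider\.[0-9][0-9]*=org\.apache\.zookeeper\.server\.auth\.SASLAuthenticationProvider' "$cfg" \
    || { echo "zoo.cfg: no SASLAuthenticationProvider registered"; rc=1; }
  if grep -q '^requireClientAuthScheme=' "$cfg"; then
    echo "zoo.cfg: requireClientAuthScheme is not a recognized property and is ignored"
  fi
  case "$flags" in
    *" -Djava.security.auth.login.config="*) ;;
    *) echo "JVMFLAGS: -Djava.security.auth.login.config missing, server has no JAAS Server section"; rc=1 ;;
  esac
  case "$flags" in
    *" -Dzookeeper.sessionRequireClientSASLAuth=true "*) ;;
    *) echo "JVMFLAGS: -Dzookeeper.sessionRequireClientSASLAuth=true missing, anonymous sessions still accepted"; rc=1 ;;
  esac
  return "$rc"
}

# Demo: lint the posted setup and the hardened one side by side.
base=$(mktemp -d)
write_hardened_conf "$base/hardened"
write_posted_conf "$base/posted"
for name in posted hardened; do
  echo "== $name =="
  if lint_zk_sasl "$base/$name/zoo.cfg" "$(cat "$base/$name/jvmflags")"; then
    echo "OK: clients without SASL are refused"
  else
    echo "NOT ENFORCED"
  fi
done
```

Running it reports the posted setup as NOT ENFORCED (JAAS present, enforcement property absent, `requireClientAuthScheme` ignored) and the hardened one as OK. In docker-compose the list form of `environment:` takes `KEY=VALUE` entries, so the whole JVMFLAGS value above goes on one `- JVMFLAGS=...` line; after a restart, a client started without its own JAAS `Client` section (DigestLoginModule with `username`/`password`, as in the posted file) should no longer get a working session. Two caveats: the property only affects client sessions, not quorum traffic, and forcing authentication does not change ACLs, so znodes created with the default open ACL stay readable by any authenticated client until ACLs using the `sasl` scheme are set on them.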
