From Guilherme Ramos <guira...@gmail.com>
Subject ZOOKEEPER-1634: hardening security by teaching server to enforce client authentication.
Date Wed, 25 Nov 2020 22:12:14 GMT
Hi again!

I am not using ZK with Kafka yet. I use ZK to store lots of information and
they are getting more important and critical to our applications, so having
authentication working properly is becoming a requirement.

So, as Enrico Olivelli asked in the other email, here it is:

*docker-compose:*
zk:
    image: zookeeper
    restart: always
    container_name: zk
    networks:
      net:
        ipv4_address: 172.30.0.100
    ports:
      - 3181:2181
      - 2180:8080
    environment:
      - ZOO_AUTOPURGE_PURGEINTERVAL:12
      #- ZOO_CLIENT_USER:user_super
      #- ZOO_CLIENT_PASSWORD:secret
      #- ZOO_ENABLE_AUTH:yes
      - JVMFLAGS=-Djava.security.auth.login.config=/conf/zoo_jaas.conf
    volumes:
      - /var/data/services/zk/data:/data
      - /var/data/services/zk/datalog:/datalog
      - /var/data/services/zk/conf:/conf
      - /var/data/services/zk/logs:/logs

First, I tried to use those commented out environment variables (in red). No
success.
Then I tried to pass the zoo_jaas.conf (below) as a JVM arg. I can see in
the running process that the argument is being passed correctly, but zookeeper
is still allowing anonymous connections.


*/conf/zoo.cfg*
clientPort=2181
dataDir=/data
dataLogDir=/datalog
tickTime=2000
initLimit=5
syncLimit=2
autopurge.snapRetainCount=3
autopurge.purgeInterval=0
maxClientCnxns=60
standaloneEnabled=true
admin.enableServer=false
server.1=localhost:2888:3888;2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
*requireClientAuthScheme=sasl *

(I don't think *requireClientAuthScheme=sasl* is being considered)

*zoo_jaas.conf*
Client {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   username="client"
   password="client_password";
};
Server {
   org.apache.zookeeper.server.auth.DigestLoginModule required
      user_kafka="kafka_password";
};


In the past, our company would only allow JBOSS deployments. So I was
embedding zookeeper as a web app, starting the QuorumPeerMain class
manually and that worked perfectly.
It was version 3.4.0, if I am not wrong.

This time I don't want to extend docker images, I would like to use your
original one, making use of proper configuration.

Please, please, please help me.

Thank you in advance,
Guilherme
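To check from the outside whether the server still accepts unauthenticated operations, here is an added example (my own code, not from the message above or from the ZooKeeper project) that speaks the raw ZooKeeper wire protocol: it opens an anonymous session and asks for the children of `/`. A server that enforces client authentication answers with a non-zero error code (and drops the session) instead of the listing. Host `127.0.0.1` and port `3181` (the published port in the compose file above) are assumptions.

```python
import socket
import struct

GET_CHILDREN = 8  # ZooKeeper OpCode.getChildren


def connect_request(timeout_ms=30000):
    """Length-prefixed ConnectRequest: protocolVersion, lastZxidSeen, timeOut,
    sessionId, passwd (16-byte buffer) and the trailing readOnly flag."""
    body = struct.pack(">iqiq", 0, 0, timeout_ms, 0)
    body += struct.pack(">i", 16) + b"\x00" * 16 + b"\x00"
    return struct.pack(">i", len(body)) + body


def get_children_request(xid, path):
    """Length-prefixed RequestHeader(xid, type) + GetChildrenRequest(path, watch=false)."""
    p = path.encode()
    body = struct.pack(">ii", xid, GET_CHILDREN) + struct.pack(">i", len(p)) + p + b"\x00"
    return struct.pack(">i", len(body)) + body


def parse_reply_header(frame):
    """ReplyHeader: xid (int), zxid (long), err (int); err == 0 means success."""
    return struct.unpack_from(">iqi", frame, 0)


def parse_children(frame):
    """GetChildrenResponse after the 16-byte header: count, then length-prefixed names."""
    off = 16
    (n,) = struct.unpack_from(">i", frame, off)
    off += 4
    names = []
    for _ in range(max(n, 0)):  # -1 encodes a null vector
        (ln,) = struct.unpack_from(">i", frame, off)
        off += 4
        names.append(frame[off:off + ln].decode())
        off += ln
    return names


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # server hung up, e.g. after refusing an unauthenticated session
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def read_frame(sock):
    (n,) = struct.unpack(">i", recv_exact(sock, 4))
    return recv_exact(sock, n)


def anonymous_listing(host, port):
    """Return (err, children) for an unauthenticated GetChildren on '/'."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(connect_request())
        read_frame(s)  # ConnectResponse; contents not needed for this check
        s.sendall(get_children_request(1, "/"))
        frame = read_frame(s)
        _, _, err = parse_reply_header(frame)
        return err, (parse_children(frame) if err == 0 else [])


if __name__ == "__main__":
    err, names = anonymous_listing("127.0.0.1", 3181)  # assumed host/port
    if err == 0:
        print("anonymous access ALLOWED, children of /: %s" % names)
    else:
        print("anonymous request refused, err=%d" % err)
```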
