This is an automated email from the ASF dual-hosted git repository. andor pushed a commit to branch branch-3.8 in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.8 by this push: new 43b97a72e ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be disabled in Fips mode (branch-3.8) 43b97a72e is described below commit 43b97a72ed502401b4b7f28bf6d4820b6c592bc4 Author: Andor Molnár <an...@apache.org> AuthorDate: Tue Nov 26 09:55:30 2024 -0600 ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be disabled in Fips mode (branch-3.8) Reviewers: kezhuw, symat Author: anmolnar Closes #2215 from anmolnar/ZOOKEEPER-4889_38
---
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md | 12 ++++++++----
.../org/apache/zookeeper/client/ZooKeeperSaslClient.java | 2 +-
.../src/main/java/org/apache/zookeeper/common/X509Util.java | 5 +++--
.../zookeeper/server/auth/X509AuthenticationProvider.java | 2 +-
.../zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java | 1 +
.../main/java/org/apache/zookeeper/util/SecurityUtils.java | 8 ++++++++
6 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 8ae003029..29276e5bc 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -1810,10 +1810,14 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp
 * *fips-mode* : (Java system property: **zookeeper.fips-mode**) **New in 3.8.2:**
- Enable FIPS compatibility mode in ZooKeeper. If enabled, the custom trust manager (`ZKTrustManager`) that is used for
- hostname verification will be disabled in order to comply with FIPS requirements. As a consequence, hostname verification is not
- available in the Quorum protocol, but still can be set in client-server communication. Default: **true** (3.9.0+),
- **false** (3.8.x)
+ Enable FIPS compatibility mode in ZooKeeper. If enabled, the following things will be changed in order to comply
+ with FIPS requirements:
+ * Custom trust manager (`ZKTrustManager`) that is used for hostname verification will be disabled. As a consequence,
+ hostname verification is not available in the Quorum protocol, but still can be set in client-server communication.
+ * DIGEST-MD5 Sasl auth mechanism will be disabled in Quorum and ZooKeeper Sasl clients. Only GSSAPI (Kerberos)
+ can be used.
+
+ Default: **true** (3.9.0+), **false** (3.8.x)
 <a name="Experimental+Options%2FFeatures"></a>
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
index cafa66610..87e26cdf7 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
@@ -247,7 +247,7 @@ public class ZooKeeperSaslClient {
 l.startThreadIfNeeded();
 }
 }
- return SecurityUtils.createSaslClient(loginRef.get().getSubject(),
+ return SecurityUtils.createSaslClient(clientConfig, loginRef.get().getSubject(),
 servicePrincipal, "zookeeper", "zk-sasl-md5", LOG, "Client");
 } catch (LoginException e) {
 // We throw LoginExceptions...
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index ce185e137..b53800cda 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -69,6 +69,7 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY = "jdk.tls.rejectClientInitiatedRenegotiation";
 private static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+ private static final boolean FIPS_MODE_DEFAULT = false;
 static {
 // Client-initiated renegotiation in TLS is unsafe and
@@ -259,8 +260,8 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 return FIPS_MODE_PROPERTY;
 }
- public boolean getFipsMode(ZKConfig config) {
- return config.getBoolean(FIPS_MODE_PROPERTY, false);
+ public static boolean getFipsMode(ZKConfig config) {
+ return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT);
 }
 public boolean isServerHostnameVerificationEnabled(ZKConfig config) {
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
index 52eb7a7a9..3c29b5f08 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
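Review bot: Turning `getFipsMode(ZKConfig)` from an instance method into a `static` one in the second hunk is source-compatible but, as far as I can tell, not binary-compatible: code compiled against the 3.8.x instance method invokes it virtually and would fail with an IncompatibleClassChangeError against this build, which is worth weighing on a maintenance branch where `X509Util` is a public abstract class. A compatible shape is to add the static lookup under a new name and keep the old method delegating to it: `public static boolean isFipsModeEnabled(ZKConfig config) { return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT); }` and `public boolean getFipsMode(ZKConfig config) { return isFipsModeEnabled(config); }`, with the other call sites in this commit using the static name. Whichever signature is kept, the method has no Javadoc; `/** Whether FIPS compatibility mode is enabled via {@code zookeeper.fips-mode}; defaults to {@code false} on this branch. */` would record that the default here intentionally differs from what the documentation states for 3.9.0+.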
@@ -98,7 +98,7 @@ public class X509AuthenticationProvider implements AuthenticationProvider {
 x509Util.getSslTruststorePasswdProperty(),
 x509Util.getSslTruststorePasswdPathProperty());
 String trustStoreTypeProp = config.getProperty(x509Util.getSslTruststoreTypeProperty());
- boolean fipsMode = x509Util.getFipsMode(config);
+ boolean fipsMode = X509Util.getFipsMode(config);
 if (trustStoreLocation.isEmpty()) {
 LOG.warn("Truststore not specified for client connection");
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
index 12cec788a..9ed986ac9 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
@@ -88,6 +88,7 @@ public class SaslQuorumAuthLearner implements QuorumAuthLearner {
 DataInputStream din = new DataInputStream(sock.getInputStream());
 byte[] responseToken = new byte[0];
 sc = SecurityUtils.createSaslClient(
+ new ZKConfig(),
 learnerLogin.getSubject(),
 principalConfig,
 QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index 6ac3fff2a..5c44f2116 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
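Review bot: The `new ZKConfig()` passed on the added line of the SaslQuorumAuthLearner hunk builds a fresh configuration object on every call of the enclosing method, so the FIPS flag is re-read from system properties for each quorum authentication attempt, and the dependency is hidden inside the call rather than being something a test can inject. If the no-arg constructor is meant only to pick up the `zookeeper.fips-mode` system property (which is how the documentation describes that setting), hoisting it into a field does the same job once: `private final ZKConfig zkConfig = new ZKConfig();` in `SaslQuorumAuthLearner`, with `zkConfig,` here in place of `new ZKConfig(),`. A one-line comment at the call site, `// FIPS mode is read from system properties; it disables the DIGEST-MD5 fallback in createSaslClient`, would explain why a config object is needed for a quorum-side SASL client at all. The enclosing method begins and ends outside the hunk.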
@@ -28,6 +28,8 @@ import javax.security.sasl.SaslClient;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import org.apache.zookeeper.SaslClientCallbackHandler;
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.server.auth.KerberosName;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
@@ -55,6 +57,7 @@ public final class SecurityUtils {
 * @throws SaslException
 */
 public static SaslClient createSaslClient(
+ ZKConfig config,
 final Subject subject,
 final String servicePrincipal,
 final String protocol,
@@ -67,6 +70,11 @@ public final class SecurityUtils {
 if (subject.getPrincipals().isEmpty()) {
 // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism
 // instead.
+ // FIPS-mode: don't try DIGEST-MD5, just return error
+ if (X509Util.getFipsMode(config)) {
+ LOG.warn("{} will not use DIGEST-MD5 as SASL mechanism, because FIPS mode is enabled.", entity);
+ return null;
+ }
 LOG.info("{} will use DIGEST-MD5 as SASL mechanism.", entity);
 String[] mechs = {"DIGEST-MD5"};
 String username = (String) (subject.getPublicCredentials().toArray()[0]);
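Review bot: The new `ZKConfig config` parameter in the second hunk is added directly below a Javadoc block that ends with `* @throws SaslException` and `*/`, and no `@param config` is added, so the documented contract no longer matches the signature. Insert `@param config configuration consulted for {@code zookeeper.fips-mode}; when FIPS mode is enabled the DIGEST-MD5 fallback is refused` above the existing `@throws` line, and since the third hunk makes the method return `null` in that case, a `@return` line stating that `null` means no SASL client could be created. The Javadoc block begins outside the hunk.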
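Review bot: The guard added in the third hunk returns `null` although its comment says `just return error`, so a FIPS policy rejection is indistinguishable to the caller from any other failure to build a client and is visible only in the WARN log line. Because the Javadoc already lists `@throws SaslException`, raising it here would carry the reason to the caller: `throw new SaslException(entity + " cannot use DIGEST-MD5 as SASL mechanism: FIPS mode is enabled and no Kerberos principal is available");`; if `null` is kept so that existing callers keep their current handling, reword the comment to `// FIPS mode: DIGEST-MD5 is not permitted, return null so the caller treats SASL setup as failed`. The check also dereferences `config` without a null test; `SaslQuorumAuthLearner` passes a fresh `ZKConfig`, but the `clientConfig` passed by `ZooKeeperSaslClient` has no visible nullability guarantee in this diff, so `Objects.requireNonNull(config, "config");` at the top of the method would make the new precondition explicit. Failing closed is the right choice here, since DIGEST-MD5 depends on MD5, which is not a FIPS-approved algorithm.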