Timothy Ward commented on ARIES-1613:
A lot of this depends on how you define the boundary of the private network.
The back end servers are obviously in the private network, and the front end
servers are obviously publicly accessible, but in order for the front end to
talk to the back end the front end must also be in the private network. This
would typically be called a DMZ. It is not possible to avoid using private
addresses in the DMZ (it's the only way for the front end to talk to the back
end) - so does this really constitute internal addresses being exposed outside
the private network?

I assume that the ZooKeeper server is inside the private network and not the
DMZ? If so then the front end systems must be configured with the internal
address of the ZooKeeper to contact it, and you already have an internal
address used in the DMZ (a pretty normal state of affairs). The firewall would
need to allow this access and I assume that there is some security set up for
the ZooKeeper. At this point the only way for private addresses from discovery
to escape is for someone to break into the DMZ and either:
* Hack the ZooKeeper
* Exfiltrate information from the running JVM
Both of these are relatively hard to do (assuming you have decent credential
management) and rely on the fact that you've already been hacked (they have
access to your DMZ).

If the ZooKeeper is inside the DMZ then it needs to be more highly secured, and
probably should not be used for your back-end discovery at all because it is at
risk of direct hacking. This would have a much greater risk of address leakage
and puts you into the "two ZooKeeper" model if you want to be safe.

> DiscoveryPlugin interface not exported
> Key: ARIES-1613
> URL: https://issues.apache.org/jira/browse/ARIES-1613
> Project: Aries
> Issue Type: Bug
> Components: Remote Service Admin
> Affects Versions: rsa-1.9.0
> Reporter: Panu Hämäläinen
> The package containing the interface
> org.apache.cxf.dosgi.discovery.zookeeper.publish.DiscoveryPlugin is not
> exported (MANIFEST.MF) from bundle cxf-dosgi-ri-discovery-distributed (1.7.0)
> which makes it impossible to implement 3rd party discovery plugins.