My understanding of how digest scheme based ACL works in ZooKeeper is as follows:


1. When creating a digest based ACL, one would add to the ACL
"username:Base64(SHA1(username:password)):permissions".

2. When accessing a zNode, a client needs to send username:password in
clear text.

Here are a few questions:


a) Is the above understanding correct? My testing says yes, but I still
want to confirm with the community.



b) The description of digest based ACL in the ZooKeeper Programmer's Guide
[1] seems to indicate both MD5 and SHA1 are used, which is a bit confusing and
probably incorrect. Should this description be updated?



c) The document [1] and the code [2] are inconsistent in terms of how a
digest is generated. The document (and comments in the code) say that a digest
is in the form of base64(SHA1(password)), while the code generates it as
base64(SHA1(username:password)). The code indeed splits the username:password,
but it still uses the whole string to generate the digest. Is it intended to
use SHA1(username:password), or is this a bug?



d) A good side effect of SHA1(username:password) is that "username:"
serves as a salt to the hash, resulting in different hashes for the same password
used by different users. However, a salt is usually randomly generated and
different from a username. Should we consider adding a random salt when hashing
a password?



e) Since ZooKeeper does not currently support SSL/TLS (unless I am missing
something), is there any concern about sending the username and password in clear text?
Should an alternative with better security be considered?

Thanks,
Tao


[1] 
http://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

"digest uses a username:password string to generate MD5 hash which is then used 
as an ACL ID identity. Authentication is done by sending the username:password 
in clear text. When used in the ACL the expression will be the username:base64 
encoded SHA1 password digest."

[2] generateDigest(String idPassword) in DigestAuthenticationProvider.java

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

    // Returns "username:Base64(SHA1(idPassword))" for idPassword = "username:password".
    static public String generateDigest(String idPassword)
            throws NoSuchAlgorithmException {
        String parts[] = idPassword.split(":", 2);          // parts[0] is the username
        byte digest[] = MessageDigest.getInstance("SHA1").digest(
                idPassword.getBytes());                      // hashes the whole "username:password" string
        return parts[0] + ":" + base64Encode(digest);       // base64Encode is a private helper in the same class
    }
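As an added example (not part of the original message or of the ZooKeeper project's code), the following Python mirrors generateDigest so the points in c) and d) can be checked directly: the hash covers the whole "username:password" string rather than the password alone, so two users with the same password get different ACL ids, and a password containing ":" is still hashed whole. The matching function models the server comparing the digest of the clear-text credential against the ACL id; the use of UTF-8 (Java's getBytes() uses the platform charset) is an assumption.

```python
import base64
import hashlib
import hmac


def generate_digest(id_password: str) -> str:
    """Python equivalent of DigestAuthenticationProvider.generateDigest.

    id_password is the clear-text credential "username:password".
    SHA-1 is taken over the WHOLE string, so "username:" acts as a fixed,
    non-random salt. Returns "username:Base64(SHA1(username:password))".
    """
    # Java does idPassword.split(":", 2): only the first ":" separates the
    # username, so a password may itself contain ":" (assumed UTF-8 bytes).
    username, _sep, _password = id_password.partition(":")
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return username + ":" + base64.b64encode(digest).decode("ascii")


def doc_style_digest(username: str, password: str) -> str:
    """What the Programmer's Guide text describes instead: SHA1(password) only."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return username + ":" + base64.b64encode(digest).decode("ascii")


def acl_entry(id_password: str, perms: str) -> str:
    """The "username:digest:perms" string added to a digest ACL (perms such as 'cdrwa')."""
    return generate_digest(id_password) + ":" + perms


def matches_acl(id_password: str, acl_id: str) -> bool:
    """Server-side check: digest the clear-text credential the client sent
    and compare it to the id stored in the ACL (constant-time compare)."""
    return hmac.compare_digest(generate_digest(id_password), acl_id)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for cred in ("alice:secret", "bob:secret", "alice:pa:ss"):
        print(cred, "->", acl_entry(cred, "cdrwa"))
    print("doc description would give:", doc_style_digest("alice", "secret"))
    print("alice authenticates:", matches_acl("alice:secret", generate_digest("alice:secret")))
    print("wrong password:", matches_acl("alice:wrong", generate_digest("alice:secret")))
```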
