[
https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215318#comment-16215318
]
Ramkumar edited comment on ZOOKEEPER-1736 at 10/23/17 3:48 PM:
---------------------------------------------------------------
I am also curious to know why this is not an issue /defect. I am trying to
protect zookeeper in kubernetes cluster from other users to access zookeeper. I
tried to set up SASL in zookeeper and set a user in /broker node in zookeeper
so that Kafka reject the connections to zookeeper if they dont specify the
right user. However I observer, Kafka still makes connection successfully if
they dont have "client" configuration set up. This means anonymous connection
is still allowed to connect and use the zookeeper. did I miss some thing to
learn why this is not a bug?
was (Author: [email protected]):
I am also curious to know why this is not an issue /defect. I am trying to
protect zookeeper in kubernetes cluster from other users to access zookeeper. I
tried to set up SASL set up in zookeeper and set a user in /broker node so that
Kafka user wont be able to connect to zookeeper if they dont specify the right
user. However if Kafka still makes connection successfully if they dont have
"client" configuration set up. This means anonymous connection is still allowed
to connect and use the zookeeper. did I miss some thing?
> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>
> Key: ZOOKEEPER-1736
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Environment: Development
> Reporter: AntonioS
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary
> username and password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export
> JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf
> -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I
> authenticate, otherwise not and I get an exception.
> The problem is when I don’t put any username and password at all, zookeeper
> allows me to go through.
> I tried different things but nothing stops anonymous users to log in.
> I was looking at the source code, in particular the ZookeeperServer.java,
> this method:
> public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer)
> throws IOException {
> The section below:
> } else {
> if (h.getType() == OpCode.sasl) {
> Record rsp = processSasl(incomingBuffer,cnxn);
> ReplyHeader rh = new ReplyHeader(h.getXid(), 0,
> KeeperException.Code.OK.intValue());
> cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd
> arg..what is it?
> }
> else {
> Request si = new Request(cnxn, cnxn.getSessionId(),
> h.getXid(),
> h.getType(), incomingBuffer, cnxn.getAuthInfo());
> si.setOwner(ServerCnxn.me);
> submitRequest(si);
> }
> }
> The else flow appears to just forward any anonymous request to the handler,
> without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to
> Zookeeper?
> Thanks
> Antonio
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
