[
https://issues.apache.org/jira/browse/ZOOKEEPER-1736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215318#comment-16215318
]
Ramkumar edited comment on ZOOKEEPER-1736 at 10/23/17 3:49 PM:
---------------------------------------------------------------
I am also curious to know why this is not an issue /defect. I am trying to
protect zookeeper in kubernetes cluster from other users to access zookeeper. I
tried to set up SASL in zookeeper and set a user in /broker node in zookeeper
so that Kafka reject the connections to zookeeper if they dont specify the
right user. However I observed, Kafka still makes connection successfully if
they dont have "client" configuration set up. This means anonymous connection
is still allowed to connect and use the zookeeper. did I miss some thing to
learn why this is not a bug?
was (Author: [email protected]):
I am also curious to know why this is not an issue /defect. I am trying to
protect zookeeper in kubernetes cluster from other users to access zookeeper. I
tried to set up SASL in zookeeper and set a user in /broker node in zookeeper
so that Kafka reject the connections to zookeeper if they dont specify the
right user. However I observer, Kafka still makes connection successfully if
they dont have "client" configuration set up. This means anonymous connection
is still allowed to connect and use the zookeeper. did I miss some thing to
learn why this is not a bug?
> Zookeeper SASL authentication allows anonymus users to log in
> -------------------------------------------------------------
>
> Key: ZOOKEEPER-1736
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Environment: Development
> Reporter: AntonioS
>
> Hello.
> I have configured Zookeeper to provide SASL authentication, using ordinary
> username and password stored in the JAAS.conf as a DigestLoginModule
> I have created a simple jaas.conf file:
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
> I have the zoo.cfg correctly configured for security, adding the following:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=3600000
> zookeeper.allowSaslFailedClients=false
> And I also have the java.env file:
> export
> JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf
> -Dzookeeper.allowSaslFailedClients=false"
> Everything looks good. If I put the right username and password I
> authenticate, otherwise not and I get an exception.
> The problem is when I don’t put any username and password at all, zookeeper
> allows me to go through.
> I tried different things but nothing stops anonymous users to log in.
> I was looking at the source code, in particular the ZookeeperServer.java,
> this method:
> public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer)
> throws IOException {
> The section below:
> } else {
> if (h.getType() == OpCode.sasl) {
> Record rsp = processSasl(incomingBuffer,cnxn);
> ReplyHeader rh = new ReplyHeader(h.getXid(), 0,
> KeeperException.Code.OK.intValue());
> cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd
> arg..what is it?
> }
> else {
> Request si = new Request(cnxn, cnxn.getSessionId(),
> h.getXid(),
> h.getType(), incomingBuffer, cnxn.getAuthInfo());
> si.setOwner(ServerCnxn.me);
> submitRequest(si);
> }
> }
> The else flow appears to just forward any anonymous request to the handler,
> without attempting any authentication.
> Is this a bug? Is there any way to stop anonymous users connecting to
> Zookeeper?
> Thanks
> Antonio
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
