[
https://issues.apache.org/jira/browse/ZOOKEEPER-2526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16429181#comment-16429181
]
Eric Yang commented on ZOOKEEPER-2526:
--------------------------------------
[~irfanhamid] This approach is most sensible to secure ZooKeeper and disable
anonymous access. It would be great if the patch can reuse
allowSaslFailedClients flag = allowAnonLogin to reduce the number of knobs that
could potentially confuse users.
> Add config flag to prohibit connections from clients that don't do Sasl auth
> ----------------------------------------------------------------------------
>
> Key: ZOOKEEPER-2526
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2526
> Project: ZooKeeper
> Issue Type: Improvement
> Components: kerberos, security, server
> Affects Versions: 3.4.6
> Reporter: Irfan Hamid
> Priority: Minor
> Labels: newbie, security
> Fix For: 3.4.6
>
> Original Estimate: 120h
> Remaining Estimate: 120h
>
> According to ZOOKEEPER-1736 the flag allowSaslFailedClient will allow clients
> whose Sasl auth has failed the same privileges as a client that does not
> attempt Sasl, i.e., anonymous login.
> It would be nice to have a second property "allowAnonLogin" that defaults to
> true and allows current behavior. But if it is set to false it disconnects
> any clients that do not attempt Sasl auth or do not complete it successfully.
> The motivation would be to protect a shared ZooKeeper ensemble in a
> datacenter and reduce the surface area of vulnerability by protecting the
> service from a resiliency/availability perspective by limiting interaction by
> anonymous clients. This would also protect against rogue clients that could
> otherwise deny service by filling up the znode storage in non-ACLed locations.
> I'm working off of 3.4.6 source code (that's the one we have deployed
> internally). This functionality could be implemented by adding a flag
> ServerCnxn#isAuthenticated that is set to true iff
> ZooKeeperServer#processSasl() succeeds and which is inspected at every
> incoming request and the session is closed if auth isn't done and opcode is
> other than Sasl or Auth:
> --- src/java/main/org/apache/zookeeper/server/ServerCnxn.java (revision
> 1757035)
> +++ src/java/main/org/apache/zookeeper/server/ServerCnxn.java (working copy)
> @@ -55,6 +55,8 @@
> */
> boolean isOldClient = true;
>
> + boolean isAuthenticated = false;
> +
> abstract int getSessionTimeout();
>
> abstract void close();
> --- src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java
> (revision 1757035)
> +++ src/java/main/org/apache/zookeeper/server/ZooKeeperServer.java
> (working copy)
> @@ -884,11 +892,26 @@
> BinaryInputArchive bia = BinaryInputArchive.getArchive(bais);
> RequestHeader h = new RequestHeader();
> h.deserialize(bia, "header");
> // Through the magic of byte buffers, txn will not be
> // pointing
> // to the start of the txn
> incomingBuffer = incomingBuffer.slice();
> - if (h.getType() == OpCode.auth) {
> + if (allowAnonLogin == false && cnxn.isAuthenticated == false) {
> + if (!(h.getType() == OpCode.auth ||
> + h.getType() == OpCode.ping ||
> + h.getType() == OpCode.sasl)) {
> + LOG.warn(String.format("Closing client connection %s. OpCode
> %d received before Sasl authentication was complete and allowAnonLogin=false",
> + cnxn.getRemoteSocketAddress().toString(),
> h.getType()));
> + ReplyHeader rh = new ReplyHeader(h.getXid(), 0,
> + KeeperException.Code.AUTHFAILED.intValue());
> + cnxn.sendResponse(rh, null, null);
> + cnxn.sendBuffer(ServerCnxnFactory.closeConn);
> + cnxn.disableRecv();
> + }
> + }
> @@ -963,6 +986,7 @@
> String authorizationID = saslServer.getAuthorizationID();
> LOG.info("adding SASL authorization for authorizationID:
> " + authorizationID);
> cnxn.addAuthInfo(new Id("sasl",authorizationID));
> + cnxn.isAuthenticated = true;
> }
> }
> catch (SaslException e) {
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
