Re: Side effects of setting quorumListenOnAllIPs to true

Thank you all for your suggestions.

On Tue, Jun 16, 2020, 5:56 AM Szalay-Bekő Máté wrote:
> :)
>
> Just some info from https://zookeeper.apache.org/security.html
>
> "If you have any concern or believe you have uncovered a vulnerability, we suggest that you get in touch via the e-mail address secur...@zookeeper.apache.org. In the message, try to provide a description of the issue and ideally a way of reproducing it. (...) Please report any security problems to the project security address before disclosing it publicly."
>
> Kind regards,
> Mate
Re: Side effects of setting quorumListenOnAllIPs to true

:)

Just some info from https://zookeeper.apache.org/security.html

"If you have any concern or believe you have uncovered a vulnerability, we suggest that you get in touch via the e-mail address secur...@zookeeper.apache.org. In the message, try to provide a description of the issue and ideally a way of reproducing it. (...) Please report any security problems to the project security address before disclosing it publicly."

Kind regards,
Mate

On Tue, Jun 16, 2020 at 1:36 PM ashish soni wrote:
> Good suggestions Mate. We are in progress to implement both (SSL AND SASL). Will try to pan out some destructive cases to test it out :)
Re: Side effects of setting quorumListenOnAllIPs to true

Good suggestions Mate. We are in progress to implement both (SSL AND SASL). Will try to pan out some destructive cases to test it out :)

On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper server-to-server communication is secure and no one who is not trusted can connect and gain access to the quorum.
>
> However, if one is using QuorumSASL or QuorumSSL then it is still possible that a DOS attack can hit the ZooKeeper port, causing problems. But that can again be solved by firewalls, I think.
Re: Side effects of setting quorumListenOnAllIPs to true

Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper server-to-server communication is secure and no one who is not trusted can connect and gain access to the quorum.

However, if one is using QuorumSASL or QuorumSSL then it is still possible that a DOS attack can hit the ZooKeeper port, causing problems. But that can again be solved by firewalls, I think.

On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper still connect and form a quorum with only the static or dynamic server connection strings, or can it connect and form a quorum with any IP address outside the server connection strings, as it is allowed to bind to the 0.0.0.0 interface?
>
> This is a good question. I think there is a chance that one can "intrude" this way. Although I wouldn't give more tips on the mailing list. :)
> The best is to protect the ZooKeeper internal network using firewalls. The election port and leader port should be reachable only by other ZooKeeper server hosts.
>
> Regards,
> Mate
Re: Side effects of setting quorumListenOnAllIPs to true

> Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper still connect and form a quorum with only the static or dynamic server connection strings, or can it connect and form a quorum with any IP address outside the server connection strings, as it is allowed to bind to the 0.0.0.0 interface?

This is a good question. I think there is a chance that one can "intrude" this way. Although I wouldn't give more tips on the mailing list. :)
The best is to protect the ZooKeeper internal network using firewalls. The election port and leader port should be reachable only by other ZooKeeper server hosts.

Regards,
Mate

On Tue, Jun 16, 2020 at 12:24 PM ashish soni <aishwarya.ash...@gmail.com> wrote:
> Hi,
>
> Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper still connect and form a quorum with only the static or dynamic server connection strings, or can it connect and form a quorum with any IP address outside the server connection strings, as it is allowed to bind to the 0.0.0.0 interface?
>
> Ram, I think you don't need to add this if you have a static IP config or are using 3.6+. If you feel it is a security issue for the organization, try ZK 3.6.1 without setting that config.
>
> Regards,
> Aishwarya Soni
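The two pieces of advice in the messages above (Mate's recommendation to turn on QuorumSASL or QuorumSSL, and the rule that the election and leader ports should be reachable only from the other ZooKeeper server hosts) can be turned into a check. The script below is an added example written for this page; it is not code from the thread or from the ZooKeeper project. It parses a constructed zoo.cfg, flags quorumListenOnAllIPs=true and the absence of quorum TLS/SASL, and emits nftables-style input rules that admit the leader and election ports only from the other quorum members. Assumptions not stated on the page: server lines follow the documented host:leaderPort:electionPort[:role][;clientPort] form, `sslQuorum` and `quorum.auth.enableSasl` are the properties that switch on quorum TLS and quorum SASL, and the rule text is illustrative output (it is generated, not loaded, and hostnames would have to be resolved to addresses first).

```python
"""Audit a ZooKeeper zoo.cfg for quorum-port exposure.

Added example for this thread, not code from the ZooKeeper project or from
anyone on the list. Assumptions (not stated on the page): 'server.N=' lines
follow the documented host:leaderPort:electionPort[:role][;clientPort] form,
'sslQuorum' and 'quorum.auth.enableSasl' are the properties that switch on
quorum TLS and quorum SASL, and the nftables-style rule text is illustrative
(it is generated, not loaded; hostnames would have to be resolved first).
"""
import re
from dataclasses import dataclass

SERVER_RE = re.compile(r"^server\.(\d+)\s*=\s*(.+)$")


@dataclass(frozen=True)
class Peer:
    sid: int
    host: str
    leader_port: int    # the "2888" port: followers connect to the leader here
    election_port: int  # the "3888" port: leader election traffic


def parse_zoo_cfg(text: str):
    """Return (peers, settings). Like java.util.Properties, a line starting
    with '#' or '!' is a comment. The ';clientPort' suffix of a server line is
    ignored and the optional ':participant' / ':observer' role is tolerated."""
    peers, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        m = SERVER_RE.match(line)
        if m:
            spec = m.group(2).split(";", 1)[0]
            host, leader, election = spec.split(":")[:3]
            peers.append(Peer(int(m.group(1)), host, int(leader), int(election)))
        else:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return peers, settings


def _is_true(settings, key):
    return settings.get(key, "false").strip().lower() == "true"


def assess(settings) -> list:
    """Findings a reviewer would raise, in the order of the thread's advice."""
    findings = []
    if _is_true(settings, "quorumListenOnAllIPs"):
        findings.append(
            "quorumListenOnAllIPs=true: leader and election ports bind to "
            "0.0.0.0, so every interface on the host exposes them")
    if not (_is_true(settings, "sslQuorum") or _is_true(settings, "quorum.auth.enableSasl")):
        findings.append(
            "no quorum TLS (sslQuorum) or quorum SASL (quorum.auth.enableSasl): "
            "peer trust rests on network reachability alone")
    return findings


def allowlist_rules(peers, my_sid: int) -> list:
    """nftables-style input rules for server `my_sid`: accept the leader and
    election ports only from the other quorum members, drop everything else."""
    me = next(p for p in peers if p.sid == my_sid)
    ports = f"{{ {me.leader_port}, {me.election_port} }}"
    rules = [f"ip saddr {p.host} tcp dport {ports} accept"
             for p in peers if p.sid != my_sid]
    rules.append(f"tcp dport {ports} drop")
    return rules


# Constructed sample, not a real deployment: the setting the thread asks about,
# no quorum TLS/SASL, and IP addresses so the rules need no name resolution.
SAMPLE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorumListenOnAllIPs=true
server.1=10.0.0.11:2888:3888
server.2=10.0.0.12:2888:3888;2181
server.3=10.0.0.13:2888:3888:participant
"""


def audit(cfg_text: str, my_sid: int) -> dict:
    peers, settings = parse_zoo_cfg(cfg_text)
    return {"peers": peers, "findings": assess(settings),
            "rules": allowlist_rules(peers, my_sid)}


if __name__ == "__main__":
    report = audit(SAMPLE_CFG, my_sid=2)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("input rules for server.2:")
    for rule in report["rules"]:
        print("  ", rule)
```

Run against the sample it reports both findings and prints three rules for server.2: one accept per other member on 2888/3888 and a final drop. Adding sslQuorum=true (or quorum.auth.enableSasl=true) removes the second finding but not the first; quorumListenOnAllIPs=true still widens the bind, which is exactly why the firewall rules are recommended on top of quorum authentication.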
Re: Side effects of setting quorumListenOnAllIPs to true

Hi,

Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper still connect and form a quorum with only the static or dynamic server connection strings, or can it connect and form a quorum with any IP address outside the server connection strings, as it is allowed to bind to the 0.0.0.0 interface?

Ram, I think you don't need to add this if you have a static IP config or are using 3.6+. If you feel it is a security issue for the organization, try ZK 3.6.1 without setting that config.

Regards,
Aishwarya Soni

On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> Hi Ram,
>
> > all I want to know is whether by enabling this property there are no side effects or security risks.
>
> Well, this is something for you (or for your security team) to evaluate. E.g. if your hosts have multiple network interfaces with both "private" and "public" networks attached, then I would consider setting quorumListenOnAllIPs=true to be a security risk. Of course you can block the public access with proper firewall rules.
>
> But usually ZooKeeper is deployed in some secure / core infrastructure, well protected from DOS / other attacks, in which case quorumListenOnAllIPs=true is not a real security risk.
>
> This is something we (the ZooKeeper community) will not be able to tell, as this depends on your network topology and your security protocols. We can only help in explaining what this config is doing.
>
> Kind regards,
> Mate
Re: Side effects of setting quorumListenOnAllIPs to true

Hi Ram,

> all I want to know is whether by enabling this property there are no side effects or security risks.

Well, this is something for you (or for your security team) to evaluate. E.g. if your hosts have multiple network interfaces with both "private" and "public" networks attached, then I would consider setting quorumListenOnAllIPs=true to be a security risk. Of course you can block the public access with proper firewall rules.

But usually ZooKeeper is deployed in some secure / core infrastructure, well protected from DOS / other attacks, in which case quorumListenOnAllIPs=true is not a real security risk.

This is something we (the ZooKeeper community) will not be able to tell, as this depends on your network topology and your security protocols. We can only help in explaining what this config is doing.

Kind regards,
Mate

On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
> Mate,
>
> Thanks for explaining. All I want to know is whether by enabling this property there are no side effects or security risks.
>
> Ram
>
> On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > Hi Ram,
> >
> > I am not sure I understand your question. The config quorumListenOnAllIPs specifies whether the ports ZooKeeper uses for server-to-server communication should bind on the specified address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> >
> > An example: You configure your server list using either static or dynamic configuration like:
> > server.1=a.foo.com:2888:3888
> > server.2=b.foo.com:2888:3888
> > ...
> >
> > In this case when server.2 starts, it reads the config then initiates a connection (for the ZK internal leader election protocol) to server.1 by connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888), enabling server.1 to connect back. However, if server.2 is behind a proxy / using kubernetes / whatever, then it is possible that you can reach server.2 as b.foo.com but the ZK process on server.2 can not actually bind on b.foo.com:3888. In this case the easiest solution is to bind on 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of server 2, since in this case server.2 would send 0.0.0.0:3888 in the initial message to server.1 and server.1 would try to connect back to server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to bind on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an address where other servers can reach it.
> >
> > I hope the explanation made it more (and not less) clear :p
> >
> > Kind regards,
> > Mate
> >
> > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
> > > Hi,
> > >
> > > I am trying to see what are the pros and cons of setting quorumListenOnAllIPs to true. Running a ZooKeeper cluster in mTLS or local proxy environments is not working by keeping the default value (false). So can someone please explain?
> > >
> > > Anyway, ZooKeeper will form a quorum with the server list from the zoo.conf static file, right? So by enabling this property, can any server or IP out of the zoo.conf join the quorum?
> > >
> > > Ram
Re: Side effects of setting quorumListenOnAllIPs to true

Mate,

Thanks for explaining, all I want to know is by enabling this property there are no side effects or security risks.

Ram

On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> Hi Ram,
>
> I am not sure I understand your question. The config quorumListenOnAllIPs
> is about to specify if the ports ZooKeeper uses for server-to-server
> communication should bind on the specified address/IP
> (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
>
> An example: You configure your server list using either static or dynamic
> configuration like:
>   server.1=a.foo.com:2888:3888
>   server.2=b.foo.com:2888:3888
>   ...
>
> In this case when server.2 starts, it reads the config then initiates a
> connection (for the ZK internal leader election protocol) to server.1 by
> connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888),
> enabling server.1 to connect back. However, if server.2 is behind a proxy /
> using kubernetes / whatever, then it is possible that you can reach
> server.2 as b.foo.com but the ZK process on server.2 can not actually bind
> on b.foo.com:3888. In this case the easiest solution is to bind on
> 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of
> server.2, since in this case server.2 would send 0.0.0.0:3888 in the
> initial message to server.1 and server.1 would try to connect back to
> server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes
> in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to bind
> on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an
> address where other servers can reach it.
>
> I hope the explanation made it more (and not less) clear :p
>
> Kind regards,
> Mate
Re: Side effects of setting quorumListenOnAllIPs to true

Hi Ram,

I am not sure I understand your question. The config quorumListenOnAllIPs is about to specify if the ports ZooKeeper uses for server-to-server communication should bind on the specified address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).

An example: You configure your server list using either static or dynamic configuration like:
  server.1=a.foo.com:2888:3888
  server.2=b.foo.com:2888:3888
  ...

In this case when server.2 starts, it reads the config then initiates a connection (for the ZK internal leader election protocol) to server.1 by connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888), enabling server.1 to connect back. However, if server.2 is behind a proxy / using kubernetes / whatever, then it is possible that you can reach server.2 as b.foo.com but the ZK process on server.2 can not actually bind on b.foo.com:3888. In this case the easiest solution is to bind on 0.0.0.0:3888. However, you can not set 0.0.0.0:3888 in the config file of server.2, since in this case server.2 would send 0.0.0.0:3888 in the initial message to server.1 and server.1 would try to connect back to server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to bind on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an address where other servers can reach it.

I hope the explanation made it more (and not less) clear :p

Kind regards,
Mate

On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
> Hi,
>
> I am trying to see what are the pros and cons of setting
> quorumListenOnAllIPs to true. Running a zookeeper cluster in mtls or local
> proxy environments is not working by keeping the default value (false). So can
> someone please explain?
>
> Anyway zookeeper will form the quorum with the servers list from the zoo.conf
> static file, right? So by enabling this property can any server or IP out of
> the zoo.conf join the quorum?
>
> Ram
Side effects of setting quorumListenOnAllIPs to true

Hi,

I am trying to see what are the pros and cons of setting quorumListenOnAllIPs to true. Running a zookeeper cluster in mtls or local proxy environments is not working by keeping the default value (false). So can someone please explain?

Anyway zookeeper will form the quorum with the servers list from the zoo.conf static file, right? So by enabling this property can any server or IP out of the zoo.conf join the quorum?

Ram