Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-1736

Zookeeper SASL authentication allows anonymus users to log in

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: server
    • Labels:
      None
    • Environment:

      Development

      Description

      Hello.
      I have configured Zookeeper to provide SASL authentication, using ordinary username and password stored in the JAAS.conf as a DigestLoginModule
      I have created a simple jaas.conf file:

      Server {
      org.apache.zookeeper.server.auth.DigestLoginModule required
      user_admin="admin";
      };
      Client {
      org.apache.zookeeper.server.auth.DigestLoginModule required
      username="admin"
      password="admin";
      };

      I have the zoo.cfg correctly configured for security, adding the following:
      requireClientAuthScheme=sasl
      authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      jaasLoginRenew=3600000
      zookeeper.allowSaslFailedClients=false

      And I also have the java.env file:
      export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dzookeeper.allowSaslFailedClients=false"

      Everything looks good. If I put the right username and password I authenticate, otherwise not and I get an exception.
      The problem is when I don’t put any username and password at all, zookeeper allows me to go through.
      I tried different things but nothing stops anonymous users to log in.
      I was looking at the source code, in particular the ZookeeperServer.java, this method:

      public void processPacket(ServerCnxn cnxn, ByteBuffer incomingBuffer) throws IOException

      { The section below: }

      else {
      if (h.getType() == OpCode.sasl)

      { Record rsp = processSasl(incomingBuffer,cnxn); ReplyHeader rh = new ReplyHeader(h.getXid(), 0, KeeperException.Code.OK.intValue()); cnxn.sendResponse(rh,rsp, "response"); // not sure about 3rd arg..what is it? }

      else

      { Request si = new Request(cnxn, cnxn.getSessionId(), h.getXid(), h.getType(), incomingBuffer, cnxn.getAuthInfo()); si.setOwner(ServerCnxn.me); submitRequest(si); }

      }

      The else flow appears to just forward any anonymous request to the handler, without attempting any authentication.

      Is this a bug? Is there any way to stop anonymous users connecting to Zookeeper?
      Thanks

      Antonio

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              bacco1977 AntonioS
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: