ZooKeeper / ZOOKEEPER-424

server side chroot enforcement - link to auth

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.5.0
    • Component/s: server
    • Labels:
      None

      Description

      Allow the server administrator to enforce a particular root on specific authenticated users.

      ZOOKEEPER-237 implements the client side of this - the client can set a chroot, however this doesn't allow
      someone like an administrator to enforce the root.

      We should add the ability to the server to verify that all accesses are to a particular root.

      We currently have ACLs which provide essentially this, however there are a few small issues where root enforcement
      would be useful from a server operator's perspective.

          Activity

          Andrei Savu added a comment -

          FYI, the ZooKeeper REST server already supports this:

          Sample config for a chrooted channel:

          rest.port = 9998
          
          rest.endpoint.1 = /channel;localhost:2181,localhost:2182,localhost:2183/app-root
          rest.endpoint.1.http.auth = user:pass,user2:pass2
          rest.endpoint.1.zk.digest = appuser:pass
          

          You should also enable SSL because the browser sends the password as plain text:

          rest.ssl = true
          rest.ssl.jks = keys/rest.jks
          rest.ssl.jks.pass = 123456
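
An added example (not part of the comment above and not ZooKeeper project code): a small audit of a REST server config in the format shown in the comment. It flags endpoints whose connect string carries no chroot and endpoints that set http.auth while rest.ssl is off. The key names come from the comment; the parsing rules, the finding texts and the second endpoint in the sample are assumptions.

```python
# Constructed sample: endpoint 1 is the config from the comment (without the
# rest.ssl lines); endpoint 2 is invented here to show the no-chroot case.
SAMPLE = """\
rest.port = 9998
rest.endpoint.1 = /channel;localhost:2181,localhost:2182,localhost:2183/app-root
rest.endpoint.1.http.auth = user:pass,user2:pass2
rest.endpoint.1.zk.digest = appuser:pass
rest.endpoint.2 = /open;localhost:2181
"""


def parse_props(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return {endpoint_id: {"context", "chroot", "findings"}}."""
    props = parse_props(text)
    ssl_on = props.get("rest.ssl", "false").lower() == "true"
    report = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) != 3 or parts[:2] != ["rest", "endpoint"]:
            continue  # skip rest.port, rest.ssl and rest.endpoint.N.* sub-keys
        context, _, connect = value.partition(";")
        # Assumed connect string layout: host:port[,host:port...][/chroot]
        _hosts, slash, rest = connect.partition("/")
        chroot = "/" + rest.rstrip("/") if slash and rest.strip("/") else None
        findings = []
        if chroot is None:
            findings.append("no chroot: session is rooted at /")
        if f"{key}.http.auth" not in props:
            findings.append("no http.auth: endpoint is unauthenticated")
        elif not ssl_on:
            findings.append("http.auth without rest.ssl: passwords sent in clear")
        report[parts[2]] = {"context": context, "chroot": chroot,
                            "findings": findings}
    return report


if __name__ == "__main__":
    for eid, info in sorted(audit(SAMPLE).items()):
        print(eid, info["context"], info["chroot"], info["findings"])
```
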
          

            People

            • Assignee: Unassigned
            • Reporter: Patrick Hunt
            • Votes: 1
            • Watchers: 1
