[ https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107813#comment-14107813 ]

Patrick Hunt commented on ZOOKEEPER-2014:
-----------------------------------------

Yes, this is a concern for me as well.

1) mixing the client API and the admin API is not great. It would be better to 
have them separate. We should fix this ASAP.

2) this (controlling access to reconfig) is a big issue from a security 
perspective IMO.

A few comments on the comments so far:

bq. ensure that only the Admin can reconfigure a cluster

sounds sensible to me

bq. Perhaps restricting access to /zookeeper/config as well

in the past we've (ben in particular) tried to limit the amount of information 
we provide to the client/session. For example we don't tell them which server 
they are connected to. I see this in the same vein.

bq. one could ensure Admin only access via an ACL, but that would leave 
everyone who doesn't use ACLs unprotected.

well, you're already unprotected in this situation so I don't really see it as 
a sticking point.

bq. clients may need read access for example in order to run the new 
client-side load balancing functionality

perhaps this argues for pushing this to the server? Encapsulate the 
information on the service, I mean, and expose it as a specific API.

bq. Actually perhaps we should open a JIRA to hide the client-side rebalancing 
from clients (not for 3.5.0). 

yes, that's what I was trying to get at in the previous item in this comment. 
Although I think we'd need to fix this now, while we can still change the APIs 
w/o worrying about b/w compat (we can change new APIs during the alpha period 
w/o worrying about back compat).

bq. should this be similar to how updating the quota znode works? Or do you 
think changing configuration is different?

if quotas are "admin" functions we probably need to fix those as well - lock 
them down to just admin level authz I mean.


> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-2014
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.0
>            Reporter: Raul Gutierrez Segales
>            Assignee: Raul Gutierrez Segales
>            Priority: Blocker
>         Attachments: ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We 
> should, at the very least, ensure that only the Admin can reconfigure a 
> cluster. Perhaps restricting access to /zookeeper/config as well, though this 
> is debatable. Surely one could ensure Admin-only access via an ACL, but that 
> would leave everyone who doesn't use ACLs unprotected. We could also force a 
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run 
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure 
> if everyone does, or how it would work with other authentication providers).
--
This message was sent by Atlassian JIRA
(v6.2#6252)