[ https://issues.apache.org/jira/browse/ZOOKEEPER-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872094#comment-15872094 ]

Robert Joseph Evans commented on ZOOKEEPER-2699:
------------------------------------------------

I'm not sure this will fix the issue.  IP address spoofing is rather simple to 
do.  You are not guaranteed to get a result back, but for 4 letter commands 
doing DoS you really don't care all that much.  In fact it might be better 
because you don't have to worry about your node being bogged down with 
responses from someone else.

If we restrict it to the loopback device or something like that, it is much 
more likely to restrict bad users.

> Restrict 4lw commands based on client IP
> ----------------------------------------
>
>                 Key: ZOOKEEPER-2699
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2699
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>
> Currently 4lw commands are executed without authentication and can be 
> accessed from any IP which has access to ZooKeeper server. ZOOKEEPER-2693 
> attempts to limit the 4lw commands which are enabled by default or enabled by 
> configuration.
> In addition to ZOOKEEPER-2693 we should also restrict 4lw commands based on 
> client IP as well. It is required for the following scenario:
> # User wants to enable all the 4lw commands
> # User wants to limit the access of the commands which are considered to be 
> safe by default.
>  
> *Implementation:*
> we can introduce new property 4lw.commands.host.whitelist
> # By default we allow all the hosts, but of course only on the 4lw exposed 
> commands as per ZOOKEEPER-2693
> # It can be configured to allow individual IPs (192.168.1.2, 192.168.1.3, etc.)
> # It can also be configured to allow a group of IPs like 192.168.1.*



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
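The whitelist semantics proposed in the issue (a comma-separated list of exact IPs, `192.168.1.*`-style wildcards, and allow-all by default) and the loopback-only alternative raised in the comment, as an added illustrative matcher. This is example code written for this page, not ZooKeeper's implementation; the property name `4lw.commands.host.whitelist`, the functions `parse_whitelist`, `is_allowed`, `loopback_only` and `gate`, and the peer addresses below are assumptions constructed for the demonstration. It also covers two cases a practitioner hits in practice that the issue text does not mention: IPv4-mapped IPv6 peers (`::ffff:a.b.c.d`, as seen on dual-stack listeners) are unwrapped before matching, and malformed or ambiguous entries are rejected at parse time instead of silently matching nothing.

```python
import ipaddress

# Constructed sample of the proposed property value (assumption, not a real config).
SAMPLE_WHITELIST = "192.168.1.2, 192.168.1.3,10.0.*"


def canonical(peer_ip):
    """Parse a peer address and unwrap IPv4-mapped IPv6 (::ffff:x.y.z.w) to IPv4.

    ipaddress.ip_address rejects leading-zero octets and other oddities, so a
    peer string that does not parse raises ValueError rather than matching.
    """
    addr = ipaddress.ip_address(peer_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def parse_whitelist(value):
    """Turn 'a.b.c.d, e.f.g.*' into a list of (kind, payload) entries.

    kind is 'all' (bare '*'), 'exact' (a single address) or 'prefix' (an
    IPv4 dotted prefix such as '192.168.1.' for the wildcard '192.168.1.*').
    Wildcards are only accepted as a trailing '.*' after 1-3 numeric octets.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item == "*":
            entries.append(("all", None))
        elif item.endswith(".*"):
            prefix = item[:-1]            # keep the trailing dot: "192.168.1."
            octets = prefix[:-1].split(".")
            if not 1 <= len(octets) <= 3 or not all(
                o.isdigit() and 0 <= int(o) <= 255 for o in octets
            ):
                raise ValueError(f"bad wildcard entry: {item!r}")
            entries.append(("prefix", prefix))
        else:
            entries.append(("exact", canonical(item)))
    return entries


def is_allowed(entries, peer_ip):
    """True if the (canonicalised) peer address matches any whitelist entry."""
    addr = canonical(peer_ip)
    text = str(addr)
    for kind, payload in entries:
        if kind == "all":
            return True
        if kind == "exact" and payload == addr:
            return True
        # Prefix match is IPv4-only; the trailing dot in payload stops
        # "192.168.1." from matching "192.168.10.5".
        if kind == "prefix" and isinstance(addr, ipaddress.IPv4Address) \
                and text.startswith(payload):
            return True
    return False


def loopback_only(peer_ip):
    """The stricter alternative from the comment: accept only 127.0.0.0/8 or ::1."""
    return canonical(peer_ip).is_loopback


def gate(entries, peer_ip, require_loopback=False):
    """Decide whether a 4lw command from peer_ip may run under the chosen policy."""
    if require_loopback:
        return loopback_only(peer_ip)
    return is_allowed(entries, peer_ip)


if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_WHITELIST)
    # Constructed peer addresses, including an IPv4-mapped IPv6 client.
    for peer in ["192.168.1.2", "192.168.1.4", "10.0.7.9", "10.10.0.1",
                 "::ffff:192.168.1.3", "127.0.0.1", "::1"]:
        print(f"{peer:>20}  whitelist={gate(entries, peer)!s:5}  "
              f"loopback-only={gate(entries, peer, require_loopback=True)}")
```

The whitelist branch and the loopback branch are deliberately separate functions so the policy choice discussed in the thread is a one-flag switch; whichever is chosen, the decision is only as trustworthy as the source address the server observes on the accepted connection.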
