[jira] [Commented] (ZOOKEEPER-2014) Only admin should be allowed to reconfig a cluster

Tue, 09 May 2017 06:44:27 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16002692#comment-16002692
 ] 

Jordan Zimmerman commented on ZOOKEEPER-2014:
---------------------------------------------

I'm terribly sorry I was so late to this issue. Now that it's released I see 
even more problems. I just sent this email to @dev

{panel}
reconfig() is limited to "super" user. Perversely, this reduces security as 
"super" user is utterly insecure. Requiring new databases to be post-applied 
via super user creates a security hole. For the time that the new ACLs for 
/zookeeper/config are to be changed the ZooKeeper instance will be in "super" 
user mode. Additionally, having to do all this is terribly cumbersome. Lastly, 
the docs only make passing mention of this. I think users will be very 
surprised by this - especially as the docs refer users to 
ReconfigExceptionTest.java which isn't part of the client distribution.
{panel}

> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-2014
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.0
>            Reporter: Raul Gutierrez Segales
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.5.3, 3.6.0
>
>         Attachments: ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, 
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, 
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, 
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, 
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, 
> ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We 
> should, at the very least, ensure that only the Admin can reconfigure a 
> cluster. Perhaps restricting access to /zookeeper/config as well, though this 
> is debatable. Surely one could ensure Admin only access via an ACL, but that 
> would leave everyone who doesn't use ACLs unprotected. We could also force a 
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run 
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure 
> if everyone does, or how would it work with other authentication providers). 
> Review board https://reviews.apache.org/r/51546/



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to