[ https://issues.apache.org/jira/browse/ZOOKEEPER-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16026938#comment-16026938 ]
Michael Han commented on ZOOKEEPER-2779:
----------------------------------------

I think adding the option to skip the default ACL is reasonable - the general idea of providing an escape hatch is useful in any case, in particular for debugging.

> It also, perversely, makes security worse as the entire ZooKeeper instance must be opened to "super" user while enabled reconfig

This is kind of true because of unrestricted access for superuser. ZK does not have a formal threat model so it is not clear to me what kind of security risk running a cluster in superuser mode would be - in any case this should be discussed in another JIRA, because the superuser is not necessarily tied to the dynamic reconfig use cases; if having a superuser exposes a certain security risk we should probably try to address that, for example by making this a debug-only feature.

Meanwhile I'd argue the approach proposed in this patch is not safer either. The approach this patch is using is to do online ACL configuration, and that is not safe compared to offline ACL configuration because there is an open window during which an attacker can access the cluster and configure the ACLs on various zNodes including the reconfig node, even with authentication in place (assume we have malicious Kerberos users, for example - so we have to do authorization in addition to authentication). It is certainly possible to improve the current solution such that we don't need superuser running for reconfig and also retain the offline configuration, but that's a better fit for a separate JIRA.

So I am +1 with the idea of introducing a skip option, but I'd like to revise some of the messages delivered in the documents. In particular, do not advertise it as a safe / secure approach for setting up reconfig, but instead mention this as a convenient option for debugging / experimenting with the reconfig feature. In general we are still safe because reconfig as a feature has to be opt-in (by default it's disabled).
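An added example, not code from this ticket or from the ZooKeeper project, of the "application-specific custom ACL" the reporter wants once the default READ_ACL_UNSAFE is skipped: the application gives its own digest identity full rights on /zookeeper/config and leaves world read for ordinary clients, so reconfig can be authorized against that identity instead of keeping a superuser session open. It assumes the default ACL is not applied (or that this runs once under a bootstrapping session that holds ADMIN on the node); the connection string, user `app-reconfig` and password are constructed placeholders.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

public class ReconfigNodeAcl {
    // The reconfig node whose default ACL this ticket is about.
    static final String CONFIG_NODE = "/zookeeper/config";

    // World may read cluster membership; only the application's digest identity may
    // write or administer the node (reconfig is authorized against this node's ACL).
    static List<ACL> buildAcl(String user, String password) throws Exception {
        // digest ids are "user:BASE64(SHA1(user:password))", which generateDigest computes
        String digest = DigestAuthenticationProvider.generateDigest(user + ":" + password);
        ACL appAll = new ACL(ZooDefs.Perms.ALL, new Id("digest", digest));
        ACL worldRead = new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE);
        return Arrays.asList(appAll, worldRead);
    }

    // Replace the node's ACL as the application identity; no superuser session involved.
    static Stat lockDownConfigNode(ZooKeeper zk, String user, String password) throws Exception {
        zk.addAuthInfo("digest", (user + ":" + password).getBytes("UTF-8"));
        Stat current = new Stat();
        zk.getACL(CONFIG_NODE, current);
        // Pass the observed ACL version so a concurrent ACL change fails the call
        // (BadVersionException) instead of being silently overwritten.
        return zk.setACL(CONFIG_NODE, buildAcl(user, password), current.getAversion());
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders: ensemble address and the application identity.
        ZooKeeper zk = new ZooKeeper("localhost:2181", 30000, event -> { });
        try {
            Stat s = lockDownConfigNode(zk, "app-reconfig", "CHANGE-ME");
            System.out.println("/zookeeper/config ACL version is now " + s.getAversion());
        } finally {
            zk.close();
        }
    }
}
```

Clients that later issue reconfig must call addAuthInfo with the same digest credentials; anything else, including an unauthenticated session, only keeps read access to the node.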
> Add option to not set ACL for reconfig node
> -------------------------------------------
>
>                 Key: ZOOKEEPER-2779
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2779
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.5.3
>            Reporter: Jordan Zimmerman
>            Assignee: Jordan Zimmerman
>             Fix For: 3.5.4, 3.6.0
>
>
> ZOOKEEPER-2014 changed the behavior of the /zookeeper/config node by setting
> the ACL to {{ZooDefs.Ids.READ_ACL_UNSAFE}}. This change makes it very
> cumbersome to use the reconfig APIs. It also, perversely, makes security
> worse as the entire ZooKeeper instance must be opened to "super" user while
> enabled reconfig (per {{ReconfigExceptionTest.java}}). Provide a mechanism
> for savvy users to disable this ACL so that an application-specific custom
> ACL can be set.