[
https://issues.apache.org/jira/browse/ZOOKEEPER-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16026938#comment-16026938
]
Michael Han commented on ZOOKEEPER-2779:
----------------------------------------
I think adding the option to skip the default ACL is reasonable - the general
idea of providing an escape hatch is useful in any case, in particular for
debugging.
> It also, perversely, makes security worse as the entire ZooKeeper instance
> must be opened to "super" user while reconfig is enabled
This is kind of true because of unrestricted access for the superuser. ZK does
not have a formal threat model, so it is not clear to me what kind of security
risk running a cluster in superuser mode would be - in any case this should be
discussed in another JIRA, because the superuser is not necessarily tied to the
dynamic reconfig use cases; if having a superuser exposes a certain security
risk, we should probably try to address that, for example by making this a
debug-only feature.
Meanwhile I'd argue the approach proposed in this patch is not safer either.
The approach this patch is using is to do online ACL configuration, and that is
not safe compared to offline ACL configuration, because there is an open window
during which an attacker can access the cluster and configure the ACLs on
various zNodes including the reconfig node, even with authentication in place
(assume we have malicious Kerberos users, for example - so we have to do
authorization in addition to authentication). It is certainly possible to
improve the current solution such that we don't need the superuser running for
reconfig and also retain the offline configuration, but that's a better fit
for a separate JIRA.
So I am +1 with the idea of introducing a skip option, but I'd like to revise
some of the messages delivered in the documents. In particular, do not
advertise it as a safe / secure approach for setting up reconfig, but instead
mention this as a convenient option for debugging / experimenting with the
reconfig feature.
In general we are still safe because reconfig as a feature has to be opt-in (by
default it's disabled).
> Add option to not set ACL for reconfig node
> -------------------------------------------
>
> Key: ZOOKEEPER-2779
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2779
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.5.3
> Reporter: Jordan Zimmerman
> Assignee: Jordan Zimmerman
> Fix For: 3.5.4, 3.6.0
>
>
> ZOOKEEPER-2014 changed the behavior of the /zookeeper/config node by setting
> the ACL to {{ZooDefs.Ids.READ_ACL_UNSAFE}}. This change makes it very
> cumbersome to use the reconfig APIs. It also, perversely, makes security
> worse as the entire ZooKeeper instance must be opened to "super" user while
> reconfig is enabled (per {{ReconfigExceptionTest.java}}). Provide a mechanism
> for savvy users to disable this ACL so that an application-specific custom
> ACL can be set.
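A defender-side check for the ACL discussion above, added here as an example and not code from the ZooKeeper project or from either commenter: it reads the ACL on /zookeeper/config and reports whether it is still the default read-only ACL from ZOOKEEPER-2014, has been opened so that world:anyone can modify the reconfig node, or carries a custom ACL that should be reviewed. The connect string is an assumed placeholder; everything else uses the public ZooKeeper client API.

```java
import java.util.List;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

/** Audits the ACL on /zookeeper/config (ZooDefs.CONFIG_NODE). */
public class ConfigNodeAclAudit {
    // Permission bits that allow changing the reconfig node or its ACL.
    private static final int MUTATING = ZooDefs.Perms.WRITE | ZooDefs.Perms.CREATE
            | ZooDefs.Perms.DELETE | ZooDefs.Perms.ADMIN;

    /** True if any entry grants a mutating permission to world:anyone. */
    static boolean worldMutable(List<ACL> acl) {
        for (ACL entry : acl) {
            boolean isWorld = "world".equals(entry.getId().getScheme())
                    && "anyone".equals(entry.getId().getId());
            if (isWorld && (entry.getPerms() & MUTATING) != 0) {
                return true;
            }
        }
        return false;
    }

    /** True if the ACL is exactly the default set by ZOOKEEPER-2014 (world:anyone, read). */
    static boolean isDefaultReadOnly(List<ACL> acl) {
        return acl.equals(ZooDefs.Ids.READ_ACL_UNSAFE);
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder; pass the real ensemble connect string as args[0].
        String connect = args.length > 0 ? args[0] : "127.0.0.1:2181";
        ZooKeeper zk = new ZooKeeper(connect, 10_000, event -> { });
        try {
            List<ACL> acl = zk.getACL(ZooDefs.CONFIG_NODE, new Stat());
            System.out.println("ACL on " + ZooDefs.CONFIG_NODE + ": " + acl);
            if (isDefaultReadOnly(acl)) {
                System.out.println("default READ_ACL_UNSAFE: only the superuser can reconfig");
            } else if (worldMutable(acl)) {
                System.out.println("WARNING: world:anyone can modify the reconfig node");
            } else {
                System.out.println("custom ACL in place; confirm it names only intended principals");
            }
        } finally {
            zk.close();
        }
    }
}
```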