[ https://issues.apache.org/jira/browse/ZOOKEEPER-3977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17216790#comment-17216790 ]

Mate Szalay-Beko commented on ZOOKEEPER-3977:
---------------------------------------------

Hi,

In Jira we usually track features / bugs, but this is only a configuration / 
operation related question. I don't know if we have more detailed documentation 
on this. You can google the question, or ask this on the zookeeper user mailing 
list (https://zookeeper.apache.org/lists.html).

The short answer is: There are many authentication providers in ZooKeeper. You 
can define static user/password pairs. But in secure installations people 
usually use SASL + Kerberos. If you have the authentication provider set, then 
you can create a zookeeper service user and set the ACL of the "/zookeeper" 
znode to be accessible only to that given user. (e.g. using ZooKeeper CLI: 
"setAcl /zookeeper sasl:zookeeper:rwcda" )

By the way: ZooKeeper 3.4.5 is an old version, not supported by the community 
anymore. Would you consider upgrading to the latest 3.5.x or 3.6.x version?
(From ZooKeeper 3.5 you can have wire encryption (TLS), and from 3.6 you can 
also enforce authentication, which is usually also important if you need a 
really secure installation.)

> Vuln Reported - Apache Zookeeper Common/Default Nodes Accessible Without ACL
> ----------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3977
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3977
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: other
>    Affects Versions: 3.4.5
>         Environment: Reported on below operating systems - 
>  # CentOS
>  # Microsoft Windows 2012 R2
>  # RHEL 6.10
>  # RHEL 7.7
>  # RHEL 7.8
>            Reporter: NonOS
>            Priority: Major
>
> Vulnerability titled - Apache Zookeeper Common/Default Nodes Accessible 
> Without ACL has been reported on our servers, and recommended solution is to 
> enable ACL on all the nodes.
> We need assistance with steps as to how to enable ACL and how to perform 
> application testing after enabling ACL
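The ACL entries discussed above use ZooKeeper's `scheme:id:perms` form (the default `world:anyone:cdrwa` that the scanner flags, and the `sasl:zookeeper:rwcda` suggested in the comment). Below is an added example, not ZooKeeper project code, that parses that form and audits a znode listing for entries granting access to unauthenticated callers; the listing is constructed inline and stands in for what `getAcl` would return.

```python
"""Audit ZooKeeper ACL strings ('scheme:id:perms') for world-open znodes.

Added example, not ZooKeeper's own code. Permission letters follow the CLI:
r=read, w=write, c=create, d=delete, a=admin.
"""
from dataclasses import dataclass
from typing import Dict, List

PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # ZooKeeper Perms bit values


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: int


def parse_acl(text: str) -> Acl:
    """Parse 'scheme:id:perms'. The id may itself contain ':' (digest ids are
    'user:base64hash'), so take the scheme from the left and perms from the right."""
    scheme, rest = text.split(":", 1)
    id_, perm_str = rest.rsplit(":", 1)
    perms = 0
    for ch in perm_str:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission {ch!r} in {text!r}")
        perms |= PERM_BITS[ch]
    return Acl(scheme, id_, perms)


def is_open(acl: Acl) -> bool:
    """True when the entry grants any permission to an unauthenticated caller."""
    return acl.scheme == "world" and acl.id == "anyone" and acl.perms != 0


def audit(znodes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {path: [open entries]} for every znode reachable without auth.
    Read-only world access is still reported; write/create/delete/admin is worse."""
    findings = {}
    for path, entries in znodes.items():
        open_entries = [e for e in entries if is_open(parse_acl(e))]
        if open_entries:
            findings[path] = open_entries
    return findings


# Constructed sample: a default tree where /zookeeper is world-open, beside
# znodes locked to the SASL service user as the comment above suggests.
SAMPLE = {
    "/zookeeper": ["world:anyone:cdrwa"],
    "/zookeeper/quota": ["world:anyone:cdrwa"],
    "/app/config": ["sasl:zookeeper:rwcda"],
    "/app/public": ["sasl:zookeeper:rwcda", "world:anyone:r"],
}

if __name__ == "__main__":
    for path, entries in audit(SAMPLE).items():
        print(f"{path}: open to unauthenticated clients via {entries}")
```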

--
This message was sent by Atlassian Jira
(v8.3.4#803005)