Thank you very much Enrico,

So let's move to the ACL level. If I create a new node as:

Create /mynode content sasl:myuser:mydigest:crdwa

Indeed only the authenticated myuser is able to READ /mynode... BUT any other 
non-authenticated user can DELETE the node. How can I prevent this? I could 
not find an explicit solution in the doc.

Regards,

Rémi

-----Original Message-----
From: Enrico Olivelli [mailto:eolive...@gmail.com] 
Sent: Tuesday, April 10, 2018 15:51
To: UserZooKeeper <user@zookeeper.apache.org>
Subject: Re: Client-Server authentication with DIGEST-MD5

2018-04-10 15:22 GMT+02:00 Remi Serrano <rserr...@pros.com>:

> Hello
>
> I'm trying to secure my ZK cluster. To do so I'm trying to leverage both:
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> and
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>
> The Server to Server works fine. However, the Client to Server seems 
> to be useless, as here is the behavior I get:
>
>   *   Client using a declared user on the server + good password CAN connect
>   *   Client using a declared user on the server + bad password CANNOT connect
>   *   Client using a non-declared user on the Server CANNOT connect
> So far so good... but:
>
>   *   Client using NO user at all CAN connect !!!
>


This is expected. Client auth is mostly used together with ACLs, otherwise 
AFAIK it is pretty useless in ZK.

Please note that MD5 is not "secure" at all, and consider using SASL/Kerberos 
for a production environment.

Cheers
Enrico


>
> Any hint ?
>
>

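A small model, added here and not ZooKeeper's own code, of which znode's ACL ZooKeeper consults for each operation. It reproduces the situation in Rémi's question (ZooKeeper's default open ACL on "/", a sasl ACL on /mynode) to show why an unauthenticated session can still delete /mynode, and that restricting the ACL of "/" is what closes the gap. The tree, the principal `myuser`, the ACL strings and the hardened root ACL are constructed for the example; the ACL is written in the `scheme:id:perms` form the CLI accepts.

```python
# Model of ZooKeeper's permission check (constructed example, not ZooKeeper code).
# Permission bits follow ZooDefs.Perms; ACL strings are 'scheme:id:perms'.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
PERM_BITS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}
OP_PERM = {"getData": READ, "setData": WRITE, "create": CREATE,
           "delete": DELETE, "setACL": ADMIN}


def parse_acl(spec):
    """'scheme:id:perms' as typed in the CLI -> (scheme, id, bits)."""
    scheme, rest = spec.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    bits = 0
    for ch in perms:
        bits |= PERM_BITS[ch]
    return scheme, ident, bits


def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"


def governing_node(op, path):
    """create and delete are checked against the PARENT's ACL; everything else
    against the node itself. A 'd' bit on /mynode therefore protects the
    children of /mynode, not /mynode: deleting /mynode is decided by '/'."""
    return parent_of(path) if op in ("create", "delete") else path


def authorized(tree, session_ids, op, path):
    """session_ids: set of (scheme, id) the connection authenticated as.
    An unauthenticated session has an empty set and only matches world:anyone."""
    need = OP_PERM[op]
    for scheme, ident, bits in tree[governing_node(op, path)]:
        if not bits & need:
            continue
        if (scheme, ident) == ("world", "anyone") or (scheme, ident) in session_ids:
            return True
    return False


# Constructed tree: '/' keeps the default open ACL, /mynode has a sasl ACL.
TREE = {"/": [parse_acl("world:anyone:cdrwa")],
        "/mynode": [parse_acl("sasl:myuser:crdwa")]}
ANON, MYUSER = set(), {("sasl", "myuser")}

# Hardened variant: only myuser may create/delete top-level nodes; world keeps
# read so unauthenticated clients can still list '/'.
HARDENED = {**TREE, "/": [parse_acl("sasl:myuser:cdrwa"),
                          parse_acl("world:anyone:r")]}

if __name__ == "__main__":
    print(authorized(TREE, ANON, "getData", "/mynode"))      # False: node ACL
    print(authorized(TREE, ANON, "delete", "/mynode"))       # True: '/' is open
    print(authorized(HARDENED, ANON, "delete", "/mynode"))   # False
    print(authorized(HARDENED, MYUSER, "delete", "/mynode")) # True
```

Changing the ACL of "/" on a live ensemble needs the 'a' bit on "/" for the session doing it, and every other client that creates top-level nodes must then authenticate too.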