Thank you all for your suggestions.

On Tue, Jun 16, 2020, 5:56 AM Szalay-Bekő Máté <[email protected]> wrote:

> :)
>
> just some info from https://zookeeper.apache.org/security.html
>
> "If you have any concern or believe you have uncovered a vulnerability, we
> suggest that you get in touch via the e-mail address [email protected].
> In the message, try to provide a description of the issue and ideally a way
> of reproducing it. (...) Please report any security problems to the project
> security address before disclosing it publicly."
>
> Kind regards,
> Mate
>
> On Tue, Jun 16, 2020 at 1:36 PM ashish soni <[email protected]> wrote:
>
> > Good suggestions Mate. We are in progress to implement both (SSL AND SASL).
> > Will try to pan out some destructive cases to test it out :)
> >
> > On Tue, Jun 16, 2020, 4:07 AM Szalay-Bekő Máté <[email protected]> wrote:
> >
> > > Also the best is to use QuorumSASL or QuorumSSL to make sure the ZooKeeper
> > > server-to-server communication is secure and no one who is not trusted can
> > > connect and gain access to the quorum.
> > >
> > > However, if one is using QuorumSASL or QuorumSSL then it is still possible
> > > that a DOS attack can hit the ZooKeeper port causing problems. But that can
> > > again be solved by firewalls I think.
> > >
> > > On Tue, Jun 16, 2020 at 12:49 PM Szalay-Bekő Máté <[email protected]> wrote:
> > >
> > > > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > > > > still connect and form a quorum with only the static or dynamic server
> > > > > connection strings or it can connect and form a quorum with any IP address
> > > > > outside the server connection strings as it is allowed to bind with a
> > > > > 0.0.0.0 interface?
> > > >
> > > > This is a good question. I think there is a chance that one can "intrude"
> > > > this way. Although I wouldn't give more tips on the mailing list. :)
> > > > The best is to protect the ZooKeeper internal network using firewalls. The
> > > > election port and leader port should be reachable only by other ZooKeeper
> > > > server hosts.
> > > >
> > > > Regards,
> > > > Mate
> > > >
> > > > On Tue, Jun 16, 2020 at 12:24 PM ashish soni <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Mate, suppose we do set quorumListenOnAllIPs to true. Will the zookeeper
> > > > > still connect and form a quorum with only the static or dynamic server
> > > > > connection strings or it can connect and form a quorum with any IP address
> > > > > outside the server connection strings as it is allowed to bind with a
> > > > > 0.0.0.0 interface?
> > > > >
> > > > > Ram, I think you don't need to add this if you have a static IP config or
> > > > > using 3.6+. If you feel it is a security issue for the organization, try
> > > > > ZK 3.6.1 without setting that config.
> > > > >
> > > > > Regards,
> > > > > Aishwarya Soni
> > > > >
> > > > > On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <[email protected]> wrote:
> > > > >
> > > > > > Hi Ram,
> > > > > >
> > > > > > > all I want to know is by enabling this property there are no side
> > > > > > > effects or security risks.
> > > > > >
> > > > > > well, this is something for you (or for your security team) to evaluate.
> > > > > > E.g. if your hosts have multiple network interfaces with both "private"
> > > > > > and "public" networks attached, then I can consider setting
> > > > > > quorumListenOnAllIPs=true to be a security risk. Of course you can block
> > > > > > the public access with proper firewall rules.
> > > > > >
> > > > > > But usually ZooKeeper is deployed in some secure / core infrastructure,
> > > > > > well protected from DOS / other attacks, in which case
> > > > > > quorumListenOnAllIPs=true is not a real security risk.
> > > > > >
> > > > > > This is something we (the ZooKeeper community) will not be able to tell,
> > > > > > as this depends on your network topology and your security protocols. We
> > > > > > can only help in explaining what this config is doing.
> > > > > >
> > > > > > Kind regards,
> > > > > > Mate
> > > > > >
> > > > > > On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <[email protected]> wrote:
> > > > > >
> > > > > > > Mate,
> > > > > > >
> > > > > > > Thanks for explaining, all I want to know is by enabling this property
> > > > > > > there are no side effects or security risks.
> > > > > > >
> > > > > > > Ram
> > > > > > >
> > > > > > > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <[email protected]> wrote:
> > > > > > >
> > > > > > > > Hi Ram,
> > > > > > > >
> > > > > > > > I am not sure I understand your question. The config
> > > > > > > > quorumListenOnAllIPs is about to specify if the ports ZooKeeper uses
> > > > > > > > for Server-to-server communication should bind on the specified
> > > > > > > > address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0
> > > > > > > > (quorumListenOnAllIPs=true).
> > > > > > > >
> > > > > > > > An example: You configure your server list using either static or
> > > > > > > > dynamic configuration like:
> > > > > > > > server.1=a.foo.com:2888:3888
> > > > > > > > server.2=b.foo.com:2888:3888
> > > > > > > > ...
> > > > > > > >
> > > > > > > > In this case when server.2 starts, it reads the config then initiates
> > > > > > > > connection (for ZK internal leader election protocol) to server.1 by
> > > > > > > > connecting to a.foo.com:3888 and sending its own address
> > > > > > > > (b.foo.com:3888) enabling server.1 to connect back. However, if
> > > > > > > > server.2 is behind a proxy / using Kubernetes / whatever, then it is
> > > > > > > > possible that you can reach server.2 as b.foo.com but the ZK process
> > > > > > > > on server.2 cannot actually bind on b.foo.com:3888. In this case the
> > > > > > > > easiest solution is to bind on 0.0.0.0:3888. However, you cannot set
> > > > > > > > 0.0.0.0:3888 in the config file of server 2, since in this case
> > > > > > > > server.2 would send 0.0.0.0:3888 in the initial message to server.1
> > > > > > > > and server.1 would try to connect back to server.2 using 0.0.0.0:3888
> > > > > > > > which is a bad idea. So in this case it comes in handy to set
> > > > > > > > quorumListenOnAllIPs=true which will cause ZooKeeper to bind on
> > > > > > > > 0.0.0.0:3888 and still send a 'valid' address in the initial message,
> > > > > > > > an address where other servers can reach it.
> > > > > > > >
> > > > > > > > I hope the explanation made it more (and not less) clear :p
> > > > > > > >
> > > > > > > > Kind regards,
> > > > > > > > Mate
> > > > > > > >
> > > > > > > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > I am trying to see what are the pros and cons of setting
> > > > > > > > > quorumListenOnAllIPs to true. Running zookeeper cluster in mtls or
> > > > > > > > > local proxy environments is not working by keeping default value
> > > > > > > > > (false). So can someone please explain?
> > > > > > > > >
> > > > > > > > > Any way zookeeper will form quorum with the servers list from the
> > > > > > > > > zoo.conf static file right? So by enabling this property can any
> > > > > > > > > server or IP out of the zoo.conf can join the quorum?
> > > > > > > > >
> > > > > > > > > Ram
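
Added example (not part of the thread and not ZooKeeper project code): a small Python audit that reads a ZooKeeper config, flags quorumListenOnAllIPs=true and missing quorum SSL/SASL, and lists the peer/port pairs a firewall should allow so that the leader and election ports are reachable only by other ZooKeeper hosts. The sample config is constructed, the function names are hypothetical, and `sslQuorum` / `quorum.auth.enableSasl` are assumed to be the settings behind the "QuorumSSL" and "QuorumSASL" mentioned in the thread.

```python
import re

# Constructed sample config: hostnames from the thread's example, the rest assumed.
SAMPLE_CFG = """\
quorumListenOnAllIPs=true
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
"""

SERVER_KEY = re.compile(r"^server\.(\d+)$")

def is_true(settings, key):
    return settings.get(key, "false").strip().lower() == "true"

def parse_cfg(text):
    """Return (settings, servers); servers maps id -> (host, quorum_port, election_port)."""
    settings, servers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = SERVER_KEY.match(key)
        if match:
            # Single-address form only: host:quorumPort:electionPort[:role][;clientPort]
            host, qport, eport = value.split(";")[0].split(":")[:3]
            servers[int(match.group(1))] = (host, int(qport), int(eport))
        else:
            settings[key] = value
    return settings, servers

def audit(text):
    """Return findings about how exposed the quorum (server-to-server) ports are."""
    settings, _ = parse_cfg(text)
    findings = []
    if is_true(settings, "quorumListenOnAllIPs"):
        findings.append("quorum ports bind on 0.0.0.0; firewall them on every interface")
    if not (is_true(settings, "sslQuorum") or is_true(settings, "quorum.auth.enableSasl")):
        findings.append("no quorum SSL or SASL; connecting peers are not authenticated")
    return findings

def peer_allowlist(text, my_id):
    """Return (peer_host, local_port) pairs to allow inbound; drop everything else."""
    _, servers = parse_cfg(text)
    _, qport, eport = servers[my_id]
    return [(host, port) for sid, (host, _, _) in sorted(servers.items())
            if sid != my_id for port in (qport, eport)]

if __name__ == "__main__":
    print(audit(SAMPLE_CFG), peer_allowlist(SAMPLE_CFG, 2))
```

The allowlist for server 2 is the input for whatever firewall is in use: accept the listed peers on the leader and election ports and reject all other sources on those ports.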
