New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZOOKEEPER-3959: Add support for multiple SASL-authenticated super users #1503
Conversation
@symat, @eolivelli: PTAL. Regarding comma-separated identifiers: I see that some existing code and this fresh contribution already assume that IDs are comma-less. |
return false; | ||
} | ||
|
||
for (String superId : superUser.split(",")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to be 100% compatible....what about using a list of properties
- zookeeper.superUser=foo
- zookeeper.superUser.1=foo2
- zookeeper.superUser.2=foo3
- zookeeper.superUser.3=foo4
we will also be supporting comma as we won't have any special character
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this! (Particularly since there is a precedent. Sorta.)
This is only for debug/print purposes |
Unfortunately—and independently of the syntax issue—I'm afraid that this is not true anymore… These strings end up, notably, in audit logs—and those are likely to be parsed by downstream tools (as opposed to eyeballed by "human debuggers"). Worse: I just noticed that one could generate very misleading audit logs just by doing, e.g.:
which results in entries such as:
I added a similar comment on PR 1504, which, if merged, would further extend the reach of these strings. It seems to me that What do you think? |
Honestly I don't see this to be a huge problem... I don't know how frequently is it to configure digest user names in this "misleading" fashion. (Also I only saw SASL scheme on the secure clusters of our customers...). Anyway, I'm happy if these printouts gets improved. But maybe we should stick to a backward-compatible solution, by making this configurable and behaving in the "old ways" by default. What about making an other Jira for this? |
Hi @symat,
I don't think it is a huge problem, but didn't want to stay silent as I noticed that audit logs could be spammed. I understand that nobody expects ZooKeeper to be able to withstand advanced malicious adversaries, but I'd rather plug the holes unless there is a serious reason not to.
I may be missing something here, but isn't it currently impossible to disable the Note that I just tried, it is even possible to insert newlines in there just using
(I'd be curious to know/understand if you cannot reproduce that on the aforementioned clusters.)
Sure.
Fine, but I'd include suggested mitigations (if/when we have some) in the docs.
Yeah, that is the plan, and I'm happy to provide patch(es). I just wanted to sanity check my findings. |
Thanks for your tests / feedback! I think it would worth to create a separate Jira for these issues indeed.
sure, I agree
I don't know if this is a problem or not. Having the auth providers enabled doesn't mean you have to use them. In our secure clusters we use TLS for wire encryption and SASL/kerberos to identify the users. Then each client is protecting it's zNodes by setting the ACLs (enabling access only to the given kerberos principals). So even if a user authenticate itself with digest or IP, it won't get access to any zNodes. On the other hand, I can accept that it should be configurable to disable these providers. They should remain enabled by default, but having two new config parameters to disable them make sense for me.
This indeed seems to be wrong. |
@ztzg I just realized this PR is for branch-3.6. Would you mind create a PR to the master branch? And when it gets merged there, then we can backport it to 3.6. |
Now ZOOKEEPER-3979.
Sure, will do. (I had already heard of that "best practice," and applied it exactly backwards. Oh well…) |
a8bf261
to
8693225
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, thanks! +1
zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
Outdated
Show resolved
Hide resolved
8693225
to
3287840
Compare
3287840
to
d9ed321
Compare
Edited the PR's description as it ends up in merged commits. It used to be:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good work, I left just one nit about a typo, it is worth to fix it, as no one else will every change it in the future
String prevSection = System.setProperty(ZKClientConfig.LOGIN_CONTEXT_NAME_KEY, "OtherClient"); | ||
|
||
// KLUDGE: We do this quite late, as the server has been | ||
// started at this point--but current the implementation looks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "but current the implementation looks"
-> "but the implementation currently looks"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed; thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(I'll merge this if I get a green CI.)
This mirrors the log statement in 'X509AuthenticationProvider', but it also logs the session ID to be "compliant" with ZOOKEEPER-2649.
This is the meat of the patch series. With it, a 'superUser' property containing commas is interpreted as multiple IDs to match against. (Note that this is not a strictly backwards compatible change, as SASL IDs can, in theory, contain commas--e.g., in DIGEST-MD5; see https://tools.ietf.org/html/rfc2831#section-2.1.2. But that is also true for Kerberos.)
(Not a pure refactoring as we do not reset the static variables to null, but that shouldn't matter and complicates things.)
This new function will be reused in a subsequent commit.
d9ed321
to
62901e1
Compare
We are used to not merge our own patches. |
I see. Good policy. I was hesitating, and did not want this to look like I had abandoned it. There is no hurry at all, indeed; don't worry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks! |
This implements a simple variant of the "multiple SASL-authenticated super users" functionality discussed on ticket ZOOKEEPER-3959. With this patch, properties matching `zookeeper.superUser.*` are considered, in addition to `zookeeper.superUser`, to determine whether an authenticated ID should be given `super` privileges. As before, `super` privileges remain a sharp tool and should be avoided where possible--but where necessary, allowing multiple IDs makes audit logs more useful. (Many thanks to eolivelli and symat for their comments and suggestions.) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1503 from ztzg/ZOOKEEPER-3959-multiple-superusers
This implements a simple variant of the "multiple SASL-authenticated super users" functionality discussed on ticket ZOOKEEPER-3959. With this patch, properties matching `zookeeper.superUser.*` are considered, in addition to `zookeeper.superUser`, to determine whether an authenticated ID should be given `super` privileges. As before, `super` privileges remain a sharp tool and should be avoided where possible--but where necessary, allowing multiple IDs makes audit logs more useful. (Many thanks to eolivelli and symat for their comments and suggestions.) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1503 from ztzg/ZOOKEEPER-3959-multiple-superusers
This implements a simple variant of the "multiple SASL-authenticated super users" functionality discussed on ticket ZOOKEEPER-3959. With this patch, properties matching `zookeeper.superUser.*` are considered, in addition to `zookeeper.superUser`, to determine whether an authenticated ID should be given `super` privileges. As before, `super` privileges remain a sharp tool and should be avoided where possible--but where necessary, allowing multiple IDs makes audit logs more useful. (Many thanks to eolivelli and symat for their comments and suggestions.) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1503 from ztzg/ZOOKEEPER-3959-multiple-superusers
This implements a simple variant of the "multiple SASL-authenticated super users" functionality discussed on ticket ZOOKEEPER-3959. With this patch, properties matching `zookeeper.superUser.*` are considered, in addition to `zookeeper.superUser`, to determine whether an authenticated ID should be given `super` privileges. As before, `super` privileges remain a sharp tool and should be avoided where possible--but where necessary, allowing multiple IDs makes audit logs more useful. (Many thanks to eolivelli and symat for their comments and suggestions.) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org> Closes apache#1503 from ztzg/ZOOKEEPER-3959-multiple-superusers
This implements a simple variant of the "multiple SASL-authenticated super users" functionality discussed on ticket ZOOKEEPER-3959.
With this patch, properties matching
zookeeper.superUser.*
are considered, in addition tozookeeper.superUser
, to determine whether an authenticated ID should be givensuper
privileges.As before,
super
privileges remain a sharp tool and should be avoided where possible--but where necessary, allowing multiple IDs makes audit logs more useful.(Many thanks to @eolivelli and @symat for their comments and suggestions.)