Reputation: 13471
I would like to have services authenticate with ZooKeeper with some credentials, so that they can access configuration information.
Digest authentication is not secure enough for my requirements: "Authentication is done by sending the username:password in clear text".
Is there a simple and secure alternative already available? I am able to use Curator, and the project is Java-based.
If not, what steps would be involved in creating my own authentication method? Implement AuthenticationProvider, set zookeeper.authProvider.1 on the servers to use this provider, and then pass whatever authentication token (perhaps a username/password hash) to the CuratorFrameworkFactory builder as the byte[] parameter?
Upvotes: 2
Views: 3867
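Added example, not part of the original question and not ZooKeeper's or Curator's own code: a sketch of the three steps the question lists, assuming ZooKeeper 3.4.x and Apache Curator (org.apache.curator) on the classpath. The class name TokenAuthProvider, the scheme name "token", the identity "svc-config" and the token value are all hypothetical. ZooKeeper hands the client's byte[] to the provider unchanged, so without transport encryption this token is as exposed on the wire as the digest scheme's username:password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;

// Server side: put this class on the ZooKeeper server classpath and start the
//   server with -Dzookeeper.authProvider.1=TokenAuthProvider
public class TokenAuthProvider implements AuthenticationProvider {
    // Constructed sample secret; load it from protected configuration in practice.
    static final byte[] TOKEN =
        "svc-config:sample-token".getBytes(StandardCharsets.UTF_8);

    @Override public String getScheme() { return "token"; } // hypothetical scheme name

    @Override
    public KeeperException.Code handleAuthentication(ServerCnxn cnxn, byte[] authData) {
        // authData is the byte[] the client passed to authorization() below.
        if (authData == null || !MessageDigest.isEqual(TOKEN, authData)) {
            return KeeperException.Code.AUTHFAILED;
        }
        // Identity that ACL entries of the form token:svc-config are matched against.
        cnxn.addAuthInfo(new Id(getScheme(), "svc-config"));
        return KeeperException.Code.OK;
    }

    @Override public boolean matches(String id, String aclExpr) { return id.equals(aclExpr); }
    @Override public boolean isAuthenticated() { return true; }
    @Override public boolean isValid(String id) { return id != null && !id.isEmpty(); }

    // Client side: the same scheme name and token bytes go to the Curator builder.
    static CuratorFramework connect(String connectString) {
        CuratorFramework client = CuratorFrameworkFactory.builder()
            .connectString(connectString)
            .retryPolicy(new ExponentialBackoffRetry(1000, 3))
            .authorization("token", TOKEN)
            .build();
        client.start();
        return client;
    }
}
```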
Reputation: 155
The ZooKeeper documentation says to set this property to use Netty: zookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
I looked at the source code for NettyServerCnxnFactory and its inner class "CnxnChannelHandler" and it is apparent that the existing Zookeeper code in 3.4.5 has no built-in ability to be "configured" to use SSL.
I'm guessing here... but one possible way to use SSL is to sub-class Zookeeper's NettyServerCnxnFactory and add the code necessary to use Netty's SSL capabilities. Then set the zookeeper property to point to your new connection factory.
Upvotes: 1
Reputation: 5537
Use digest (or even basic auth) over HTTPS. Let transport layer encryption handle your security concerns. Trying to roll your own application layer crypto is both hard and very likely to result in security holes.
UPDATE:
Regarding zookeeper and SSL. According to the zookeeper site:
New in 3.4: Netty is an NIO based client/server communication framework, it simplifies (over NIO being used directly) many of the complexities of network level communication for java applications. Additionally the Netty framework has built in support for encryption (SSL) and authentication (certificates). These are optional features and can be turned on or off individually.
The zookeeper documentation is a bit sparse on configuration; I suggest you look at the Netty documentation instead.
Upvotes: 2