How to secure zookeeper?

Novin Novin
Hi Guys,

I'm a newbie to zookeeper. I have set up a zookeeper ensemble for SolrCloud and
am using acls.

But I'm worried here about the security of the 4 character commands. I am able to
run 4 character commands from outside of the ensemble and am also able to connect
to zookeeper. I really don't want to turn off these commands because they
are really handy for administration.

Is there any way to protect those 4 character commands for zookeeper other
than a firewall?

Any help would be appreciated.

Cheers,
Navin

Re: How to secure zookeeper?

Novin Novin
One more thing I'd like to add: I'm using zookeeper version 3.4.8
On Wed, 31 May 2017 at 09:32 Novin Novin <[hidden email]> wrote:

> Hi Guys,
>
> I'm newbie to zookeeper. I have setup zookeeper ensemble for SolrCloud and
> using acls.
>
> But I'm worry about here for security of 4 character commands. I am able
> to run 4 character from outside of ensemble and also able to connect with
> zookeeper.   I really don't want to turn off these commands because these
> are really handy for administration.
>
> Is there any way to protect those 4 character commands for zookeeper other
> than firewall?
>
> Any help would be appreciated.
>
> Cheers,
> Navin
>
>

Re: How to secure zookeeper?

Flavio Junqueira-3
This is not exactly what you are after, but in 3.4.10 you can whitelist specific commands, see the documentation here:

    https://zookeeper.apache.org/doc/r3.4.10/zookeeperAdmin.html

and search for:
    4lw.commands.whitelist
Otherwise, I don't know how else you'd be able to protect access to 4lw other than use a firewall.

-Flavio

> On 31 May 2017, at 10:34, Novin Novin <[hidden email]> wrote:
>
> One more thing I like to add I'm using zookeeper version 3.4.8
> On Wed, 31 May 2017 at 09:32 Novin Novin <[hidden email]> wrote:
>
>> Hi Guys,
>>
>> I'm newbie to zookeeper. I have setup zookeeper ensemble for SolrCloud and
>> using acls.
>>
>> But I'm worry about here for security of 4 character commands. I am able
>> to run 4 character from outside of ensemble and also able to connect with
>> zookeeper.   I really don't want to turn off these commands because these
>> are really handy for administration.
>>
>> Is there any way to protect those 4 character commands for zookeeper other
>> than firewall?
>>
>> Any help would be appreciated.
>>
>> Cheers,
>> Navin
>>
>>
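
The `4lw.commands.whitelist` setting mentioned in the reply above limits which four-letter commands a server answers, not who may send them. As an added example (not part of the original thread and not ZooKeeper's own code), this sketch computes the effective command set of a `zoo.cfg` and compares it with what operators need, assuming the semantics in the linked 3.4.10 admin guide; the command list, sample configs and function names are assumptions made for illustration.

```python
# Added example: audit which four-letter-word (4lw) commands a zoo.cfg enables.
# Assumption: whitelist semantics as described in the ZooKeeper 3.4.10 admin guide.

# Assumption: commands named in the 3.4 admin guide; not an exhaustive server list.
KNOWN_4LW = {"conf", "cons", "crst", "dump", "envi", "ruok", "srst", "srvr",
             "stat", "wchs", "wchc", "wchp", "mntr", "isro"}
# Per the 3.4.10 guide, these two stay off when no whitelist is configured.
DEFAULT_DISABLED = {"wchc", "wchp"}
KEY = "4lw.commands.whitelist"


def parse_properties(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def effective_4lw(cfg_text):
    """Return the set of known 4lw commands the server would accept."""
    props = parse_properties(cfg_text)
    if KEY not in props:
        return KNOWN_4LW - DEFAULT_DISABLED
    listed = {c.strip() for c in props[KEY].split(",") if c.strip()}
    if "*" in listed:  # asterisk enables every command
        return set(KNOWN_4LW)
    return listed & KNOWN_4LW


def audit(cfg_text, wanted):
    """Compare the effective set with the commands the operators actually use."""
    enabled = effective_4lw(cfg_text)
    return {"unneeded": sorted(enabled - wanted),
            "missing": sorted(wanted - enabled)}


# Constructed sample configs (not from the thread).
NO_WHITELIST = "clientPort=2181\ndataDir=/var/lib/zookeeper\n"
WITH_WHITELIST = NO_WHITELIST + "4lw.commands.whitelist=stat, ruok, conf, isro\n"

if __name__ == "__main__":
    wanted = {"ruok", "stat", "mntr"}  # hypothetical monitoring needs
    print(audit(NO_WHITELIST, wanted))
    print(audit(WITH_WHITELIST, wanted))
```

Anything reported under `unneeded` can be dropped from the whitelist; restricting which hosts can reach the client port remains a network-level control.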


Re: How to secure zookeeper?

Novin Novin
thanks Flavio

On Sat, 3 Jun 2017 at 16:11 Flavio Junqueira <[hidden email]> wrote:

> This is not exactly what you are after, but in 3.4.10 you can whitelist
> specific commands, see the documentation here:
>
>     https://zookeeper.apache.org/doc/r3.4.10/zookeeperAdmin.html
>
> and search for:
>     4lw.commands.whitelist
> Otherwise, I don't know how else you'd be able to protect access to 4lw
> other than use a firewall.
>
> -Flavio
>
> > On 31 May 2017, at 10:34, Novin Novin <[hidden email]> wrote:
> >
> > One more thing I like to add I'm using zookeeper version 3.4.8
> > On Wed, 31 May 2017 at 09:32 Novin Novin <[hidden email]> wrote:
> >
> >> Hi Guys,
> >>
> >> I'm newbie to zookeeper. I have setup zookeeper ensemble for SolrCloud and
> >> using acls.
> >>
> >> But I'm worry about here for security of 4 character commands. I am able
> >> to run 4 character from outside of ensemble and also able to connect with
> >> zookeeper.   I really don't want to turn off these commands because these
> >> are really handy for administration.
> >>
> >> Is there any way to protect those 4 character commands for zookeeper other
> >> than firewall?
> >>
> >> Any help would be appreciated.
> >>
> >> Cheers,
> >> Navin
> >>
> >>
>
>

Re: How to secure zookeeper?

hanm
We just published a blog about 4lw and security today which provides more
context about history and possible solutions, hope this also helps.

https://blog.cloudera.com/blog/2017/06/apache-zookeeper-four-letter-words-and-security/

On Sat, Jun 3, 2017 at 9:43 AM, Novin Novin <[hidden email]> wrote:

> thanks Flavio
>
> On Sat, 3 Jun 2017 at 16:11 Flavio Junqueira <[hidden email]> wrote:
>
> > This is not exactly what you are after, but in 3.4.10 you can whitelist
> > specific commands, see the documentation here:
> >
> >     https://zookeeper.apache.org/doc/r3.4.10/zookeeperAdmin.html
> >
> > and search for:
> >     4lw.commands.whitelist
> > Otherwise, I don't know how else you'd be able to protect access to 4lw
> > other than use a firewall.
> >
> > -Flavio
> >
> > > On 31 May 2017, at 10:34, Novin Novin <[hidden email]> wrote:
> > >
> > > One more thing I like to add I'm using zookeeper version 3.4.8
> > > On Wed, 31 May 2017 at 09:32 Novin Novin <[hidden email]> wrote:
> > >
> > >> Hi Guys,
> > >>
> > >> I'm newbie to zookeeper. I have setup zookeeper ensemble for SolrCloud and
> > >> using acls.
> > >>
> > >> But I'm worry about here for security of 4 character commands. I am able
> > >> to run 4 character from outside of ensemble and also able to connect with
> > >> zookeeper.   I really don't want to turn off these commands because these
> > >> are really handy for administration.
> > >>
> > >> Is there any way to protect those 4 character commands for zookeeper other
> > >> than firewall?
> > >>
> > >> Any help would be appreciated.
> > >>
> > >> Cheers,
> > >> Navin
> > >>
> > >>
> >
> >
>



--
Cheers
Michael.