Securing zookeeper, where to start?
I feel lost trying to figure out what my options are. Apache's programmer's guide and administrator's guide do not detail anything substantial. My O'Reilly ZooKeeper book barely talks about security... did I miss something? I was hoping to find tutorials through Google about authenticating client connections, authorizing actions, and encrypting messages sent between ZooKeeper servers and clients.

Rattle answered 19/8, 2015 at 21:41 Comment(0)
I had a lot of trouble, but I figured it out, and the links at the bottom were a huge help to me.

This code (using Curator) was something hard to figure out:

// Curator: create a znode that only the identities this session authenticated as may access
List<ACL> myAclList = new ArrayList<ACL>();
myAclList.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
client.create().withACL(myAclList).forPath(myPath);

If I set up the ZooKeeper configuration correctly, then it will enforce that only the AUTH_IDS will be allowed to access my ZNode.

Official documentation, My mailing list Q1, My mailing list Q2, JIRA that I found useful, but some items are out of date

Rattle answered 28/8, 2015 at 14:24 Comment(1)
Did you get to enable authentication in zk? Could you please give me more details? Gasperoni
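The following is an added example, not code from the answer above or from the Curator project. It puts the AUTH_IDS ACL from the answer into a complete program: one Curator client authenticates with ZooKeeper's built-in "digest" scheme and creates a znode whose ACL grants ALL only to the authenticated identity; a second, unauthenticated client then tries to read it and is refused with NoAuthException. The connect string (localhost:2181), the znode path, the credentials and the sample data are all constructed for the example; it assumes the default DigestAuthenticationProvider, which ZooKeeper enables out of the box.

```java
// Added example: AUTH_IDS ACL enforcement with Curator (assumes ZooKeeper on localhost:2181,
// default digest auth provider). Not part of the original answer.
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class AuthIdsAclDemo {
    private static final String CONNECT = "localhost:2181"; // assumption: local test server
    private static final String PATH = "/secure-demo";       // hypothetical top-level znode

    // Build a client; when credentials are given, the session authenticates with the
    // "digest" scheme ("user:password"), which the server maps to an AUTH_IDS identity.
    static CuratorFramework newClient(String digestCredentials) {
        CuratorFrameworkFactory.Builder b = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3));
        if (digestCredentials != null) {
            b.authorization("digest", digestCredentials.getBytes(StandardCharsets.UTF_8));
        }
        return b.build();
    }

    public static void main(String[] args) throws Exception {
        try (CuratorFramework owner = newClient("alice:s3cret");   // constructed credentials
             CuratorFramework anon = newClient(null)) {
            owner.start();
            anon.start();
            owner.blockUntilConnected();
            anon.blockUntilConnected();

            // ACL: every identity the creating session authenticated as gets ALL;
            // there is no "world" entry, so unauthenticated sessions get nothing.
            List<ACL> acl = new ArrayList<>();
            acl.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));

            if (owner.checkExists().forPath(PATH) != null) {
                owner.delete().forPath(PATH);
            }
            owner.create().withACL(acl)
                 .forPath(PATH, "db.password=example-only".getBytes(StandardCharsets.UTF_8));

            // The authenticated owner reads the node back normally.
            byte[] data = owner.getData().forPath(PATH);
            System.out.println("owner read: " + new String(data, StandardCharsets.UTF_8));

            // A session with no auth is refused: this is the enforcement the ACL provides.
            try {
                anon.getData().forPath(PATH);
                System.out.println("UNEXPECTED: unauthenticated read succeeded");
            } catch (KeeperException.NoAuthException e) {
                System.out.println("unauthenticated read refused: " + e.getMessage());
            }
        }
    }
}
```

Two things worth checking when reproducing this: the ACL is attached per znode, so children created without withACL fall back to Curator's default ACL provider (OPEN_ACL_UNSAFE unless you configure one), and the "digest" credentials travel in the clear unless the connection itself is encrypted, which is what the TLS answer below this one addresses.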
Since zookeeper version 3.5.4-beta, you are able to enable using client certificates to secure communication to a remote zookeeper server:

Client

ZooKeeper client can use Netty by setting Java system property:

zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"

In order to do secure communication on client, set this Java system property:

zookeeper.client.secure=true

Note that with the "secure" property set, the client could and should only connect to the server's "secureClientPort", which will be described shortly.

Then set up keystore and truststore environment by setting the following Java system properties:

zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"

Server

ZooKeeper server can use Netty by setting this Java system property:

zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

ZooKeeper server also needs to provide a listening port to accept secure client connections. This port is different from and running in parallel with the known “clientPort”. It should be added in “zoo.cfg”:

secureClientPort=2281

All secure clients (mentioned above) should connect to this port.

Then set up the keystore and truststore environment in the same way as on the client.

More info here: https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

Herzegovina answered 5/10, 2018 at 12:37 Comment(1)
Is it working on Windows server? I did as you described and I'm getting error: 2019-12-26 13:57:16,381 [myid:] - ERROR [main:ZooKeeperServerMain@66] - Invalid arguments, exiting abnormally java.lang.NumberFormatException: For input string: "E:\apache-zookeeper-3.5.6-bin\bin\..\conf\zoo.cfg" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) at java.lang.Integer.parseInt(Integer.java:580) Excursive
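The following is an added example, not code from the answer above or from the ZooKeeper project. It opens a TLS-protected session with the plain ZooKeeper client using exactly the client-side properties the answer lists, but supplies them through a ZKClientConfig object rather than -D flags, so the keystore passwords do not appear on the JVM command line (where any local user can read them from the process list). The hostname zk.example.internal, the keystore and truststore paths, and the ZK_KEYSTORE_PW / ZK_TRUSTSTORE_PW environment variable names are placeholders; it assumes a server running NettyServerCnxnFactory with secureClientPort=2281 as described above.

```java
// Added example: TLS client session via ZKClientConfig (ZooKeeper 3.5.x API).
// Host, file paths and environment variable names are placeholders; not part of the answer.
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

public class SecureClientDemo {
    // Same property names as the answer, scoped to this client instead of the whole JVM.
    static ZKClientConfig tlsConfig(String keyStore, String keyStorePw,
                                    String trustStore, String trustStorePw) {
        ZKClientConfig cfg = new ZKClientConfig();
        // Netty is required for TLS; the default NIO socket does not honour the secure flag.
        cfg.setProperty("zookeeper.clientCnxnSocket", "org.apache.zookeeper.ClientCnxnSocketNetty");
        cfg.setProperty("zookeeper.client.secure", "true");
        cfg.setProperty("zookeeper.ssl.keyStore.location", keyStore);     // client cert + key
        cfg.setProperty("zookeeper.ssl.keyStore.password", keyStorePw);
        cfg.setProperty("zookeeper.ssl.trustStore.location", trustStore); // CA that signed the server cert
        cfg.setProperty("zookeeper.ssl.trustStore.password", trustStorePw);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        ZKClientConfig cfg = tlsConfig(
                "/etc/zookeeper/client.jks", System.getenv("ZK_KEYSTORE_PW"),        // placeholders
                "/etc/zookeeper/truststore.jks", System.getenv("ZK_TRUSTSTORE_PW")); // placeholders

        // Wait for the session to reach SyncConnected; a TLS handshake failure never gets there.
        CountDownLatch connected = new CountDownLatch(1);
        Watcher w = event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        };

        // Connect to secureClientPort (2281 in the answer), never to the plaintext clientPort.
        ZooKeeper zk = new ZooKeeper("zk.example.internal:2281", 30_000, w, cfg); // hypothetical host
        try {
            if (!connected.await(15, TimeUnit.SECONDS)) {
                throw new IllegalStateException(
                        "no TLS session established: check truststore contents and the server certificate");
            }
            List<String> children = zk.getChildren("/", false);
            System.out.println("connected over TLS; root children: " + children);
        } finally {
            zk.close();
        }
    }
}
```

If the handshake fails, the client log (not this program) carries the SSL exception; the most common causes are a truststore that does not contain the CA for the server certificate, or connecting to the plaintext clientPort while zookeeper.client.secure is set.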
