×
Community Blog ZooKeeper Practice: Master the Authentication Mode of ZooKeeper

ZooKeeper Practice: Master the Authentication Mode of ZooKeeper

The article introduces best practices for securing ZooKeeper instances with SASL to prevent data theft, leakage, and tampering.

By Zikui

1. Is Your ZooKeeper Safe?

Against the backdrop of frequent network security incidents, the construction of security protection has become a top priority in daily development and O&M. ZooKeeper stores sensitive system instance information and configuration data, but traditional usage does not provide ZooKeeper with a mandatory authentication mechanism, so ZooKeeper's internal data may be exposed to cyberspace. If not handled with care, any entity with network access can read and even tamper with the data in ZooKeeper, posing significant security risks.

Use Case

A company that self-deploys ZooKeeper found that when using ZooKeeper, it neglected to set an appropriate Access Control List (ACL) and identity authentication capability for internally sensitive data. At the same time, it did not disable the "four-character commands" that have potential security risks. As a result, the ZooKeeper data was completely exposed to the network, and anyone who could access this network could connect and operate the data in Zookeeper. In this scenario, due to the significant security risks, the security team required rectification within a specified time.

1

2. Highly Complex and Risked to Transform and Upgrade Zookeeper Security Capabilities by Yourself

(1) Common ACL Modification: Cumbersome and Complex to Manage

ZooKeeper inherently provides the capabilities of identity authentication and fine-grained ACL. Even with the default configuration, it can support various authentication modes, including Digest, IP, and World. Developers can provide authentication information and set the corresponding ACL for specific Znodes when initializing the connection, which can effectively limit the client access permissions to Znodes. However, although this mechanism is powerful, it is relatively complicated to use in practice. Configuring ACL separately for each Znode means that as the number of Znodes increases, especially when the business logic is complex, the management work will become extremely heavy and error-prone.

(2) Manual Configuration with SASL: Risky and O&M-Complex

ZooKeeper also provides support for SASL (Simple Authentication and Security Layer) authentication mode which can implement an authentication mechanism based on username and password through simple server and client configurations. SASL is a protocol that supports identity authentication and secure data transmission. In Java, there has already been a set of interface implementations based on this protocol. With these interface implementations, ZooKeeper has achieved the SASL authentication function which allows developers to seamlessly integrate with the SASL authentication mechanism by dynamically reading and applying the configure file and enhance the security of ZooKeeper without modifying the existing code.

2

When using the SASL authentication mode, the client and server establish a secure connection through related configurations: only clients with valid authentication information are allowed to connect to the ZooKeeper server and perform data operations. This effectively enhances data security and avoids exposing data in ZooKeeper to the entire network.

However, the actual deployment of the SASL authentication mechanism requires manual server-side configuration work, and its configuration rules are quite complex, which can easily lead to errors during the setup process and cause node exceptions. In addition, the configuration of identity information for SASL authentication also requires continuous manual maintenance, which increases the difficulty and complexity of O&M.

3. MSE Standardized Process: Easily and Quickly Reinforce the Cluster's Security Capabilities

MSE integrates with SASL configuration management capabilities through a standardized process, shielding the complexity of underlying clusters and client configuration. This allows users to access SASL authentication capabilities simply by visualized configurations and client configurations.

3

MSE integrates with SASL management capabilities, making it convenient for users to quickly connect and enhancing the security capabilities of the cluster

To make it easier for users to utilize the SASL authentication, MSE simplifies the complex server configuration steps and abstracts them into simple visible operations. Users only need to perform a few steps on the MSE console to easily activate the server's SASL authentication feature. At the same time, the MSE console will automatically generate client configurations and guide users to simply set parameters, allowing applications to access SASL capabilities without delving into tedious technical details, thereby enhancing the security capabilities of ZooKeeper.

4
Configure SASL user information with one click on the MSE console to mask the complex configurations of ZooKeeper

5
Enable mandatory SASL identity verification and disable four-character commands for sensitive information with one click through parameter configurations

After enabling the mandatory SASL authentication on both the server and client sides, clients without user information configuration or those that have incorrect user information cannot connect to the ZooKeeper Server. At the same time, MSE provides user management and password rotation capabilities, allowing for quick rotation and user deactivation when necessary.

With the above configurations, the cluster will force SASL identity authentication for clients, and clients who can’t pass the authentication cannot initiate requests to the server. This effectively reduces the risk of internal data leakage in the Zookeeper instance and also lowers the risk and complexity of manual operations.

4. Compatible with Multiple Scenarios

(1) Dubbo

With Dubbo, you can configure SASL identity authentication capabilities in this way. In the usage scenario of Dubbo, it is necessary to ensure that the ZooKeeper dependency version is 3.4.x or above. The configuration process is the same as the general method of using the ZooKeeper client.

(2) SpringCloud

By default, all versions of the spring-cloud-starter-zookeeper-discovery dependency used by SpringCloud are supported. The configuration process is the same as the general method of using the ZooKeeper client.

(3) Kafka

SASL authentication is supported by Zookeeper clients of all Kafka versions. The configuration process is the same as the general method of using the ZooKeeper client.

(4) Big Data Ecology

Big data components that depend on ZooKeeper, such as Hadoop, HBase, and Hive are supported. (The version of ZooKeeper that these components depend on must be 3.4.x or above.)

(5) All scenarios Based on the ZooKeeper Java Client

Access to SASL is supported in other scenarios where ZooKeeper java SDK is used in the application. (The ZooKeeper dependency version is 3.4. X or above.)

5. Summary

As the core middleware of applications, ZooKeeper stores sensitive data in business processes and plays a critical role. Correct and standardized usage is essential to ensure data security. Otherwise, it may cause internal data leakage due to improper operation, which will pose serious security risks. Therefore, in the daily O&M and use of ZooKeeper, a standardized and secure operation is particularly critical to strengthen enterprise security protection and capacities. To achieve this goal, MSE provides a set of standardized processes to help users utilize ZooKeeper more safely and easily. This accelerates the improvement of enterprise security capabilities and minimizes the risks that may occur during the change process.

Previous Articles

0 1 0
Share on

You may also like

Comments

Related Products