-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jan,

On 9/16/18 16:22, Jan Høydahl wrote:
> We plan to enable (digest) authentication and ACL with Zookeeper to
> improve security.

Can you be more explicit? There is HTTP DIGEST auth and then there are
"digested" (hashed) passwords for the user-database. The former is
secure on the wire and the other one is wire-agnostic.

> However, we have not been able to answer the question of how secure
> such a setup will be, given that ZK 3.4.x TCP communication is
> unencrypted.
> 
> So, does anyone know if ZK sends the password in cleartext over the
> network, so that anyone who can sniff the network can also pick up
> the password, and connect and read/write nodes in ZK?
> 
> We'll of course add all the firewall and IP filtering we can. Do
> you have any other tricks you use to increase ZK security?

I'm not using ZK (yet) so this may be supremely ignorant since I don't
know what protocol it uses to communicate: I would recommend using
mutual-TLS authentication everywhere. I have just deployed such a
system (single-node, no cluster/ZK) and all of the communication for
both admin and querying is over client-authenticated TLS.

Even if an attacker gets onto the box where Solr is running, they
cannot attack it without also breaking filesystem privileges or
exploiting the users who have access to the Solr client key stores.

(I just did a little Googling and it looks like only ZK 3.5+ has TLS
available. At any rate, that should be your target for the future if
you really want a secure environment.)

-chris
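The distinction Chris draws between a hashed user database and protection on the wire is easy to see with ZooKeeper's own `digest` scheme, so here is an added example (not code from the thread, Solr or ZooKeeper). It re-implements the identity string that ZooKeeper's DigestAuthenticationProvider stores in an ACL, `user:base64(sha1(user:password))`, and contrasts it with what the client's `addauth` call actually hands to the server, the raw `user:password` bytes that the server needs in order to recompute the digest. The credential values are constructed; the correspondence to ZooKeeper 3.4's provider is an assumption stated in the comments.

```python
import base64
import hashlib

# Constructed sample credential; not taken from the thread.
SAMPLE_USER = "solr"
SAMPLE_PASSWORD = "example-only-pw"


def zk_digest_id(user: str, password: str) -> str:
    """ACL identity as ZooKeeper's 'digest' scheme stores it.

    Assumption: mirrors DigestAuthenticationProvider.generateDigest in
    ZooKeeper 3.4, i.e. user:base64(SHA-1(user:password)). Only this hashed
    form is persisted in znode ACLs, which is what makes the *stored*
    credential "digested".
    """
    raw = f"{user}:{password}".encode("utf-8")
    digest = hashlib.sha1(raw).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def zk_auth_payload(user: str, password: str) -> bytes:
    """Bytes the client supplies with addauth('digest', 'user:password').

    The server has to recompute the SHA-1 from the real password, so the
    payload carries the plaintext credential. Whether anyone else can read
    it therefore depends entirely on the transport (TLS in 3.5+, or a
    trusted network segment), not on the hashing done for the ACL.
    """
    return f"{user}:{password}".encode("utf-8")


def server_accepts(auth_payload: bytes, stored_acl_id: str) -> bool:
    """Server-side check: rebuild the digest from the payload and compare."""
    try:
        user, password = auth_payload.decode("utf-8").split(":", 1)
    except ValueError:
        return False  # malformed payload, no separator
    return zk_digest_id(user, password) == stored_acl_id


def payload_exposes_password(auth_payload: bytes, password: str) -> bool:
    """Defender's sanity check: does the on-the-wire payload contain the
    plaintext password? For the digest scheme without TLS it does."""
    return password.encode("utf-8") in auth_payload


if __name__ == "__main__":
    acl_id = zk_digest_id(SAMPLE_USER, SAMPLE_PASSWORD)
    payload = zk_auth_payload(SAMPLE_USER, SAMPLE_PASSWORD)
    print("ACL stores      :", acl_id)
    print("client sends    :", payload)
    print("server accepts  :", server_accepts(payload, acl_id))
    print("plaintext on wire:", payload_exposes_password(payload, SAMPLE_PASSWORD))
```

The practical reading for the question in the thread: hashing in the ACL protects the stored secret at rest, but authentication still needs the plaintext on the wire, so the transport (or a TLS-capable ZooKeeper release) is what closes the sniffing concern.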