These are chat archives for allegro/hermes

1st
Feb 2017
Stevo Slavić
@sslavic
Feb 01 2017 13:49
hi there
Hermes uses Curator a lot as ZK client, and different recipes
one nice feature I didn't know was there already, was support for authentication, using digest scheme
Stevo Slavić
@sslavic
Feb 01 2017 13:54
would be nice if setting ACLs on Hermes ZK nodes was also supported, especially since it's possible to manage/store secrets with Hermes in ZK, like basic auth credentials
Kafka allows everyone, even unauthenticated clients, to read, while owner/creator of ZK node (Kafka server) is the only one allowed to create/read/delete/update Kafka ZK nodes
Adam Dubiel
@adamdubiel
Feb 01 2017 13:59
okay, so what you actually want is restricting access to certain nodes
Stevo Slavić
@sslavic
Feb 01 2017 14:00
would be easiest to restrict access to all /hermes tree nodes
and unlike Kafka's approach, have just one ACL, about creator having all permissions
so without allowing "world" even to read
Adam Dubiel
@adamdubiel
Feb 01 2017 14:01
yes, but in our case - we added this digest because we got username/passwd and ACL'd root node (/hermes) from ZK admin
Stevo Slavić
@sslavic
Feb 01 2017 14:01
that's simplest approach, but surely could be improved on the idea, as long as subscription details are not accessible by world
Adam Dubiel
@adamdubiel
Feb 01 2017 14:02
but you don't want to set this ACL manually on node and would rather have hermes-management create proper acls when creating it for the first time?
Stevo Slavić
@sslavic
Feb 01 2017 14:02
yes
ZK node ACLs are not inheritable, so every node has its own completely independent ACL
would be nice to have a script/tool, just like Kafka has, to set/unset/list ACLs
migration process with Kafka ZK ACLs is in 4 steps - configure ZK server with credentials, configure ZK clients with credentials, configure Kafka/Hermes to start setting ACLs on new/updated nodes, and then run script to set ACLs on existing ZK tree
Adam Dubiel
@adamdubiel
Feb 01 2017 14:06
yes, you are right, we would need to start setting ACLs everywhere to be serious about it
we didn't care about it too much so far
but maybe this is the right time, given oauth/basic auth details on subscriptions
Stevo Slavić
@sslavic
Feb 01 2017 14:07
all clear
so if you agree I can create feature request on github
Adam Dubiel
@adamdubiel
Feb 01 2017 14:09
allegro/hermes#702
just did - comment on it if it is not clear
Stevo Slavić
@sslavic
Feb 01 2017 14:10
ah, great, thanks
we had an initial take on this, introduced extra config property consistent with Kafka and existing Hermes ZooKeeper config properties to allow control over whether ACLs should be set or not, and adjusting CuratorClientFactory to build CuratorFramework instances with custom ACL provider was easy
hit a wall with authentication, and before asking on Curator mailing list, thought maybe you guys might know already
seems Hermes assumes and supports digest scheme only
while I'm trying to use sasl scheme instead
Stevo Slavić
@sslavic
Feb 01 2017 14:15

just configuring:
-Dzookeeper.authorization.enabled=true
-Dzookeeper.authorization.scheme=sasl
-Dzookeeper.authorization.user=foo
-Dzookeeper.authorization.password=bar

doesn't seem to be enough or appropriate

ZooKeeperServer just rejects such connections
with Authentication failed for scheme: sasl
Stevo Slavić
@sslavic
Feb 01 2017 14:20
since SASLAuthenticationProvider returns error code, because of wrong configuration authentication happens at the wrong moment
http://svn.apache.org/viewvc/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java?view=markup#l30
so I'm not sure if it's a Curator bug, or authentication, in case of sasl scheme, should be configured somewhere else, so not on CuratorFrameworkFactory.Builder level https://github.com/allegro/hermes/blob/master/hermes-common/src/main/java/pl/allegro/tech/hermes/common/di/factories/CuratorClientFactory.java#L58
thinking that maybe in case of sasl scheme, authorization should not be configured to Curator at all, other than providing jaas config file and pointing JVM to use it via java.security.auth.login.config Java system property
Adam Dubiel
@adamdubiel
Feb 01 2017 14:25
i never used sasl in ZK, so don't know what is going on
Stevo Slavić
@sslavic
Feb 01 2017 14:25
ok, clear, thanks
digest works, but creates suboptimal ACLs for creator - ACL is pair of authorization ID and permissions, with digest scheme not only user but user:password digest is used as id, and then I'm worried that once password needs to be changed, same user will no longer be able to access same nodes it created
Adam Dubiel
@adamdubiel
Feb 01 2017 14:31
yes, i understand the concern, not my favourite way of securing stuff either
Stevo Slavić
@sslavic
Feb 01 2017 14:32
will explore, and if there are changes needed to support sasl along with digest scheme in Hermes, will get back to you
Adam Dubiel
@adamdubiel
Feb 01 2017 14:33
okay, we will tackle the root problem in the meantime
Stevo Slavić
@sslavic
Feb 01 2017 14:34
thank you very much