Author Archives: Michael Han

Apache ZooKeeper Four Letter Words and Security

Categories: ZooKeeper

The Security Problem

Four Letter Words (abbreviated 4lw) is a very popular feature of the Apache ZooKeeper project. In a nutshell, 4lw is a set of short commands that you can use to interact with a ZooKeeper ensemble through a shell interface. Because it is simple and easy to use, many ZooKeeper monitoring solutions are built on top of 4lw.

The simplicity of 4lw comes at a cost: the design did not originally consider security,

Read more

Apache ZooKeeper 3.5.3-beta Has Been Released

Categories: ZooKeeper

The Apache ZooKeeper team has announced that Apache ZooKeeper release 3.5.3-beta is now available! This release is the first beta release of the 3.5 series; it covers 77 issues, thirteen of which were considered blockers. Here are some highlights:

New Feature

  • ZOOKEEPER-2719 Enable creation of TTL nodes, which are znodes that are not tied to a session and are cleaned up automatically once they expire.

Security Fixes

  • ZOOKEEPER-2014 Only admin roles should be allowed to reconfigure a cluster
  • ZOOKEEPER-2693 Prevent DOS attack on wchp/wchc four letter words (4lw)

Critical Bug Fixes

  • ZOOKEEPER-2383 Solve startup race in ZooKeeperServer
  • ZOOKEEPER-2172 Cluster crashes when reconfig a new node as a participant
  • ZOOKEEPER-2737 NettyServerCnxFactory leaks connection if exception happens while writing to a channel
  • ZOOKEEPER-2247 Zookeeper service becomes unavailable when leader fails to write transaction log
  • ZOOKEEPER-2080 Fix deadlock in dynamic reconfiguration
  • ZOOKEEPER-2687 Deadlock while shutting down the Leader server

Stability,

Read more

Hardening Apache ZooKeeper Security: SASL Quorum Peer Mutual Authentication and Authorization

Categories: ZooKeeper

Background

Apache ZooKeeper is a core infrastructure component of the Apache Hadoop stack and is also widely used by many companies for service discovery, configuration management, and so on. Previously, ZooKeeper did not support authentication and authorization of the servers participating in leader election and quorum formation; ZooKeeper assumed that every server listed in the ZooKeeper configuration file (zoo.cfg) was authenticated. As a result, a server listed in zoo.cfg can join the ensemble even if it is compromised,

Read more