
dubbo 2.7.x: with the ZooKeeper registry using password authentication, a consumer can still obtain provider addresses without a password

Open anic opened this issue 3 years ago • 0 comments

Environment

  • Dubbo version: 2.7.10+
  • Operating System version: all
  • Java version: 1.8
  • zookeeper version: 3.6.x

Steps to reproduce this issue

  1. Set an ACL on ZooKeeper:

     ```
     [zk: localhost:2181(CONNECTED) 0] addauth digest test:test
     [zk: localhost:2181(CONNECTED) 1] setAcl / auth:test:test:rwadc
     [zk: localhost:2181(CONNECTED) 2] getAcl /
     'digest,'test:V28q/NynI4JI3Rk54h0r8O5kMug=
     : cdrwa
     ```

  2. Configure the registry in Dubbo's provider.xml:

     ```xml
     <dubbo:registry
             address="zookeeper://localhost:2181"
             username="test"
             password="test"
     />
     ```

  3. Run the provider; ZooKeeper now has a /dubbo node and the service is registered under it.

  4. Inspect the ZooKeeper nodes: no ACL has been added to /dubbo, and the registered service nodes have no ACL either:

     ```
     [zk: localhost:2181(CONNECTED) 7] ls /
     [dubbo, zookeeper]
     [zk: localhost:2181(CONNECTED) 8] getAcl /dubbo
     'world,'anyone
     : cdrwa
     [zk: localhost:2181(CONNECTED) 9] getAcl /dubbo/org.apache.dubbo.samples.api.GreetingsService
     'world,'anyone
     : cdrwa
     ```

  5. Configure consumer.xml without a username or password:

     ```xml
     <dubbo:registry address="zookeeper://localhost:2181"/>
     ```

  6. Start the consumer: it obtains the provider information and the call succeeds.

This shows that the ZooKeeper password neither protects the registration data from being read by unauthorized consumers nor protects the microservice metadata from being modified. In scenarios where ZooKeeper cannot be restricted at the network level and only password protection is available, this is not secure enough.


According to my analysis, the cause is that CuratorZookeeperClient and Curator5ZookeeperClient do not set an aclProvider when they build the client through CuratorFramework:

```java
// CuratorZookeeperClient (excerpt): digest credentials are passed to the builder, but no aclProvider is set
Builder builder = CuratorFrameworkFactory.builder()
        .connectString(url.getBackupAddress())
        .retryPolicy(new RetryNTimes(1, 1000))
        .connectionTimeoutMs(timeout)
        .sessionTimeoutMs(sessionExpireMs);
String authority = url.getAuthority();
if (authority != null && authority.length() > 0) {
    builder = builder.authorization("digest", authority.getBytes());
}

this.client = builder.build();
this.client.getConnectionStateListenable().addListener(new CuratorZookeeperClient.CuratorConnectionStateListener(url));
this.client.start();
```

The following code should be added after builder.authorization(...):

```java
// Nodes created by this client get CREATOR_ALL_ACL: full access only for the authenticated (digest) creator
builder.aclProvider(new ACLProvider() {
    @Override
    public List<ACL> getDefaultAcl() {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
    }

    @Override
    public List<ACL> getAclForPath(String path) {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
    }
});
```

If no AclProvider is set, Curator's default AclProvider is used, which leads to the insecure situation above:

```java
// Curator's DefaultACLProvider: OPEN_ACL_UNSAFE is world:anyone with cdrwa, which matches the getAcl output above
public class DefaultACLProvider implements ACLProvider {
    public DefaultACLProvider() {
    }

    public List<ACL> getDefaultAcl() {
        return Ids.OPEN_ACL_UNSAFE;
    }

    public List<ACL> getAclForPath(String path) {
        return Ids.OPEN_ACL_UNSAFE;
    }
}
```

anic, Jul 23 '22 11:07
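To see the two behaviours side by side, the following is an added example (not Dubbo's or Curator's own code) that builds a Curator client the way CuratorZookeeperClient does, once with Curator's default ACLProvider and once with the CREATOR_ALL_ACL provider proposed above, and checks whether a client without credentials can read the node the authenticated provider registered. It assumes the curator-test artifact for the in-process TestingServer; the class, method and path names and the sample provider address are constructed for the demo.

```java
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.RetryNTimes;
import org.apache.curator.test.TestingServer;
import org.apache.zookeeper.KeeperException.NoAuthException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class RegistryAclDemo {
    // The provider proposed in the issue: every node is accessible only to the digest identity that created it.
    static final ACLProvider CREATOR_ONLY = new ACLProvider() {
        @Override public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
        @Override public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
    };

    // Mirrors the builder in CuratorZookeeperClient. authority is "user:password" or null (an unauthenticated
    // consumer); acl == null keeps Curator's DefaultACLProvider, i.e. OPEN_ACL_UNSAFE (world:anyone cdrwa).
    static CuratorFramework connect(String connectString, String authority, ACLProvider acl) throws Exception {
        CuratorFrameworkFactory.Builder b = CuratorFrameworkFactory.builder()
                .connectString(connectString).retryPolicy(new RetryNTimes(1, 1000));
        if (authority != null && !authority.isEmpty()) b = b.authorization("digest", authority.getBytes());
        if (acl != null) b = b.aclProvider(acl);
        CuratorFramework c = b.build();
        c.start(); c.blockUntilConnected();
        return c;
    }

    // Registers a node as the authenticated provider, prints its effective ACL, then reports whether a
    // client without credentials can read it (the check the issue runs with a credential-less consumer.xml).
    static boolean anonymousCanRead(String connectString, ACLProvider acl, String path) throws Exception {
        try (CuratorFramework registrant = connect(connectString, "test:test", acl);
             CuratorFramework anonymous = connect(connectString, null, null)) {
            registrant.create().creatingParentsIfNeeded().forPath(path, "dubbo://10.0.0.1:20880".getBytes());
            System.out.println(path + " ACL: " + registrant.getACL().forPath(path));
            try {
                anonymous.getData().forPath(path);
                return true;                       // readable by anyone: the situation the issue reports
            } catch (NoAuthException e) {
                return false;                      // ZooKeeper rejected the read with NoAuth
            }
        }
    }

    public static void main(String[] args) throws Exception {
        try (TestingServer zk = new TestingServer()) {   // in-process ZooKeeper from curator-test
            String cs = zk.getConnectString();
            System.out.println("default provider -> anonymous read: " + anonymousCanRead(cs, null, "/dubbo-open/svc"));
            System.out.println("CREATOR_ALL_ACL  -> anonymous read: " + anonymousCanRead(cs, CREATOR_ONLY, "/dubbo-secured/svc"));
        }
    }
}
```

With the default provider the first line reports true and the printed ACL is world:anyone; with CREATOR_ONLY the ACL is the digest identity of test and the anonymous read returns false.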