Question about digest scheme based ACL in ZooKeeper

My understanding of how digest scheme based ACL works in ZooKeeper is as follows:

1. When creating a digest based ACL, one would add to the ACL "username:Base64(SHA1(username:password)):permissions".

2. When accessing a zNode, a client needs to send username:password in clear text.

Here are a few questions:

a) Is the above understanding correct? My testing says yes, but I still want to confirm with the community.

b) The description of digest based ACL in ZooKeeper Programmer's Guide [1] seems to indicate both MD5 and SHA1 are used, which is a bit confusing and probably incorrect. Should this description be updated?

c) The document [1] and the code [2] are inconsistent in terms of how a digest is generated. The document (and comments in the code) say that a digest is in the form of base64(SHA1(password)), while the code generates it as base64(SHA1(username:password)). The code indeed splits the username:password, but it still uses the whole string to generate the digest. Is it intended to use SHA1(username:password), or is this a bug?

d) A good side effect of SHA1(username:password) is that "username:" serves as a salt to the hash, resulting in different hashes for the same password used by different users. However, a salt is usually randomly generated and different from a username. Should we consider adding a random salt when hashing a password?

e) Since ZooKeeper does not currently support SSL/TLS (unless I am missing something), is there any concern about sending the username and password in clear text? Should an alternative with better security be considered?

Thanks,
Tao

[1] http://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

"digest uses a username:password string to generate MD5 hash which is then used as an ACL ID identity. Authentication is done by sending the username:password in clear text. When used in the ACL the expression will be the username:base64 encoded SHA1 password digest."

[2] generateDigest(String idPassword) in DigestAuthenticationProvider.java

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// base64Encode(byte[]) is a private helper elsewhere in the same class.
static public String generateDigest(String idPassword)
        throws NoSuchAlgorithmException {
    String parts[] = idPassword.split(":", 2);   // split off the username only
    byte digest[] = MessageDigest.getInstance("SHA1").digest(
            idPassword.getBytes());               // hashes the whole "username:password"
    return parts[0] + ":" + base64Encode(digest);
}
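As an added illustration (not ZooKeeper's own code), the following Python mirrors generateDigest above and contrasts it with the form the document describes, so points c) and d) can be checked directly; the user names and passwords are constructed samples, and UTF-8 is assumed for the string bytes.

```python
import base64
import hashlib
import hmac


def generate_digest(id_password: str) -> str:
    """Mirror of ZooKeeper's generateDigest: SHA1 covers the whole
    "username:password" string; result is "username:Base64(SHA1(...))"."""
    username, _sep, _password = id_password.partition(":")
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{username}:{base64.b64encode(digest).decode('ascii')}"


def documented_digest(id_password: str) -> str:
    """Variant as the Programmer's Guide text reads: SHA1 over the password alone."""
    username, _sep, password = id_password.partition(":")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{base64.b64encode(digest).decode('ascii')}"


def acl_id_matches(acl_id: str, presented_id_password: str) -> bool:
    """Server-side check of a clear-text "username:password" credential against
    a stored digest ACL id: recompute the digest and compare in constant time."""
    expected = generate_digest(presented_id_password)
    return hmac.compare_digest(expected.encode("utf-8"), acl_id.encode("utf-8"))


def hash_part(acl_id: str) -> str:
    """Return only the Base64 hash portion of an ACL id ("user:HASH" -> "HASH")."""
    return acl_id.split(":", 1)[1]


if __name__ == "__main__":
    # Constructed sample credentials (not real accounts).
    alice = generate_digest("alice:s3cret")
    bob = generate_digest("bob:s3cret")
    print("ACL id for alice:", alice)
    # Same password, different users: hashes differ because "username:" acts as a salt.
    print("alice/bob hashes differ:", hash_part(alice) != hash_part(bob))
    # No random salt: the same credential always yields the same ACL id.
    print("deterministic:", alice == generate_digest("alice:s3cret"))
    # The documented form (SHA1 of the password alone) would collide across users.
    print("documented form collides:",
          hash_part(documented_digest("alice:s3cret"))
          == hash_part(documented_digest("bob:s3cret")))
    print("auth ok / bad password:",
          acl_id_matches(alice, "alice:s3cret"), acl_id_matches(alice, "alice:wrong"))
```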
