From: nkalmar
To: dev@zookeeper.apache.org
Subject: [GitHub] zookeeper pull request #:
Date: Thu, 2 Aug 2018 10:19:43 +0000 (UTC)

Github user nkalmar commented on the pull request:

https://github.com/apache/zookeeper/commit/a2623a625a4778720f7d5482d0a66e9b37ae556f#commitcomment-29934308

Both JMX and Jetty can be secured. The problem here, as far as I understand, is that the 4ltw command uses the client port. You can secure the JMX port, introduce authentication, SSL etc. But you cannot secure the client port like that. So leaving the port open, and the ability to call functions without any authentication or authorization via telnet, is not the best practice. By the way, the JMX port should only be open on the local machine, as it is the default setting on ZooKeeper.
But if you want to open it, it should be secured with firewall/gateway settings, IP restrictions, SASL or whatever. Jetty can also be configured for SSL.
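The two exposures contrasted in the comment above, as a small configuration audit. This is an added example, not part of the original comment or of ZooKeeper's code: it assumes the `4lw.commands.whitelist` and `clientPort` keys in `zoo.cfg` and the standard JVM `com.sun.management.jmxremote.*` system properties; the function names and sample values are constructed for illustration.

```python
import re

def parse_properties(text):
    """Parse key=value lines from a zoo.cfg-style file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(zoo_cfg, jvm_flags):
    """Return findings for unauthenticated 4lw commands and weakly secured remote JMX."""
    findings, props = [], parse_properties(zoo_cfg)
    sysprops = dict(re.findall(r"-D([\w.]+)=(\S+)", jvm_flags))

    # Four-letter commands are answered on the client port with no authentication,
    # so every whitelisted command is available to anyone who can reach that port.
    port = props.get("clientPort", "?")
    whitelist = props.get("4lw.commands.whitelist")
    if whitelist is None:
        findings.append("4LW: whitelist not set explicitly; version default applies")
    else:
        cmds = [c.strip() for c in whitelist.split(",") if c.strip()]
        if "*" in cmds:
            findings.append(f"4LW: all commands enabled on client port {port}")
        elif cmds:
            findings.append(f"4LW: {', '.join(cmds)} reachable unauthenticated on client port {port}")

    # Unlike the client port, a remote JMX port can require authentication and SSL.
    prefix = "com.sun.management.jmxremote."
    if prefix + "port" in sysprops:
        for opt in ("authenticate", "ssl"):
            if sysprops.get(prefix + opt, "true").lower() == "false":
                findings.append(f"JMX: remote port {sysprops[prefix + 'port']} with {opt}=false")
    return findings

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_CFG = "# constructed sample\nclientPort=2181\n4lw.commands.whitelist=*\n"
SAMPLE_JVM = ("-Dcom.sun.management.jmxremote.port=9010 "
              "-Dcom.sun.management.jmxremote.authenticate=false "
              "-Dcom.sun.management.jmxremote.ssl=true")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG, SAMPLE_JVM)))
```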