zookeeper-user mailing list archives

From Jaewoong Choi ...@yahoo-inc.com>
Subject Authentication mechanism
Date Wed, 21 Nov 2012 19:46:05 GMT
Hi,

I have a question regarding ZooKeeper's authentication mechanism. Let me describe a scenario first.

1. A ZooKeeper server is started up with a customized AuthenticationProvider (e.g. XyzAuthenticationProvider, whose authentication scheme is "xyz") enabled with the -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
2. But all znodes (including "/" and "/zookeeper") haven't been assigned any ACL of either this "xyz" scheme or the "auth" scheme, so they are open to the world by default.
3. At this stage, any ZooKeeper client without any authInfo (one that hasn't invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do anything!! E.g. it can create znodes under "/", etc.

This is what I verified with my test using zookeeper_server-3.4.3 and the zookeeper-3.4.3 client library.

Here come some questions.

1. Is the above scenario true?
2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?

Regards,
Jaewoong
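
The scenario in the message above, as an added example that is not part of the original post and is not ZooKeeper's code: a simplified Python model of a per-znode ACL check, showing that a world:anyone entry admits a session with no authInfo whichever authentication providers are loaded, plus an audit helper that lists such znodes. The tree contents, the "svc-a" id and the exact-match rule for the "xyz" scheme are assumptions.

```python
# Added illustration: simplified model of a per-znode ACL check (not ZooKeeper source).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16  # ZooKeeper permission bits
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def permitted(acl, auth_info, perm):
    """acl: list of (scheme, id, perms); auth_info: (scheme, id) pairs on the session."""
    for scheme, ident, perms in acl:
        if not perms & perm:
            continue  # this entry does not grant the requested permission
        if (scheme, ident) == ("world", "anyone"):
            return True  # matches every session, authenticated or not
        # Assumption: the hypothetical "xyz" provider matches on exact id equality.
        if (scheme, ident) in auth_info:
            return True
    return False


def world_open(tree):
    """Return the paths whose ACL grants any permission to world:anyone."""
    return sorted(
        path for path, acl in tree.items()
        if any((s, i) == ("world", "anyone") and p for s, i, p in acl)
    )


# Constructed sample data: the state described in step 2 of the message ...
OPEN_TREE = {
    "/": [("world", "anyone", ALL)],
    "/zookeeper": [("world", "anyone", ALL)],
}
# ... and the same tree after ACLs of the custom scheme have been set.
LOCKED_TREE = {
    "/": [("xyz", "svc-a", ALL)],
    "/zookeeper": [("xyz", "svc-a", ALL), ("world", "anyone", READ)],
}

if __name__ == "__main__":
    no_auth = []                     # client that never supplied authInfo
    xyz_auth = [("xyz", "svc-a")]    # client authenticated under the custom scheme
    for name, tree in (("open", OPEN_TREE), ("locked", LOCKED_TREE)):
        print(name, "create under / without auth:", permitted(tree["/"], no_auth, CREATE))
        print(name, "create under / with xyz auth:", permitted(tree["/"], xyz_auth, CREATE))
        print(name, "world-open znodes:", world_open(tree))
```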