zookeeper-user mailing list archives

From Flavio Junqueira <...@yahoo-inc.com>
Subject Re: Authentication mechanism
Date Thu, 22 Nov 2012 21:23:02 GMT
Hi Jaewoong,

I'm not sure if you have had a chance to look at the documentation:

	http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

My understanding is that a client authenticates when it connects.

-Flavio

On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:

> Hi,
> 
> I got a question regarding ZooKeeper's authentication mechanism.  Let me describe a scenario first.
> 
> 1. ZooKeeper server started up with a customized AuthenticationProvider (e.g. XyzAuthenticationProvider, whose authentication scheme is "xyz") enabled with the -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
> 2. But all znodes (including "/" and "/zookeeper") haven't been assigned any ACL of either this "xyz" scheme or "auth" scheme, s.t. they are open to the world by default.
> 3. At this stage, any ZooKeeper client without any authInfo (one that hasn't invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do anything!!  e.g. It can create znodes under "/", etc.
> 
> This is what I verified with my test using zookeeper_server-3.4.3 and zookeeper-3.4.3 client library.
> 
> Here come some questions.
> 
> 1. Is the above scenario true?
> 2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?
> 
> Regards,
> Jaewoong
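
Added example, not part of the original thread and not ZooKeeper source: a simplified Python model of the server's per-znode ACL check for the scenario in the quoted message, plus an audit helper that lists world-open znodes. The `xyz` matcher, the identity `alice`, the `/app` path and the `tree` snapshot are constructed for illustration; the `super` scheme and the `skipACL` setting are left out of the model.

```python
from typing import NamedTuple

# Permission bits as defined in ZooKeeper's ZooDefs.Perms.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

class Id(NamedTuple):
    scheme: str
    id: str

class ACL(NamedTuple):
    perms: int
    id: Id

ANYONE = Id("world", "anyone")
OPEN_ACL_UNSAFE = [ACL(ALL, ANYONE)]  # what the znodes in the scenario carry

def check_acl(acl, perm, session_ids, providers):
    """True if a session holding `session_ids` may perform `perm` on a znode.

    session_ids: identities the client attached to its session.
    providers:   scheme -> matcher(presented_id, acl_id) for enabled providers.
    """
    if not acl:
        return True  # an empty ACL list is not enforced
    for entry in acl:
        if not entry.perms & perm:
            continue
        if entry.id == ANYONE:
            return True  # granted before any credential or provider is consulted
        matches = providers.get(entry.id.scheme)
        if matches and any(s.scheme == entry.id.scheme and matches(s.id, entry.id.id)
                           for s in session_ids):
            return True
    return False

def world_open(tree):
    """Audit helper: paths whose ACL grants some permission to world:anyone."""
    return sorted(path for path, acl in tree.items()
                  if any(e.id == ANYONE and e.perms for e in acl))

# Constructed sample: the provider is enabled, but only /app uses its scheme.
providers = {"xyz": lambda presented, required: presented == required}
tree = {
    "/": OPEN_ACL_UNSAFE,
    "/zookeeper": OPEN_ACL_UNSAFE,
    "/app": [ACL(ALL, Id("xyz", "alice"))],
}
```

In this model, enabling a provider changes nothing for znodes that still carry `world:anyone`; access is restricted only where an ACL naming the provider's scheme has been set.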

