zookeeper-user mailing list archives

From Olivier Mallassi <olivier.malla...@gmail.com>
Subject Re: Zookeeper, security and zkCli
Date Wed, 28 May 2014 18:21:44 GMT
Yep, that's what I saw
I think that will do the job

Thx

On Wednesday, May 28, 2014, Michi Mutsuzaki <michi@cs.stanford.edu> wrote:

> Hi Olivier,
>
> There is an "ip" authentication scheme.
>
>
> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes
>
> On Wed, May 28, 2014 at 12:21 AM, Olivier Mallassi
> <olivier.mallassi@gmail.com> wrote:
> > hi all
> >
> > I am facing a "security issue" with Zookeeper (not from the impl but from
> > the "design" standpoint)
> >
> > we will use ZK as a service discovery registry (pure common usage...) but
> > we would like that some znodes not be updated without authentication.
> >
> > we tested ACL and it works fine but the "limitations" that I see are (1)
> > pwd transported in clear and (2) you need to manage technical users (so pwd
> > storage, encryptions, etc etc..)
> >
> > So we prefer not using ACL and keep anonymous access on all nodes.
> >
> > But, we are facing "issues" with zkCli because any machine having zkcli can
> > connect to the Zookeeper ensemble and modify structure / values.
> >
> > To be honest, I would prefer a solution based on the fact we have a white
> > list of IPs allowed to access ZK, we control the ssh keys to connect to the
> > machines etc...Can we do that?
> >
> > more generally, do you have experience to share with me? how would you
> > handle that? any suggestions would be welcomed.
> >
> > Regards.
> > PS : we are using curator so maybe the ACLProvider could help (to access an
> > LDAP or...)
>
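
The "ip" scheme suggested in the reply matches the client's source address against an addr/bits expression, as the linked documentation describes. The following is an added example, not part of the original thread and not ZooKeeper's own code: a Python model of that matching for IPv4, using a constructed ACL and constructed addresses, that shows anonymous read combined with whitelist-only modification.

```python
import ipaddress

# Permission bits as defined in ZooKeeper's ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def ip_matches(client_ip, expr):
    """Model of the "ip" scheme: expr is 'addr' or 'addr/bits'; the most
    significant `bits` bits of addr must equal those of the client IP."""
    addr, _, bits = expr.partition("/")
    try:
        bits = int(bits) if bits else 32      # no suffix means exact host match
        if not 0 <= bits <= 32:
            return False                      # malformed prefix never matches
        acl = int(ipaddress.IPv4Address(addr))
        client = int(ipaddress.IPv4Address(client_ip))
    except ValueError:
        return False                          # unparsable address never matches
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (acl & mask) == (client & mask)


def allowed(client_ip, acl, perm):
    """Return True if any ACL entry grants `perm` to a client at `client_ip`."""
    for scheme, ident, perms in acl:
        if not perms & perm:
            continue
        if scheme == "world" and ident == "anyone":
            return True
        if scheme == "ip" and ip_matches(client_ip, ident):
            return True
    return False


# Constructed ACL for a service-discovery znode (addresses are samples):
# anyone may read, only whitelisted sources may create/write/delete/administer.
SERVICE_ACL = [
    ("world", "anyone", READ),
    ("ip", "10.20.30.0/24", ALL),   # hypothetical application subnet
    ("ip", "192.0.2.15", ALL),      # hypothetical single admin host
]

if __name__ == "__main__":
    for ip in ("10.20.30.77", "10.20.31.77", "192.0.2.15", "192.0.2.16"):
        print(ip, "read" if allowed(ip, SERVICE_ACL, READ) else "-",
              "write" if allowed(ip, SERVICE_ACL, WRITE) else "-")
```

A `/0` expression matches every client, so a typo in the prefix length can silently reopen the node. ZooKeeper ACLs also apply to a single znode and are not inherited by its children, so each protected node needs its own ACL.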
