zookeeper-user mailing list archives

From Olivier Mallassi <olivier.malla...@gmail.com>
Subject Zookeeper, security and zkCli
Date Wed, 28 May 2014 07:21:00 GMT
Hi all,

I am facing a "security issue" with Zookeeper (not from the impl but from
the "design" standpoint).

We will use ZK as a service discovery registry (pure common usage...) but
we would like some znodes not to be updated without authentication.

We tested ACL and it works fine, but the "limitations" that I see are (1)
pwd transported in clear and (2) you need to manage technical users (so pwd
storage, encryption, etc.).

So we prefer not using ACL and keep anonymous access on all nodes.

But, we are facing "issues" with zkCli because any machine having zkcli can
connect to the Zookeeper ensemble and modify structure / values.

To be honest, I would prefer a solution based on the fact that we have a white
list of IPs allowed to access ZK, we control the ssh keys to connect to the
machines, etc. Can we do that?

More generally, do you have experience to share with me? How would you
handle that? Any suggestions would be welcome.

PS: we are using Curator, so maybe the ACLProvider could help (to access an
LDAP or...)

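The message above asks whether writes can be limited to a white list of IPs while using Curator's ACLProvider. The sketch below is an added example, not part of the original message or of the ZooKeeper or Curator projects: it uses ZooKeeper's built-in `ip` ACL scheme, which carries no password. The class name `IpAllowListAclProvider`, the `/services` subtree and the addresses are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.curator.framework.api.ACLProvider;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/** Hypothetical provider: znodes stay world-readable, writes only from listed source addresses. */
public class IpAllowListAclProvider implements ACLProvider {
    // Constructed sample values (documentation address range); replace with the real allow-list.
    private static final List<String> WRITERS = Arrays.asList("192.0.2.10", "192.0.2.0/28");
    // Assumed subtree that needs protection; every other path stays open, as in the post.
    private static final String PROTECTED_ROOT = "/services";

    private final List<ACL> protectedAcl = new ArrayList<>();

    public IpAllowListAclProvider() {
        // Any client may still read, so service discovery lookups keep working anonymously.
        protectedAcl.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
        // The "ip" scheme matches the client's source address as seen by the server
        // (single address or addr/bits); no credential is sent or stored.
        for (String addr : WRITERS) {
            protectedAcl.add(new ACL(ZooDefs.Perms.ALL, new Id("ip", addr)));
        }
    }

    @Override
    public List<ACL> getDefaultAcl() {
        return ZooDefs.Ids.OPEN_ACL_UNSAFE;
    }

    @Override
    public List<ACL> getAclForPath(String path) {
        boolean inside = path.equals(PROTECTED_ROOT) || path.startsWith(PROTECTED_ROOT + "/");
        return inside ? protectedAcl : ZooDefs.Ids.OPEN_ACL_UNSAFE;
    }

    // Prints the ACL each path would get; needs no running ensemble.
    public static void main(String[] args) {
        ACLProvider provider = new IpAllowListAclProvider();
        System.out.println(provider.getAclForPath("/services/billing"));
        System.out.println(provider.getAclForPath("/tmp/scratch"));
    }
}
```

The provider is registered with `CuratorFrameworkFactory.builder().aclProvider(...)` and only affects znodes created through that client; ZooKeeper ACLs are per znode and not inherited, so existing znodes need their ACL set separately. Because the `ip` scheme trusts the source address the server sees, it belongs behind network-level filtering of the client port rather than in place of it.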