Date: Wed, 28 May 2014 09:21:00 +0200
Subject: Zookeeper, security and zkCli
From: Olivier Mallassi
To: user@zookeeper.apache.org

Hi all,

I am facing a "security issue" with Zookeeper (not from the impl but from the "design" standpoint).

We will use ZK as a service discovery registry (pure common usage...) but we would like some znodes not to be updated without authentication.

We tested ACL and it works fine, but the "limitations" that I see are (1) pwd transported in clear and (2) you need to manage technical users (so pwd storage, encryption, etc. etc.). So we prefer not using ACL and keep anonymous access on all nodes.

But we are facing "issues" with zkCli because any machine having zkCli can connect to the Zookeeper ensemble and modify structure / values.

To be honest, I would prefer a solution based on the fact that we have a white list of IPs allowed to access ZK, we control the ssh keys to connect to the machines, etc... Can we do that?

More generally, do you have experience to share with me? How would you handle that? Any suggestions would be welcome.

Regards.

PS: we are using Curator, so maybe the ACLProvider could help (to access an LDAP or...)
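The IP allow-list the message asks about maps onto ZooKeeper's built-in `ip` ACL scheme (id of the form `addr/bits`), which the server evaluates against the source address of the client connection, so no credential crosses the wire. The following is an added example, not code from this thread or from the Curator project: a Curator `ACLProvider` that makes every znode this client creates world-readable while granting create/write/delete/admin only to a trusted subnet. The subnet `10.0.0.0/24`, the connect string `localhost:2181` and the path `/services/example` are assumed placeholders.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/**
 * Curator ACLProvider applying a host-based allow-list:
 * anyone may read, only connections from TRUSTED_CIDR may modify.
 * The server enforces this for every client, zkCli included.
 */
public final class IpWhitelistAclProvider implements ACLProvider {

    // Assumed management subnet (placeholder); replace with the real allow-list.
    private static final String TRUSTED_CIDR = "10.0.0.0/24";

    // c,w,d,a for the trusted subnet; READ is already granted to world below,
    // and ZooKeeper unions the permissions of all matching ACL entries.
    private static final int WRITER_PERMS =
            ZooDefs.Perms.CREATE | ZooDefs.Perms.WRITE
            | ZooDefs.Perms.DELETE | ZooDefs.Perms.ADMIN;

    private static final List<ACL> WHITELIST_ACL = Collections.unmodifiableList(Arrays.asList(
            new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE), // world:anyone:r
            new ACL(WRITER_PERMS, new Id("ip", TRUSTED_CIDR))          // ip:10.0.0.0/24:cwda
    ));

    @Override
    public List<ACL> getDefaultAcl() {
        return WHITELIST_ACL;
    }

    @Override
    public List<ACL> getAclForPath(String path) {
        // One policy for every path; branch on the path here if some
        // subtrees need a different allow-list.
        return WHITELIST_ACL;
    }

    /** Builds a Curator client whose created znodes carry the allow-list ACL. */
    public static CuratorFramework newClient(String connectString) {
        RetryPolicy retry = new ExponentialBackoffRetry(1000, 3);
        return CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(retry)
                .aclProvider(new IpWhitelistAclProvider())
                .build();
    }

    public static void main(String[] args) throws Exception {
        CuratorFramework client = newClient("localhost:2181"); // assumed ensemble address
        client.start();
        try {
            // Parent nodes created here also receive the provider's ACL.
            client.create().creatingParentsIfNeeded()
                  .forPath("/services/example", "10.0.0.5:8080".getBytes("UTF-8"));
            // Shows the stored ACL, e.g. world:anyone:r and ip:10.0.0.0/24:cwda.
            System.out.println(client.getACL().forPath("/services/example"));
        } finally {
            client.close();
        }
    }
}
```

Two caveats a practitioner should weigh before relying on this. The `ip` scheme trusts whatever source address the server observes, so address translation, proxies or a host on the trusted subnet that an attacker controls all collapse the check; that is why the message's point about controlling ssh keys on those machines matters. The provider only applies to znodes created by this client; nodes that already exist keep their current ACL and would need updating in place, for example with `setAcl` in zkCli, and a zkCli on a non-whitelisted host will still be able to connect and read, but its writes are rejected with NoAuth.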