zookeeper-user mailing list archives

From Daniel Kashtan <djkash...@gmail.com>
Subject Zookeeper server with SASL allows any old zkCli instance to connect
Date Tue, 25 Aug 2015 21:37:50 GMT
I am using SASL with Digest-MD5 and I have the flag
"-Dzookeeper.allowSaslFailedClients=false" set so that your connection is
dropped from the Zookeeper Server if your SASL authentication fails. This
is great! This only works for the Zookeeper clients created in Java code
though.

If I do a zkCli.sh -server 127.0.0.1:2181 then I can connect to my
Zookeeper server with no issues. This is unexpected behavior to me. It even
says in the output from zkCli.sh, "Will not attempt to authenticate using
SASL." How does this still work? I configured the Zookeeper server to drop
those connection attempts.

After much searching I turned up this link
<https://groups.google.com/a/cloudera.org/forum/#!topic/cdh-user/Hxqv7b2957w>,
but it is just some forum post for CDH. Is this true? The thought of
setting ACLs on all my znodes is daunting and verbose. Please let me know
if setting ACL nodes using SASL is my best and/or only option for securing
zkCli.sh and my Zookeeper server in general.
-- 
-Daniel
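
Added example, not part of the original message and not ZooKeeper project code: ZooKeeper ACLs are set per znode and are not inherited by children, so the ACL approach raised above means visiting every node. The Java program below walks the tree, reports znodes still open to `world:anyone`, and only rewrites them to a SASL-only ACL when `apply` is passed; the SASL user name is a hypothetical argument, and the client is assumed to run with a JAAS `Client` section for that same user.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
// Added example: report znodes readable/writable by world:anyone; dry run by default.
// Arguments: <host:port> <sasl-user> [apply]
public class SaslAclAudit {
    public static void main(String[] args) throws Exception {
        boolean apply = args.length > 2 && args[2].equals("apply");
        // args[1] is a hypothetical SASL user name (assumption, not from the message).
        List<ACL> saslOnly = Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("sasl", args[1])));
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(args[0], 30000, event -> {
            if (event.getState() == KeeperState.SyncConnected) connected.countDown();
        });
        try {
            connected.await();
            walk(zk, "/", saslOnly, apply);
        } finally {
            zk.close();
        }
    }
    // Post-order walk: children are handled before the parent's ACL is changed.
    static void walk(ZooKeeper zk, String path, List<ACL> saslOnly, boolean apply)
            throws Exception {
        if (path.equals("/zookeeper")) return; // choice made here: skip the reserved subtree
        try {
            for (String child : zk.getChildren(path, false)) {
                walk(zk, path.equals("/") ? "/" + child : path + "/" + child, saslOnly, apply);
            }
            for (ACL acl : zk.getACL(path, new Stat())) {
                if (acl.getId().equals(ZooDefs.Ids.ANYONE_ID_UNSAFE)) {
                    System.out.println("OPEN " + path + " perms=" + acl.getPerms());
                    if (apply) zk.setACL(path, saslOnly, -1); // -1 matches any ACL version
                    break;
                }
            }
        } catch (KeeperException.NoAuthException e) {
            System.out.println("NOAUTH " + path); // already restricted for this session
        }
    }
}
```

Run it without `apply` first to see the scope of the change. With `apply`, a session that is not logged in as the named SASL user loses access to every znode it rewrites.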
