zookeeper-user mailing list archives

From "Talluri, Chandra" <Chandra.Tall...@FMR.com.INVALID>
Subject RE: Can we restrict any client connections to Zookeeper ensemble
Date Fri, 05 Feb 2016 20:52:24 GMT

This is to set the IP-based ACL for znodes, not for the entire server, and the information for
it is at https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

What I need is a server-wide restriction on which clients can connect.

-----Original Message-----
From: Michi Mutsuzaki [mailto:mutsuzaki@gmail.com] 
Sent: Friday, February 05, 2016 2:27 PM
To: user@zookeeper.apache.org
Subject: Re: Can we restrict any client connections to Zookeeper ensemble

There is an ip based authentication provider:
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

I couldn't find much documentation on it though...

On Fri, Feb 5, 2016 at 11:22 AM, Adam Milne-Smith <adam@milne-smith.co.uk> wrote:
> I've been looking to do the same thing so have started running a HAProxy on each ZooKeeper host in transparent TCP mode in front of the ZooKeeper client port.
>
> The choice of transparent mode was so that I can still map session activity to source IP in ZooKeeper. HAProxy will spoof the client IP so ZooKeeper is none the wiser that HAProxy sits in between. It requires some iptables, ip rule and ip route config to direct outgoing packets from ZooKeeper back through the HAProxy.
>
> This allows for blacklisting IPs and protecting against DoS attacks by rate limiting new connections by IP and by blocking connections from bad actors that are too write intensive.
>
> If this sounds useful to anyone I can outline the approach in a bit more detail.
>
> Thanks,
> Adam
>
>
> On 5 Feb 2016 19:07, "Talluri, Chandra" <Chandra.Talluri@FMR.com.INVALID> wrote:
>>
>> Is it possible to restrict any client connections to a Zookeeper ensemble based on IP address, not just by setting ACLs on znodes?
>>
>> (i.e) I should be able to connect to zookeeper ensemble either using 
>> zkCli.sh or any client only from certain ip addresses
>>
>> -Thanks in advance
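The following HAProxy configuration is an added illustration of the per-host transparent proxy Adam describes above, written for this thread; it is not configuration from the ZooKeeper project or from any poster. It assumes ZooKeeper on the host has been moved to clientPort=2182, that HAProxy takes over the usual 2181, that 10.0.0.1 stands in for the host's own address, and that /etc/haproxy/zk-allow.lst contains the permitted client networks, one IP or CIDR per line. The allowlist is the server-wide IP restriction the original question asks for; the stick-table gives the per-IP rate limits.

```haproxy
# Added example (not from the thread): HAProxy in front of the ZooKeeper
# client port on one ensemble host. Assumptions: ZooKeeper listens on
# 10.0.0.1:2182 on this host, HAProxy owns 2181, and the allowlist file
# exists and is readable by HAProxy.
global
    log /dev/log local0
    # 'usesrc clientip' below needs CAP_NET_ADMIN; drop everything else
    user haproxy
    group haproxy

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    # ZooKeeper sessions are long-lived and idle between pings, so these
    # must stay well above the clients' session timeout
    timeout client 1h
    timeout server 1h

frontend zk_clients
    bind *:2181
    # per-source-IP counters: new-connection rate and inbound byte rate
    stick-table type ip size 100k expire 5m store conn_rate(10s),bytes_in_rate(10s)
    tcp-request connection track-sc0 src
    # server-wide allowlist: only addresses/networks in the file may connect
    tcp-request connection reject if !{ src -f /etc/haproxy/zk-allow.lst }
    # connection-flood protection: more than 20 new connections per 10 s from one IP
    tcp-request connection reject if { sc0_conn_rate gt 20 }
    # crude "too write intensive" cut-off: refuse new connections from an IP
    # that has pushed more than ~1 MB into the ensemble in the last 10 s
    # (TCP bytes, not ZooKeeper write operations; threshold is illustrative)
    tcp-request connection reject if { sc0_bytes_in_rate gt 1000000 }
    default_backend zk_local

backend zk_local
    # connect to ZooKeeper using the client's own IP as source, so ZooKeeper's
    # logs, the 'cons' four-letter word and ip-scheme znode ACLs still see the
    # real client address rather than 127.0.0.1 or the proxy's address
    source 0.0.0.0 usesrc clientip
    # no 'check': HAProxy's TCP health probes would show up in ZooKeeper logs
    # as connections that close without a handshake
    server zk 10.0.0.1:2182
```

Because the backend now sees the client's address, ZooKeeper's replies are addressed to the client and would leave the host directly instead of returning to HAProxy's socket. The return-path plumbing Adam alludes to is the usual transparent-proxy recipe, given here as an assumption rather than as his exact rules: mark ZooKeeper's outbound packets with `iptables -t mangle -A OUTPUT -p tcp --sport 2182 -j MARK --set-mark 1`, send marked packets to a dedicated table with `ip rule add fwmark 1 lookup 100`, and make that table deliver locally with `ip route add local 0.0.0.0/0 dev lo table 100`. Two caveats worth checking before deploying: many legitimate clients behind one NAT address share a single stick-table entry, so a conn_rate limit sized for one client can lock them all out during a reconnect storm; and the byte-rate rule only approximates "write intensive", since reads and session pings also count as inbound bytes.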