zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michi Mutsuzaki <mutsuz...@gmail.com>
Subject Re: Can we restrict any client connections to Zookeeper ensemble
Date Fri, 05 Feb 2016 19:26:38 GMT
There is an ip based authentication provider:
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

I couldn't find much documentation on it though...

On Fri, Feb 5, 2016 at 11:22 AM, Adam Milne-Smith
<adam@milne-smith.co.uk> wrote:
> I've been looking to do the same thing so have started running a HAProxy on each ZooKeeper
host in transparent tcp mode in front of the ZooKeeper client port.
>
> The choice of transparent mode was so that I can still map session activity to source
IP in ZooKeeper. HAProxy will spoof the client ip so the ZooKeeper is none the wiser that
HAProxy sits in between. It requires some iptables, ip rules and ip route config to direct
outgoing packets from ZooKeeper back through the HAProxy.
>
> This allows for blacklisting ips and protecting against DOS attacks by rate limiting
new connections by IP and by block connections from bad actors that are too write intensive.
>
> If this sounds like a useful to anyone I can outline the approach in a bit more detail.
>
> Thanks,
> Adam
>
>
> On 5 Feb 2016 19:07, "Talluri, Chandra" <Chandra.Talluri@FMR.com.INVALID> wrote:
>>
>> Is it possible to restrict any client connections to Zookeeper ensemble based on
IP address. Not just setting Acl's on znode?
>>
>> (i.e) I should be able to connect to zookeeper ensemble either using zkCli.sh or
any client only from certain ip addresses
>>
>> -Thanks in advance

Mime
View raw message