zookeeper-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Solr and Zookeeper Security
Date Thu, 03 Mar 2016 15:09:06 GMT
MG>comprehensive zookeeper client-server authentication described at :
MG>SASL happens at connection time, so addauth would not be necessary. On the other hand, addAcl is supported.

> Date: Thu, 3 Mar 2016 20:13:39 +0530
> Subject: Fwd: Solr and Zookeeper Security
> From: edotservice@gmail.com
> To: user@zookeeper.apache.org
> I am sorry to ask this question, but I really need some light on the below
> matter.
> I want to run Solr in cloud mode, so obviously I am going to use
> ZooKeeper.
> My quorum is distributed on 3 servers with static IPs, let's say
> server.1=xx.xx.x1:2888:3888
> server.2=xx.xx.x2:2889:3889
> server.3=xx.xx.x3:2890:3890
> with Solr pointing to this ensemble. Now my concern is how I should protect
> it from other unauthorized zkClients connecting to the above quorum. One way
> could be not to open the port for the client, but then how will Solr connect?
> The other problem is how to safeguard the quorum interconnection. I observed
> a weird behavior: I can point a fourth ZooKeeper from my local machine to the
> above quorum (I have to know only the IP and port, which is not tough to find)
> and it will be absorbed as a part of the quorum, and then I can use my local
> zkClient to connect to my local ZooKeeper and have access to the quorum, which
> we don't want. I want to define the quorum in a way that a foreign ZooKeeper
> server is not able to become part of the already configured quorum.
> Again, one more strange behavior about ZooKeeper znodes: user A can set the
> ACL of a znode, and user B, who can connect to ZooKeeper, can't see the
> content as it will throw an ACL error; that is fine, but the strange thing is
> that user B can still delete the znode of A which he can't see. :(
> I think a hell of a lot of things are not clear about ZooKeeper security.
> Please can you help me? And don't forget my thanks in advance.
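As an added example, not part of this thread or of ZooKeeper's own code: a small Python model of how ZooKeeper forms digest ACL ids (the hashed form that `setAcl ... digest:...` stores and that `addauth digest user:password` authenticates against) and how it evaluates ACLs, including the deletion case raised in the question: ZooKeeper checks the DELETE bit on the parent znode, not on the znode being removed, so a locked child under an open parent can still be deleted. The users, passwords and paths are constructed for the example.

```python
import base64
import hashlib

# ZooKeeper permission bits (ZooDefs.Perms) keyed by the CLI's 'cdrwa' letters.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
PERM_CHARS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}

def digest_id(user, password):
    """Id for a 'digest' ACL entry: user:base64(sha1(user:password)).
    `addauth digest user:password` gives the client the clear-text pair;
    `setAcl /path digest:<id>:perms` stores only this hashed form."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "%s:%s" % (user, base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii"))

def perms(s):
    """Translate 'cdrwa'-style notation into a permission bitmask."""
    return sum(PERM_CHARS[ch] for ch in s)

def allowed(acl, auth_ids, perm):
    """Check one ACL list the way ZooKeeper does: an entry grants `perm` when its
    bit is set and the entry is world:anyone or a digest id this session
    authenticated with (via addauth)."""
    for bits, scheme, ident in acl:
        if bits & perm and (
            (scheme == "world" and ident == "anyone")
            or (scheme == "digest" and ident in auth_ids)
        ):
            return True
    return False

def can_read(tree, path, auth_ids):
    return allowed(tree[path], auth_ids, READ)

def can_delete(tree, path, auth_ids):
    """Deleting a znode needs DELETE on its *parent*; the znode's own ACL is not
    consulted, so a locked child under an open parent can be removed by anyone."""
    parent = path.rsplit("/", 1)[0] or "/"
    return allowed(tree[parent], auth_ids, DELETE)

# Constructed sample tree: alice locks /solr/secret to herself, but /solr keeps
# the default open ACL. Users, passwords and paths are made up for the example.
ALICE = digest_id("alice", "alice-pw")
BOB = digest_id("bob", "bob-pw")
OPEN_TREE = {
    "/": [(perms("cdrwa"), "world", "anyone")],
    "/solr": [(perms("cdrwa"), "world", "anyone")],
    "/solr/secret": [(perms("cdrwa"), "digest", ALICE)],
}
# Hardened variant: the parent carries alice's digest ACL too, so bob can neither read nor delete the child.
LOCKED_TREE = {**OPEN_TREE, "/solr": [(perms("cdrwa"), "digest", ALICE)]}
```

The same holds for the real server: restricting the child alone is not enough, the parent's ACL must also withhold DELETE (and CREATE) from unauthenticated sessions.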