zookeeper-user mailing list archives

From Dan Langille <...@langille.org>
Subject Re: ACL - restricting connections by IP address
Date Thu, 08 Dec 2016 18:24:18 GMT
Thanks Michael.  That URL is what I was reading this morning and, combined with my tests,
seemed to confirm my understanding.

Cheers.

-- 
Dan Langille - BSDCan / PGCon
dan@langille.org


> On Dec 8, 2016, at 1:20 PM, Michael Han <hanm@cloudera.com> wrote:
> 
> Correct - if the purpose is to restrict connection requests to known IPs,
> then use iptables / a firewall.
> A side note is ZK does have a built-in IP scheme that will grant permission
> on a znode based on IP[1], but in that case the ensemble is still open to
> connection requests from the world.
> [1]
> https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes
> 
> On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <dan@langille.org> wrote:
> 
>> Is my conclusion correct?
>> 
>> We cannot tell zookeeper to only accept connections from a given IP range.
>> Rather, we must restrict access to znodes within zookeeper.  Each znode has
>> its own ACL.
>> 
>> There is no inheriting from parent, no way to globally restrict access.
>> It must be done on a znode by znode basis.
>> 
>> There's no configuration file where we can tell zookeeper to only accept
>> connections from 10.0.0.0/16, for example.  If we want to do that on a
>> global basis, a firewall rule is a better solution than setting it on every
>> node.
>> 
>> --
>> Dan Langille - BSDCan / PGCon
>> dan@langille.org
>> 
>> 
>> 
> 
> 
> -- 
> Cheers
> Michael.
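The distinction Michael draws above can be made concrete with a small model. The code below is an added illustration, not code from the thread or from ZooKeeper itself: it models the per-znode `ip` ACL scheme (an address, or address/prefix-length, matched against the connected client's address, with the permission bits taking the same values as ZooKeeper's ZooDefs.Perms) next to a host-firewall check, and shows that without the firewall a client from anywhere is still accepted by the server and only the znode operation is denied. Addresses, znode names and their ACLs are constructed sample data, and the `handle_read` function and its result strings are assumptions of this model rather than ZooKeeper API.

```python
"""Model of ZooKeeper's per-znode 'ip' ACL scheme versus a host firewall.

Added illustration, not ZooKeeper's own code. Addresses and znode ACLs
are constructed; the permission bit values match ZooDefs.Perms.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Permission bits as in ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Acl:
    scheme: str   # "world" or "ip"
    id: str       # "anyone" for world; "addr" or "addr/bits" for ip
    perms: int    # bitmask of the constants above


def ip_matches(acl_id: str, client_addr: str) -> bool:
    """'ip' scheme match: an address, or an address with a prefix length.

    A bare address is a full-length prefix (exact match). A malformed id
    matches nothing, so the check fails closed.
    """
    try:
        network = ipaddress.ip_network(acl_id, strict=False)
        return ipaddress.ip_address(client_addr) in network
    except ValueError:
        return False


def check_acl(acls: Iterable[Acl], client_addr: str, perm: int) -> bool:
    """True if some entry of this znode's ACL grants the single bit `perm`.

    Only the entries of the znode being accessed are consulted: nothing is
    inherited from the parent, which is why every znode needs its own ACL.
    """
    for acl in acls:
        if acl.perms & perm == 0:
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if acl.scheme == "ip" and ip_matches(acl.id, client_addr):
            return True
    return False


def firewall_allows(client_addr: str, allowed: Iterable[str]) -> bool:
    """Host firewall model: the TCP connection is accepted only from these ranges."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed)


def handle_read(client_addr: str, znode_acls: List[Acl],
                firewall_ranges: Optional[List[str]] = None) -> str:
    """Outcome of one client reading one znode (modelled, not ZooKeeper API).

    With no firewall the server accepts the connection from anywhere and the
    ip ACL only decides the znode operation; with a firewall in front, the
    connection from an outside address never reaches ZooKeeper at all.
    """
    if firewall_ranges is not None and not firewall_allows(client_addr, firewall_ranges):
        return "connection refused by firewall"
    if check_acl(znode_acls, client_addr, READ):
        return "connected, read allowed"
    return "connected, read denied (NoAuth)"


# Constructed sample ACLs: /config usable only from 10.0.0.0/16, /public world-readable
CONFIG_ACL = [Acl("ip", "10.0.0.0/16", ALL)]
PUBLIC_ACL = [Acl("world", "anyone", READ)]

if __name__ == "__main__":
    for client in ("10.0.3.7", "192.0.2.44"):
        print(client, "/config, no firewall:", handle_read(client, CONFIG_ACL))
        print(client, "/config, firewall 10.0.0.0/16:",
              handle_read(client, CONFIG_ACL, ["10.0.0.0/16"]))
```

Running the block shows the outside client 192.0.2.44 being connected and then denied on `/config` when only the znode ACL is in place, and never connecting once the firewall range is applied; the ACL still matters for the inside client, since a znode with a world-readable ACL stays readable from any address the firewall lets through.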

