zookeeper-user mailing list archives

From Michael Han <h...@cloudera.com>
Subject Re: ACL - restricting connections by IP address
Date Thu, 08 Dec 2016 18:20:11 GMT
Correct - if the purpose is to restrict connection requests from known IPs,
then use iptables / a firewall.
A side note: ZK does have a built-in IP scheme that will grant permission
on a znode based on IP [1], but in that case the ensemble is still open to
connection requests from the world.
[1]
https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes

On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <dan@langille.org> wrote:

> Is my conclusion correct?
>
> We cannot tell zookeeper to only accept connections from a given IP range.
> Rather, we must restrict access to znodes within zookeeper.  Each znode has
> its own ACL.
>
> There is no inheriting from parent, no way to globally restrict access.
> It must be done on a znode by znode basis.
>
> There's no configuration file where we can tell zookeeper to only accept
> connections from 10.0.0.0/16, for example.  If we want to do that on a
> global basis, a firewall rule is a better solution than setting it on every
> node.
>
> --
> Dan Langille - BSDCan / PGCon
> dan@langille.org
>
>
>


-- 
Cheers
Michael.
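To make the distinction in this thread concrete, here is an added example (not from the thread, and not ZooKeeper's own code): a stdlib-only Python model of how a ZooKeeper server evaluates the built-in `ip` ACL scheme (and the default `world:anyone` scheme) against the address of an already-connected client, on a per-znode basis. The `ZnodeTree` class, its method names and the sample paths and addresses are constructed for illustration; the ACL string format (`scheme:id:perms`, a bare address meaning a /32) follows the ZooKeeper programmer's guide linked above.

```python
# Added example, not code from the thread or from the ZooKeeper project.
# It models how ZooKeeper checks the built-in "ip" and "world" ACL schemes
# on a single znode. The tree class, paths and addresses are constructed
# for illustration only.
import ipaddress

# Permission letters as used by "setAcl" in zkCli ("crwda"). The bit values
# are arbitrary for this model; only membership matters.
PERM_BITS = {"c": 1, "r": 2, "w": 4, "d": 8, "a": 16}

# ZooKeeper's default for a znode created without an explicit ACL.
OPEN_ACL_UNSAFE = ["world:anyone:crwda"]


def parse_acl(spec):
    """Turn 'scheme:id:perms' into (matcher, permission bitmask).

    Two schemes are modelled: 'world:anyone' matches every client, and
    'ip:addr[/bits]' does a prefix match on the client address, with a
    bare address meaning a /32 (as ZooKeeper treats it).
    """
    scheme, ident, perms = spec.split(":", 2)
    mask = 0
    for ch in perms:
        mask |= PERM_BITS[ch]
    if scheme == "world" and ident == "anyone":
        return (lambda client: True), mask
    if scheme == "ip":
        if "/" not in ident:
            ident += "/32"
        net = ipaddress.ip_network(ident, strict=False)
        return (lambda client: ipaddress.ip_address(client) in net), mask
    raise ValueError("scheme not modelled here: " + scheme)


def allowed(acl_specs, client_ip, op):
    """True if any ACL entry on the znode matches the client and grants op."""
    need = PERM_BITS[op]
    for spec in acl_specs:
        matches, mask = parse_acl(spec)
        if matches(client_ip) and mask & need:
            return True
    return False


class ZnodeTree:
    """Toy znode tree: path -> ACL list. ACLs are per znode, never inherited."""

    def __init__(self):
        self.acls = {"/": list(OPEN_ACL_UNSAFE)}

    def create(self, path, acl=None):
        # Like ZooKeeper: a new znode gets the ACL passed at creation time,
        # not its parent's. With none given, it gets the open default.
        self.acls[path] = list(acl) if acl else list(OPEN_ACL_UNSAFE)

    def set_acl_subtree(self, root, acl):
        """Apply one ACL to root and every existing descendant, node by node.

        This is the "znode by znode" work the thread describes; a client
        library would issue one setAcl per path.
        """
        prefix = root.rstrip("/") + "/"
        for path in self.acls:
            if path == root or path.startswith(prefix):
                self.acls[path] = list(acl)

    def check(self, path, client_ip, op):
        return allowed(self.acls[path], client_ip, op)


def demo():
    """Lock /app to 10.0.0.0/16, then show the gap left by a later znode."""
    tree = ZnodeTree()
    tree.create("/app")
    tree.create("/app/config")
    lan_only = ["ip:10.0.0.0/16:crwda"]
    tree.set_acl_subtree("/app", lan_only)
    # Created afterwards without an explicit ACL: open to anyone again,
    # because nothing is inherited from /app.
    tree.create("/app/later")
    return {
        "lan_reads_config": tree.check("/app/config", "10.0.42.7", "r"),
        "wan_reads_config": tree.check("/app/config", "203.0.113.9", "r"),
        "wan_reads_later": tree.check("/app/later", "203.0.113.9", "r"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two things the model makes visible. First, the ACL check runs only after the TCP connection is already accepted, so an `ip` ACL never reduces the attack surface of the listening port; the firewall rule Michael recommends is the only layer that does. Second, the address being matched is the peer address of the connection as the server sees it, so clients behind a NAT or proxy all present the proxy's address and are indistinguishable to the `ip` scheme.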
