zookeeper-user mailing list archives

From Michael Han <h...@cloudera.com>
Subject Re: ACL - restricting connections by IP address
Date Thu, 08 Dec 2016 18:20:11 GMT
Correct - if the purpose is to restrict connection requests from known IPs
then use iptables / firewall.
A side note is ZK does have a built-in IP scheme that will grant permission
on znode based on IP[1], but in that case the ensemble is still open to
connection requests from the world.

On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <dan@langille.org> wrote:

> Is my conclusion correct?
> We cannot tell zookeeper to only accept connections from a given IP range.
> Rather, we must restrict access to znodes within zookeeper.  Each znode has
> its own ACL.
> There is no inheriting from parent, no way to globally restrict access.
> It must be done on a znode by znode basis.
> There's no configuration file where we can tell zookeeper to only accept
> connections from, for example.  If we want to do that on a
> global basis, a firewall rule is a better solution than setting it on every
> node.
> --
> Dan Langille - BSDCan / PGCon
> dan@langille.org
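
The two layers discussed in this thread, as an added example that is not part of either message: a shell sketch that prints (does not apply) iptables rules limiting the client port to listed ranges, plus the zkCli command for a per-znode `ip` ACL. It assumes the default client port 2181; the address ranges and the `/app` path are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print (never apply) firewall rules and a znode ACL command.
# Assumption: ZooKeeper listens on its default client port, 2181.
ZK_CLIENT_PORT="${ZK_CLIENT_PORT:-2181}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix length.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        return 1
    addr=${1%%/*}
    old_ifs=$IFS
    IFS=.
    set -- $addr          # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Connection level: admit the listed sources, drop every other client.
zk_allow_rules() {
    [ "$#" -gt 0 ] || { echo "no ranges given" >&2; return 1; }
    for cidr in "$@"; do   # validate everything before printing anything
        is_ipv4_cidr "$cidr" || { echo "bad range: $cidr" >&2; return 1; }
    done
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$ZK_CLIENT_PORT" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ZK_CLIENT_PORT"
}

# Znode level: the built-in ip scheme, which has to be set on each znode.
# The server still accepts the connection; only access to this znode changes.
zk_acl_cmd() {
    is_ipv4_cidr "$2" || { echo "bad range: $2" >&2; return 1; }
    printf 'setAcl %s ip:%s:cdrwa\n' "$1" "$2"
}

# Constructed sample values.
zk_allow_rules 10.0.0.0/24 192.168.5.7
zk_acl_cmd /app 10.0.0.0/24
```

The ACCEPT rules must precede the DROP rule in the chain, which is why the function emits the DROP last.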

