zookeeper-user mailing list archives

From Michael Han <h...@cloudera.com>
Subject Re: How to prevent others from accessing our zookeeper service?
Date Mon, 21 Aug 2017 21:47:48 GMT
You can build an external solution to do the access control with client
connections, for example put a proxy like HAProxy in front of the ZK ensemble
and apply iptables rules that only allow specific connections to pass
through. ZK does not have intrinsic support for such control and this is
by design because it was designed to operate in a trusted environment.
Though this may change if more and more users are interested in such a
feature. So far ZOOKEEPER-1634 etc. are not getting much traction.

On Mon, Aug 21, 2017 at 2:06 PM, Abraham Fine <afine@apache.org> wrote:

> My understanding is that there is no current way to keep anonymous users
> from connecting at all.
> There have been numerous proposals to use SASL to solve this problem and
> there is an open PR by Michael Han
> (https://github.com/apache/zookeeper/pull/118), but nothing of the sort
> has been committed yet.
> Thanks,
> Abe
> On Mon, Aug 21, 2017, at 01:34, baidu wrote:
> > Hi,
> >
> > I’ve read documents about zookeeper authentication and acl. To my
> > knowledge, this mechanism can only control the access of specified
> > znodes. To prevent others from accessing our zookeeper service, we need
> > to set acl for all the znodes.
> >
> > Is there any other way to do this?
> >
> >
> > Best wishes,
> > Dan
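
Added example, not part of the original messages or of ZooKeeper itself: a sketch of the iptables allowlist that Michael Han's reply describes, printed for review rather than applied. The port 2181, the chain name ZK_CLIENTS and the source addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules allowlisting ZooKeeper clients.
# Assumed: client port 2181, IPv4 sources, chain name ZK_CLIENTS.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix,
# so nothing else can reach the generated command lines.
valid_source() {
    addr=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Usage: zk_client_rules PORT SOURCE...
# Validates everything first, then prints the rules; prints nothing on bad input.
zk_client_rules() {
    [ $# -ge 2 ] || { echo "usage: zk_client_rules PORT SOURCE..." >&2; return 1; }
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo "iptables -N ZK_CLIENTS"
    for src in "$@"; do
        echo "iptables -A ZK_CLIENTS -s $src -j ACCEPT"
    done
    echo "iptables -A ZK_CLIENTS -j DROP"
    # Hook the chain in last, once it is complete, so traffic never hits a partial list.
    echo "iptables -I INPUT -p tcp --dport $port -j ZK_CLIENTS"
}

# Constructed sample: a proxy host and one client subnet (documentation ranges).
zk_client_rules 2181 192.0.2.10 198.51.100.0/24
```

With a proxy in front of the ensemble, the only source listed on the ZooKeeper hosts would be the proxy's address, and the per-client allowlist lives on the proxy host.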

