zookeeper-user mailing list archives

From "Jürgen Wagner (DVT)" <juergen.wag...@devoteam.com>
Subject Re: authorize and authenticate zookeeper nodes
Date Fri, 19 Sep 2014 06:35:04 GMT
Depending on what you have in mind, you could use the ACL mechanism of
Zookeeper right away, or augment it by additional measures outside

Unfortunately, Zookeeper still does not support client authentication on
the connection level, nor does it have SSL for the ensemble-internal
connections. I do hope it will soon be on the radar of the Zookeeper
maintainers, so I can drop some other measures employed currently.

For some cases, you may want to generally restrict the access to
Zookeeper to certain IP addresses and then apply per-user ACLs for
individual znodes. In that case, I suggest you use a wrapper around
Zookeeper or a decent firewall to provide basic IP-address filtering, in
combination with the described ACL scheme. IP filtering (unless there
really is a wide variety of permitted addresses across all znodes)
inside Zookeeper does not seem like a good idea to me.

Otherwise, your Zookeeper won't be safe against DOS attacks or overloads
from too many requests (that may be denied, but still keep Zookeeper busy).

Also, the communication between Zookeeper services is not encrypted.
Therefore, the vanilla Zookeeper setup is not at all suited for any open
network. Consequently, you would have that firewall in front of the
subnet with Zookeepers, anyway. Why not employ a basic filtering there


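The following is an added illustration of the ACL scheme discussed in this message; it is not code from the reply above or from the ZooKeeper project. It models, in plain Python, how a `digest` ACL id is derived (`user:base64(sha1("user:password"))`, the same construction ZooKeeper's `DigestAuthenticationProvider.generateDigest` uses) and how the server evaluates a znode's ACL list: entries are checked independently and access is granted if any one entry carries the requested permission bit and matches the session. That OR semantics is why an `ip` entry inside the ACL widens access rather than adding a second gate, and why the per-IP restriction belongs in a firewall in front of the ensemble, as the reply suggests. The user name, password and subnet are constructed sample values.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Permission bits as defined in org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def digest_id(user: str, password: str) -> str:
    """Return the 'digest' scheme id stored in an ACL entry.

    ZooKeeper stores user:base64(sha1("user:password")); the same value is
    attached to a session when the client calls addAuthInfo("digest", ...),
    so a plaintext password never has to live in the znode ACL itself.
    """
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


@dataclass(frozen=True)
class ACL:
    perms: int    # bitmask of READ/WRITE/CREATE/DELETE/ADMIN
    scheme: str   # "world", "ip" or "digest"
    id: str       # "anyone", "a.b.c.d[/bits]" or "user:hash"


def per_user_acls(user: str, password: str,
                  reader_cidr: Optional[str] = None) -> List[ACL]:
    """Build a per-user ACL list for one znode.

    The digest entry gives the named user full control.  The optional ip
    entry grants READ to a whole subnet; because ACL entries are OR'ed,
    that read access does NOT require authentication (see check_access).
    """
    acls = [ACL(ALL, "digest", digest_id(user, password))]
    if reader_cidr:
        acls.append(ACL(READ, "ip", reader_cidr))
    return acls


def ip_matches(acl_id: str, client_ip: str) -> bool:
    """The 'ip' scheme accepts an address or an address/prefix-length."""
    network = ipaddress.ip_network(acl_id, strict=False)
    return ipaddress.ip_address(client_ip) in network


def check_access(acls: List[ACL], perm: int,
                 client_ip: str, session_auth_ids: List[str]) -> bool:
    """Mirror the server-side check: any matching entry with the bit wins.

    session_auth_ids holds the digest ids the client has authenticated
    with on this session (empty for an unauthenticated client).
    """
    for acl in acls:
        if not acl.perms & perm:
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if acl.scheme == "ip" and ip_matches(acl.id, client_ip):
            return True
        if acl.scheme == "digest" and acl.id in session_auth_ids:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: user "alice", an app subnet, a stranger.
    acls = per_user_acls("alice", "s3cret", reader_cidr="10.0.0.0/24")
    alice = [digest_id("alice", "s3cret")]
    print("alice writes from anywhere:",
          check_access(acls, WRITE, "192.168.1.1", alice))
    print("unauthenticated read from subnet:",
          check_access(acls, READ, "10.0.0.7", []))
    print("unauthenticated write from subnet:",
          check_access(acls, WRITE, "10.0.0.7", []))
```

Note that the digest entry is evaluated without regard to the source address, and the ip entry without regard to authentication; neither entry can express "this user, only from this subnet". Restricting who may reach the ensemble at all is therefore a job for network filtering outside ZooKeeper, with the ACLs then deciding what each authenticated user may do to individual znodes.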