From: "Jürgen Wagner (DVT)" <juergen.wagner@devoteam.com>
To: user@zookeeper.apache.org
Date: Fri, 19 Sep 2014 08:35:04 +0200
Subject: Re: authorize and authenticate zookeeper nodes
Message-ID: <541BCE98.4090808@devoteam.com>
References: <1411009659613-7580303.post@n2.nabble.com>

Sucheta,

depending on what you have in mind, you could use the ACL mechanism of Zookeeper right away, or augment it by additional measures outside Zookeeper.

Unfortunately, Zookeeper still does not support client authentication on the connection level, nor does it have SSL for the ensemble-internal connections. I do hope it will soon be on the radar of the Zookeeper maintainers, so I can drop some other measures employed currently.

For some cases, you may want to generally restrict the access to Zookeeper to certain IP addresses and then apply per-user ACLs for individual znodes. In that case, I suggest you use a wrapper around Zookeeper or a decent firewall to provide basic IP-address filtering, in combination with the described ACL scheme.

IP filtering (unless there really is a wide variety of permitted addresses across all znodes) inside Zookeeper does not seem like a good idea to me. Otherwise, your Zookeeper won't be safe against DOS attacks or overloads from too many requests (that may be denied, but still keep Zookeeper busy).

Also, the communication between Zookeeper services is not encrypted. Therefore, the vanilla Zookeeper setup is not at all suited for any open network. Consequently, you would have that firewall in front of the subnet with Zookeepers, anyway. Why not employ a basic filtering there already?

Cheers,
--Jürgen
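The per-znode ACL scheme the reply refers to, as an added example that is not part of the thread and not ZooKeeper's own code. It builds the `digest` id that ZooKeeper derives from `user:password` (base64 of the SHA-1 of that string, which is what a client's `addauth digest user:password` is matched against), adds an `ip` entry to show that scheme alongside it, renders the equivalent `zkCli.sh` `setAcl` line, and evaluates a request the way the server's check works in outline (any matching entry that carries the permission bit grants it). The user name `alice`, the password, the znode path `/config` and the subnet `10.0.0.0/24` are constructed sample values; the evaluator `check_acl` is an illustration written for this page, not ZooKeeper's implementation.

```python
"""Added example: ZooKeeper-style digest/ip ACL entries and a permission check.
Not code from the ZooKeeper project; sample users, paths and subnets are made up."""
import base64
import hashlib
import ipaddress

# Permission bits as defined in ZooKeeper's ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# Letters accepted by zkCli's setAcl, in the order ZooKeeper prints them
PERM_LETTERS = {"c": CREATE, "d": DELETE, "r": READ, "w": WRITE, "a": ADMIN}


def digest_id(user: str, password: str) -> str:
    """Id stored in a 'digest' ACL entry: user:base64(sha1('user:password')).
    The password itself is never stored in the znode's ACL."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def perms_from_letters(letters: str) -> int:
    """'crwda' -> bitmask; unknown letters raise KeyError on purpose."""
    return sum(PERM_LETTERS[c] for c in letters)


def letters_from_perms(perms: int) -> str:
    return "".join(c for c, bit in PERM_LETTERS.items() if perms & bit)


def acl_entry(scheme: str, ident: str, letters: str) -> dict:
    return {"scheme": scheme, "id": ident, "perms": perms_from_letters(letters)}


def zkcli_setacl(path: str, acl: list) -> str:
    """Render the zkCli.sh command that would install this ACL on `path`."""
    parts = [f"{e['scheme']}:{e['id']}:{letters_from_perms(e['perms'])}" for e in acl]
    return f"setAcl {path} {','.join(parts)}"


def _id_matches(entry: dict, client_ids: list, client_ip: str) -> bool:
    """Does this ACL entry apply to the connecting client?"""
    scheme, ident = entry["scheme"], entry["id"]
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":
        # ZooKeeper's ip scheme takes addr or addr/bits; a bare address is a /32
        net = ipaddress.ip_network(ident, strict=False)
        return ipaddress.ip_address(client_ip) in net
    if scheme == "digest":
        # client_ids holds (scheme, id) pairs the session authenticated with
        return ("digest", ident) in client_ids
    return False


def check_acl(acl: list, perm: int, client_ids: list, client_ip: str) -> bool:
    """Grant if any entry that matches the client carries the requested bit."""
    return any(
        entry["perms"] & perm and _id_matches(entry, client_ids, client_ip)
        for entry in acl
    )


def example_acl() -> list:
    """Constructed sample: alice gets everything, the 10.0.0.0/24 subnet read-only."""
    return [
        acl_entry("digest", digest_id("alice", "s3cret-example"), "crwda"),
        acl_entry("ip", "10.0.0.0/24", "r"),
    ]


if __name__ == "__main__":
    acl = example_acl()
    print(zkcli_setacl("/config", acl))
    alice = [("digest", digest_id("alice", "s3cret-example"))]
    print("alice write from outside subnet:", check_acl(acl, WRITE, alice, "203.0.113.9"))
    print("anonymous read from subnet:     ", check_acl(acl, READ, [], "10.0.0.7"))
    print("anonymous write from subnet:    ", check_acl(acl, WRITE, [], "10.0.0.7"))
```

Two points the reply makes show up directly in the evaluator: a client that never calls `addauth` has an empty `client_ids` and can only match `world` or `ip` entries, and an `ip` entry is evaluated only after the connection has been accepted and the request parsed, which is why the author prefers filtering at the firewall in front of the ensemble.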