How to prevent others from accessing our zookeeper service?

baidu
Hi,

I’ve read the documents about ZooKeeper authentication and ACLs. To my knowledge, this mechanism can only control access to specified znodes. To prevent others from accessing our ZooKeeper service, we need to set ACLs for all the znodes.

Is there any other way to do this?


Best wishes,
Dan

Re: How to prevent others from accessing our zookeeper service?

Abraham Fine
My understanding is that there is no current way to keep anonymous users
from connecting at all.

There have been numerous proposals to use SASL to solve this problem and
there is an open PR by Michael Han
(https://github.com/apache/zookeeper/pull/118), but nothing of the sort
has been committed yet.

Thanks,
Abe

On Mon, Aug 21, 2017, at 01:34, baidu wrote:

Re: How to prevent others from accessing our zookeeper service?

hanm
You can build an external solution to do the access control with client
connections, for example put a proxy like HAProxy in front of the ZK ensemble
and apply iptables rules that only allow specific connections to pass
through. ZK does not have intrinsic support for such control and this is
by design because it was designed to operate in a trusted environment.
Though this may change if more and more users are interested in such a
feature. So far ZOOKEEPER-1634 etc. are not getting much traction.

On Mon, Aug 21, 2017 at 2:06 PM, Abraham Fine <[hidden email]> wrote:

--
Cheers
Michael.
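As an added example (not from the thread and not ZooKeeper project code), here is one way to turn Michael's suggestion into host firewall rules on each ensemble member: application clients may reach only the client port, ensemble peers may reach only the quorum ports, and every other source is dropped before it can open a session, so no ZooKeeper-level authentication is needed for the "keep anonymous users from connecting at all" goal. It assumes the default ports (2181 for clients, 2888 and 3888 for the quorum), a dedicated chain named ZK_ACCESS, and constructed addresses; none of these come from the thread.

```shell
#!/bin/sh
# Added example: host firewall rules for one ZooKeeper ensemble member.
# Not from the mailing-list thread or from the ZooKeeper project.
# Assumptions (not stated in the thread): default client port 2181,
# quorum ports 2888 (leader) and 3888 (election), a dedicated chain
# named ZK_ACCESS. All addresses used below are made up.

ZK_CLIENT_PORT=2181
ZK_QUORUM_PORTS="2888,3888"
ZK_CHAIN="ZK_ACCESS"

# zk_rules "CLIENT_CIDRS" "PEER_CIDRS"
# Prints, but does not apply, the iptables commands. Review the output,
# then pipe it to sh as root. Order matters: the ACCEPT rules come first,
# then a catch-all DROP for the ZooKeeper ports, so any source not listed
# is cut off at the TCP layer and never reaches the session handshake.
zk_rules() {
    clients="$1"
    peers="$2"

    # Create the chain, or flush it if it already exists (idempotent re-runs).
    echo "iptables -N $ZK_CHAIN 2>/dev/null || iptables -F $ZK_CHAIN"

    # Application clients: only the client port. Operator hosts that run
    # zkCli or four-letter-word checks belong in this list too.
    for c in $clients; do
        echo "iptables -A $ZK_CHAIN -p tcp -s $c --dport $ZK_CLIENT_PORT -j ACCEPT"
    done

    # Ensemble peers: only the quorum ports (least privilege; a peer that
    # also needs the client port is simply listed in both groups).
    for p in $peers; do
        echo "iptables -A $ZK_CHAIN -p tcp -s $p -m multiport --dports $ZK_QUORUM_PORTS -j ACCEPT"
    done

    # Everyone else: dropped on all ZooKeeper ports. DROP rather than REJECT
    # so a scanner learns nothing about which ports are listening.
    echo "iptables -A $ZK_CHAIN -p tcp -m multiport --dports $ZK_CLIENT_PORT,$ZK_QUORUM_PORTS -j DROP"

    # Hook the chain into INPUT exactly once (-C tests whether the jump exists).
    echo "iptables -C INPUT -j $ZK_CHAIN 2>/dev/null || iptables -I INPUT 1 -j $ZK_CHAIN"
}

# Number of generated iptables commands; a quick sanity check before applying.
zk_rule_count() {
    zk_rules "$1" "$2" | grep -c '^iptables'
}

# Usage (prints the rules for review; append "| sudo sh" to apply them):
#   zk_rules "10.0.1.0/24 10.0.2.7" "10.0.0.11 10.0.0.12 10.0.0.13"
```

Two caveats a practitioner should keep in mind. First, every ensemble member must list every other member in the peer group, or the ensemble loses quorum the moment the rules go in; test on one node and watch its `mntr`/`stat` output before rolling out. Second, this is a network allowlist keyed on source address: it stops unknown hosts from connecting, but it does not authenticate anyone and it does nothing about what a permitted host may do once connected, so znode ACLs (or the SASL work the thread mentions) are still what protects the data from the clients you let in. If HAProxy fronts the ensemble as Michael suggests, the same allowlist belongs on the proxy frontend as well, otherwise the proxy's own address becomes the single "trusted" source and the firewall rule above loses its meaning.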