Posted to user@zookeeper.apache.org by Dan Langille <da...@langille.org> on 2016/12/08 16:17:34 UTC

ACL - restricting connections by IP address

Is my conclusion correct?

We cannot tell zookeeper to only accept connections from a given IP range. Rather, we must restrict access to znodes within zookeeper.  Each znode has its own ACL.

There is no inheriting from parent, no way to globally restrict access.  It must be done on a znode by znode basis.

There's no configuration file where we can tell zookeeper to only accept connections from 10.0.0.0/16, for example.  If we want to do that on a global basis, a firewall rule is a better solution than setting it on every node.

-- 
Dan Langille - BSDCan / PGCon
dan@langille.org



Re: ACL - restricting connections by IP address

Posted by Dan Langille <da...@langille.org>.
Thanks Michael.  That URL is what I was reading this morning and, combined with my tests
seemed to confirm my understanding. 

Cheers.

-- 
Dan Langille - BSDCan / PGCon
dan@langille.org


> On Dec 8, 2016, at 1:20 PM, Michael Han <ha...@cloudera.com> wrote:
> 
> Correct - if the purpose is to restrict connection requests from known ips
> then using iptables / firewall.
> A side note is ZK does have a built in IP scheme that will grant permission
> on znode based on IP[1], but in that case the ensemble is still open to
> connection requests from the world.
> [1]
> https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes
> 
> On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <da...@langille.org> wrote:
> 
>> Is my conclusion correct?
>> 
>> We cannot tell zookeeper to only accept connections from a given IP range.
>> Rather, we must restrict access to znodes within zookeeper.  Each znode has
>> its own ACL.
>> 
>> There is no inheriting from parent, no way to globally restrict access.
>> It must be done on a znode by znode basis.
>> 
>> There's no configuration file where we can tell zookeeper to only accept
>> connections from 10.0.0.0/16, for example.  If we want to do that on a
>> global basis, a firewall rule is a better solution than setting it on every
>> node.
>> 
>> --
>> Dan Langille - BSDCan / PGCon
>> dan@langille.org
>> 
>> 
>> 
> 
> 
> -- 
> Cheers
> Michael.


Re: ACL - restricting connections by IP address

Posted by Michael Han <ha...@cloudera.com>.
Correct - if the purpose is to restrict connection requests from known ips
then using iptables / firewall.
A side note is ZK does have a built in IP scheme that will grant permission
on znode based on IP[1], but in that case the ensemble is still open to
connection requests from the world.
[1]
https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes

On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <da...@langille.org> wrote:

> Is my conclusion correct?
>
> We cannot tell zookeeper to only accept connections from a given IP range.
> Rather, we must restrict access to znodes within zookeeper.  Each znode has
> its own ACL.
>
> There is no inheriting from parent, no way to globally restrict access.
> It must be done on a znode by znode basis.
>
> There's no configuration file where we can tell zookeeper to only accept
> connections from 10.0.0.0/16, for example.  If we want to do that on a
> global basis, a firewall rule is a better solution than setting it on every
> node.
>
> --
> Dan Langille - BSDCan / PGCon
> dan@langille.org
>
>
>


-- 
Cheers
Michael.
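The two points made in this thread (the built-in "ip" scheme grants rights on a znode from the client address, and ACLs are evaluated per znode with no inheritance from the parent) can be seen without running an ensemble. The following is an added illustration written for this page, not ZooKeeper code: it models the documented ACL check of the ip and world schemes on a small constructed znode tree. The permission bit values follow ZooDefs.Perms; the tree, addresses and helper names are all constructed for the example. It only models what happens after a session is open; as Michael notes, the TCP connection itself is still accepted from anywhere, which is why the 10.0.0.0/16 restriction from the original question belongs in a firewall rule rather than in ACLs.

```python
"""
Model of ZooKeeper's per-znode ACL check with the built-in "ip" scheme.
Added illustration, not ZooKeeper code: it reproduces the documented
semantics (ACL ids of the form ip:addr/bits matched on the most
significant bits of the client address; ACLs not inherited from parents)
so the behaviour discussed in the thread can be seen without a cluster.
"""
import ipaddress

# Permission bits as in org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def parse_id(scheme_id):
    """Split "scheme:id" into its two parts."""
    scheme, sep, ident = scheme_id.partition(":")
    if not sep:
        raise ValueError(f"ACL id must be scheme:id, got {scheme_id!r}")
    return scheme, ident


def ip_matches(expr, client_ip):
    """Does client_ip fall inside the "addr/bits" expression of an ip-scheme id?
    A bare address with no /bits means every bit must match (/32 or /128).
    The ipaddress module accepts IPv6 too; the thread only discusses IPv4."""
    net = ipaddress.ip_network(expr, strict=False)
    addr = ipaddress.ip_address(client_ip)
    return addr.version == net.version and addr in net


def acl_permits(acl, client_ip, perm):
    """acl is a list of (perms, "scheme:id") tuples as stored on one znode.
    Only the world and ip schemes are modelled; auth/digest/sasl depend on
    session credentials that this constructed example does not carry."""
    for perms, scheme_id in acl:
        if not perms & perm:
            continue
        scheme, ident = parse_id(scheme_id)
        if scheme == "world" and ident == "anyone":
            return True
        if scheme == "ip" and ip_matches(ident, client_ip):
            return True
    return False


def check_access(tree, path, client_ip, perm):
    """Evaluate perm for client_ip on exactly the znode at path.
    Only that znode's ACL is consulted, never an ancestor's, which is why
    a restriction on /app does nothing for /app/config."""
    if path not in tree:
        raise KeyError(path)
    return acl_permits(tree[path], client_ip, perm)


# Constructed sample tree: /app is limited to 10.0.0.0/16, but its child
# /app/config was created with the default OPEN_ACL_UNSAFE (world:anyone).
SAMPLE_TREE = {
    "/": [(ALL, "world:anyone")],
    "/app": [(ALL, "ip:10.0.0.0/16")],
    "/app/config": [(ALL, "world:anyone")],
    "/app/secret": [(READ, "ip:10.0.0.0/16"), (ALL, "ip:10.0.5.1")],
}

if __name__ == "__main__":
    for ip in ("10.0.3.7", "10.0.5.1", "192.168.1.9"):
        for path in SAMPLE_TREE:
            ok = check_access(SAMPLE_TREE, path, ip, READ)
            print(f"{ip:>12} READ {path:<12} -> {'allow' if ok else 'deny'}")
```

Running it shows 192.168.1.9 denied on /app yet allowed on /app/config: the child's own ACL decides, so every znode created under a restricted parent has to carry the restriction itself, exactly the "znode by znode" situation Dan describes.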