Posted to user@zookeeper.apache.org by "Talluri, Chandra" <Ch...@FMR.com.INVALID> on 2016/02/05 20:07:24 UTC

Can we restrict any client connections to Zookeeper ensemble

Is it possible to restrict any client connections to the Zookeeper ensemble based on IP address, not just by setting ACLs on znodes?

(i.e.) I should be able to connect to the zookeeper ensemble, using either zkCli.sh or any other client, only from certain IP addresses.

-Thanks in advance

RE: Can we restrict any client connections to Zookeeper ensemble

Posted by "Talluri, Chandra" <Ch...@FMR.com.INVALID>.
This is to set the IP-based ACL for znodes, not for the entire server, and the information for it is at https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

What I need is a server-wide restriction on which clients can connect.

-----Original Message-----
From: Michi Mutsuzaki [mailto:mutsuzaki@gmail.com] 
Sent: Friday, February 05, 2016 2:27 PM
To: user@zookeeper.apache.org
Subject: Re: Can we restrict any client connections to Zookeeper ensemble

There is an IP-based authentication provider:
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

I couldn't find much documentation on it though...

On Fri, Feb 5, 2016 at 11:22 AM, Adam Milne-Smith <ad...@milne-smith.co.uk> wrote:
> I've been looking to do the same thing so have started running an HAProxy on each ZooKeeper host in transparent TCP mode in front of the ZooKeeper client port.
>
> The choice of transparent mode was so that I can still map session activity to source IP in ZooKeeper. HAProxy will spoof the client IP so ZooKeeper is none the wiser that HAProxy sits in between. It requires some iptables, ip rules and ip route config to direct outgoing packets from ZooKeeper back through HAProxy.
>
> This allows for blacklisting IPs and protecting against DoS attacks by rate-limiting new connections by IP and by blocking connections from bad actors that are too write-intensive.
>
> If this sounds useful to anyone I can outline the approach in a bit more detail.
>
> Thanks,
> Adam
>
>
> On 5 Feb 2016 19:07, "Talluri, Chandra" <Ch...@FMR.com.INVALID> wrote:
>>
>> Is it possible to restrict any client connections to the Zookeeper ensemble based on IP address, not just by setting ACLs on znodes?
>>
>> (i.e.) I should be able to connect to the zookeeper ensemble, using either
>> zkCli.sh or any other client, only from certain IP addresses.
>>
>> -Thanks in advance

Re: Can we restrict any client connections to Zookeeper ensemble

Posted by Michi Mutsuzaki <mu...@gmail.com>.
There is an IP-based authentication provider:
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

I couldn't find much documentation on it though...

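Chandra's point that the ip: scheme only sets a per-znode ACL, and Michi's pointer to IPAuthenticationProvider, come down to the same check. The following is an added example that models that check; it is not ZooKeeper's source. The permission bit values are those of ZooDefs.Perms and the addr/bits prefix rule is the one the linked programmer's guide describes for the ip scheme; the znodes, ACLs and client addresses are constructed sample data, and the check leaves out the digest, sasl and auth schemes and the super user. Because it is built on Python's ipaddress module it also accepts IPv6 expressions, which the thread does not discuss.

```python
"""Added example, not ZooKeeper source: a model of how the server's "ip" ACL
scheme authorizes one request on one znode, to show why a znode ACL is not a
connection-level allowlist.  Permission bits are ZooKeeper's ZooDefs.Perms
values; the znodes, ACLs and client addresses are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# ZooDefs.Perms: READ=1, WRITE=2, CREATE=4, DELETE=8, ADMIN=16
PERM_READ, PERM_WRITE, PERM_CREATE, PERM_DELETE, PERM_ADMIN = 1, 2, 4, 8, 16
PERM_ALL = PERM_READ | PERM_WRITE | PERM_CREATE | PERM_DELETE | PERM_ADMIN


@dataclass(frozen=True)
class Acl:
    scheme: str  # "world" or "ip" (digest, sasl and auth are left out here)
    id: str      # "anyone", or addr / addr/bits for the ip scheme
    perms: int


def ip_matches(client_ip: str, acl_expr: str) -> bool:
    """Prefix match of the ip scheme: an ACL id of the form addr or addr/bits
    matches when the most significant `bits` bits of both addresses agree;
    without /bits the whole address must match.  Malformed ids never match.
    Built on the ipaddress module, so IPv6 expressions work the same way."""
    addr, _, bits = acl_expr.partition("/")
    try:
        acl_addr = ipaddress.ip_address(addr)
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if client.version != acl_addr.version:
        return False
    prefix = acl_addr.max_prefixlen
    if bits:
        # a width that is not a number, or wider than the address, is treated
        # as a non-matching ACL rather than an error
        if not bits.isdigit() or int(bits) > prefix:
            return False
        prefix = int(bits)
    network = ipaddress.ip_network(f"{acl_addr}/{prefix}", strict=False)
    return client in network


def permitted(acls, peer_ip: str, perm: int) -> bool:
    """Per-request check: the operation is allowed if some ACL entry on the
    znode grants `perm` to an identity the session holds.  The session's ip
    identity is nothing more than the TCP peer address of its connection."""
    for acl in acls:
        if acl.perms & perm == 0:
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if acl.scheme == "ip" and ip_matches(peer_ip, acl.id):
            return True
    return False


# Constructed znodes: /config is restricted to one subnet, /status is
# world-readable and writable from that subnet.
ACLS = {
    "/config": [Acl("ip", "10.0.0.0/24", PERM_ALL)],
    "/status": [Acl("world", "anyone", PERM_READ),
                Acl("ip", "10.0.0.0/24", PERM_ALL)],
}


def scenario() -> dict:
    """Constructed peers: 10.0.0.7 is inside the allowed subnet, 192.168.5.9 is
    outside it, and 10.0.0.250 is a non-transparent proxy inside the subnet
    that forwards the outside client's connection."""
    return {
        # in-subnet client writes /config
        "inside_write_config": permitted(ACLS["/config"], "10.0.0.7", PERM_WRITE),
        # outside client is connected and holds a session; only this request
        # is refused (the server answers NoAuth)
        "outside_read_config": permitted(ACLS["/config"], "192.168.5.9", PERM_READ),
        # ... and it can still read any world-readable znode
        "outside_read_status": permitted(ACLS["/status"], "192.168.5.9", PERM_READ),
        # through a non-transparent proxy ZooKeeper sees the proxy's address,
        # so the outside client inherits the subnet's permissions
        "outside_via_proxy_write_config": permitted(ACLS["/config"], "10.0.0.250", PERM_WRITE),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running it prints the outcome of each constructed case. What the example makes explicit: an ip: ACL is consulted only when a request touches that znode, so a client from an unlisted address still completes the TCP and session handshake, keeps a session open, and reads any znode whose ACL is world:anyone; it merely gets NoAuth on the protected ones. And since the identity is the TCP peer address, a non-transparent proxy or NAT device in front of the ensemble makes every client look like the proxy, which is exactly the case Adam's transparent HAProxy mode is meant to avoid.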

RE: Can we restrict any client connections to Zookeeper ensemble

Posted by Adam Milne-Smith <ad...@milne-smith.co.uk>.
In case you want to use HAProxy to manage things, here are the iptables and other settings I used as a starting point for running in transparent mode:

http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

If running HAProxy on the same box as ZooKeeper, you'll have to change the iptables 'PREROUTING' statement to 'OUTPUT' and limit it to only the TCP port that ZooKeeper is binding to for the client port.

Hope this helps!

Thanks,
Adam

On 8 Feb 2016 13:42, "Talluri, Chandra" <Ch...@FMR.com.INVALID> wrote:
>
> Sorry, this may not be the right forum to discuss iptables. Can you please point me in some direction where I can get more information?
>
> -----Original Message-----
> From: Patrick Hunt [mailto:phunt@apache.org]
> Sent: Friday, February 05, 2016 6:12 PM
> To: UserZooKeeper
> Subject: Re: Can we restrict any client connections to Zookeeper ensemble
>
> The intent has always been for users to use iptables or similar to control such access, rather than try to duplicate it in ZK.
>
> Patrick
>
> On Fri, Feb 5, 2016 at 2:56 PM, Alex Yip <al...@gmail.com> wrote:
> > Could you use iptables directly to blacklist or whitelist some
> > client IPs?
> >
> > - Alex
> >
> >
> > On Fri, Feb 5, 2016 at 12:53 PM, Talluri, Chandra
> > <Ch...@fmr.com.invalid> wrote:
> >> Adam,
> >> Thanks, that would be very helpful. I was thinking there should be
> >> something in Zookeeper configuration itself.
> >>
> >> -Thanks
> >>
> >> -----Original Message-----
> >> From: Adam Milne-Smith [mailto:adam@milne-smith.co.uk]
> >> Sent: Friday, February 05, 2016 2:22 PM
> >> To: user@zookeeper.apache.org
> >> Subject: Re: Can we restrict any client connections to Zookeeper
> >> ensemble
> >>
> >> I've been looking to do the same thing so have started running an HAProxy on each ZooKeeper host in transparent TCP mode in front of the ZooKeeper client port.
> >>
> >> The choice of transparent mode was so that I can still map session activity to source IP in ZooKeeper. HAProxy will spoof the client IP so ZooKeeper is none the wiser that HAProxy sits in between. It requires some iptables, ip rules and ip route config to direct outgoing packets from ZooKeeper back through HAProxy.
> >>
> >> This allows for blacklisting IPs and protecting against DoS attacks by rate-limiting new connections by IP and by blocking connections from bad actors that are too write-intensive.
> >>
> >> If this sounds useful to anyone I can outline the approach in a bit more detail.
> >>
> >> Thanks,
> >> Adam
> >>
> >>
> >> On 5 Feb 2016 19:07, "Talluri, Chandra" <Ch...@FMR.com.INVALID> wrote:
> >>>
> >>> Is it possible to restrict any client connections to the Zookeeper ensemble based on IP address, not just by setting ACLs on znodes?
> >>>
> >>> (i.e.) I should be able to connect to the zookeeper ensemble, using either
> >>> zkCli.sh or any other client, only from certain IP addresses.
> >>>
> >>> -Thanks in advance

RE: Can we restrict any client connections to Zookeeper ensemble

Posted by "Talluri, Chandra" <Ch...@FMR.com.INVALID>.
Sorry, this may not be the right forum to discuss iptables. Can you please point me in some direction where I can get more information?


Re: Can we restrict any client connections to Zookeeper ensemble

Posted by Patrick Hunt <ph...@apache.org>.
The intent has always been for users to use iptables or similar to
control such access, rather than try to duplicate it in ZK.

Patrick

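Patrick's answer, that connection-level control belongs in iptables or an equivalent, and Alex's whitelist suggestion, written out as an added example in iptables-restore format. This is constructed for this page, not something posted in the thread. The client networks, the chain name ZK_CLIENTS and the log prefix are assumptions; 2181 is ZooKeeper's default clientPort and must match the value in zoo.cfg.

```iptables
# Added example (not from the thread): an iptables-restore ruleset that admits
# only listed networks to the ZooKeeper client port.  The client networks, the
# chain name ZK_CLIENTS and the log prefix are assumptions; 2181 is ZooKeeper's
# default clientPort and must match the value in zoo.cfg.
*filter
:ZK_CLIENTS - [0:0]

# Only NEW connections to the client port go through the allowlist chain, so
# sessions that are already established keep flowing when this is (re)loaded.
-A INPUT -p tcp --dport 2181 -m conntrack --ctstate NEW -j ZK_CLIENTS

# zkCli.sh and monitoring run on the server itself stay possible.
-A ZK_CLIENTS -s 127.0.0.1 -j ACCEPT

# Permitted clients (constructed addresses): an application subnet and one
# administrative host from which operators run zkCli.sh.
-A ZK_CLIENTS -s 10.0.0.0/24 -j ACCEPT
-A ZK_CLIENTS -s 10.0.1.15/32 -j ACCEPT

# Everyone else: a rate-limited log line for detection, then a TCP reset so
# the client fails immediately instead of hanging until its connect timeout.
-A ZK_CLIENTS -m limit --limit 5/min -j LOG --log-prefix "zk-client-denied: "
-A ZK_CLIENTS -p tcp -j REJECT --reject-with tcp-reset
COMMIT
```

Load it with iptables-restore, merged into the host's existing rules and placed before any INPUT rule that already accepts port 2181, otherwise the allowlist chain is never reached. Two things the rules deliberately leave out: the ensemble's own peer ports (2888 and 3888 in the conventional server.N lines of zoo.cfg), which should be restricted to the other ensemble members by a similar chain, and IPv6, which needs the same rules in ip6tables. This is the coarse, per-host layer Patrick describes; it does not replace znode ACLs, which still decide what an admitted client may do, and "or similar" in his reply covers cloud security groups that do the same job in front of the host.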

Re: Can we restrict any client connections to Zookeeper ensemble

Posted by Alex Yip <al...@gmail.com>.
Could you use iptables directly to blacklist or whitelist some
client IPs?

- Alex



RE: Can we restrict any client connections to Zookeeper ensemble

Posted by "Talluri, Chandra" <Ch...@FMR.com.INVALID>.
Adam,
Thanks, that would be very helpful. I was thinking there should be something in Zookeeper configuration itself.

-Thanks


Re: Can we restrict any client connections to Zookeeper ensemble

Posted by Adam Milne-Smith <ad...@milne-smith.co.uk>.
I've been looking to do the same thing so have started running an HAProxy on each ZooKeeper host in transparent TCP mode in front of the ZooKeeper client port.

The choice of transparent mode was so that I can still map session activity to source IP in ZooKeeper. HAProxy will spoof the client IP so ZooKeeper is none the wiser that HAProxy sits in between. It requires some iptables, ip rules and ip route config to direct outgoing packets from ZooKeeper back through HAProxy.

This allows for blacklisting IPs and protecting against DoS attacks by rate-limiting new connections by IP and by blocking connections from bad actors that are too write-intensive.

If this sounds useful to anyone I can outline the approach in a bit more detail.

Thanks,
Adam


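Adam's transparent-mode HAProxy setup, from this post and from his later note about running HAProxy on the same box, as an added haproxy.cfg fragment. It is constructed for this page and is not Adam's configuration. It assumes that ZooKeeper on the same host has been moved off the public client port (zoo.cfg with clientPortAddress=127.0.0.1 and clientPort=2182, both assumed values), that HAProxy runs with CAP_NET_ADMIN on a kernel with TPROXY support, that the policy-routing rules from the howto Adam links (with his PREROUTING-to-OUTPUT change) are in place so ZooKeeper's replies return through HAProxy, and that /etc/haproxy/zk-allow.lst holds the permitted client addresses, one IP or CIDR per line.

```haproxy
# Added example haproxy.cfg fragment (constructed, not Adam's configuration).
# Assumes: ZooKeeper listens only on 127.0.0.1:2182 (zoo.cfg clientPortAddress
# and clientPort, assumed values); HAProxy has CAP_NET_ADMIN and TPROXY support;
# the policy routing from the linked howto returns ZooKeeper's replies through
# HAProxy; /etc/haproxy/zk-allow.lst lists permitted client IPs/CIDRs.

global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    # keep these longer than the ZooKeeper client's ping interval, or
    # HAProxy will cut idle but healthy sessions
    timeout client  10m
    timeout server  10m

frontend zk_clients
    # the port clients already use; ZooKeeper itself no longer binds it
    bind 0.0.0.0:2181

    # allowlist: the TCP connection is rejected before any ZooKeeper
    # handshake, so a disallowed client never consumes a session
    acl zk_allowed src -f /etc/haproxy/zk-allow.lst
    tcp-request connection reject if !zk_allowed

    # per-source rate limit on new connections: more than 20 in 10s from one
    # address is rejected (rate and window are assumed values)
    stick-table type ip size 100k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 20 }

    default_backend zk_local

backend zk_local
    # transparent mode: connect to ZooKeeper with the client's own source
    # address, so ZooKeeper's logs and ip: ACLs still see the real client
    source 0.0.0.0 usesrc clientip
    server zk 127.0.0.1:2182 check
```

Rejecting in the tcp-request connection phase means a disallowed or rate-limited client never completes a TCP handshake with ZooKeeper, so it costs the server nothing. Because usesrc clientip preserves the real source address, ZooKeeper's session logging, its ip: ACLs and its per-address maxClientCnxns limit all keep operating on real client addresses; a plain, non-transparent proxy would collapse every client into HAProxy's own address, which is the reason Adam gives for choosing transparent mode. Note that the stick-table limit counts new connections per source; it cannot see how write-heavy a session is, so blocking a write-intensive client, as Adam describes, still means identifying it from ZooKeeper's side and adding its address to a deny rule.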