Posted to user@zookeeper.apache.org by baidu <ze...@163.com> on 2017/08/21 08:34:07 UTC

How to prevent others from accessing our zookeeper service?

Hi, 

I’ve read documents about ZooKeeper authentication and ACLs. To my knowledge, this mechanism can only control access to specified znodes. To prevent others from accessing our ZooKeeper service, we need to set ACLs for all the znodes.

Is there any other way to do this? 


Best wishes,
Dan

Re: How to prevent others from accessing our zookeeper service?

Posted by Michael Han <ha...@cloudera.com>.
You can build an external solution to do the access control with client
connections, for example put a proxy like HAProxy in front of the ZK ensemble
and apply iptables rules that only allow specific connections to pass
through. ZK does not have intrinsic support for such control and this is
by design because it was designed to operate in a trusted environment.
Though this may change if more and more users are interested in such a
feature. So far ZOOKEEPER-1634 etc. are not getting much traction.

On Mon, Aug 21, 2017 at 2:06 PM, Abraham Fine <af...@apache.org> wrote:

> My understanding is that there is no current way to keep anonymous users
> from connecting at all.
>
> There have been numerous proposals to use SASL to solve this problem and
> there is an open PR by Michael Han
> (https://github.com/apache/zookeeper/pull/118), but nothing of the sort
> has been committed yet.
>
> Thanks,
> Abe
>
> On Mon, Aug 21, 2017, at 01:34, baidu wrote:
> > Hi,
> >
> > I’ve read documents about ZooKeeper authentication and ACLs. To my
> > knowledge, this mechanism can only control access to specified
> > znodes. To prevent others from accessing our ZooKeeper service, we need
> > to set ACLs for all the znodes.
> >
> > Is there any other way to do this?
> >
> >
> > Best wishes,
> > Dan
>



-- 
Cheers
Michael.
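
The iptables half of the approach described in the reply above, as an added example that is not part of the original thread or of ZooKeeper itself. It assumes the client port is 2181 (ZooKeeper's default clientPort); the chain name ZK_CLIENTS is hypothetical and the source addresses are constructed from documentation ranges. The script only prints the rules so they can be reviewed before being run as root on each ZK host.

```shell
#!/bin/sh
# Print (do not apply) iptables rules that limit the ZooKeeper client port
# to an explicit allowlist of IPv4 sources. Everything else is dropped.

ZK_CLIENT_PORT=2181     # assumption: default clientPort; match your zoo.cfg
ZK_CHAIN=ZK_CLIENTS     # hypothetical chain name

# Succeeds only for a.b.c.d or a.b.c.d/n with octets <= 255 and n <= 32.
# Rejecting anything else keeps stray shell text out of the printed commands.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s' "${1%/*}" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# usage: zk_allowlist_rules PORT SOURCE [SOURCE...]
zk_allowlist_rules() {
    port=$1; shift
    # An empty allowlist would produce "drop everything"; refuse instead.
    [ "$#" -gt 0 ] || { echo "refusing to emit an empty allowlist" >&2; return 1; }
    # Validate every source before printing anything, so output is all-or-nothing.
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo "iptables -N $ZK_CHAIN"
    for src in "$@"; do
        echo "iptables -A $ZK_CHAIN -s $src -j ACCEPT"
    done
    echo "iptables -A $ZK_CHAIN -j DROP"
    # The jump from INPUT is printed last: the chain is complete before any
    # traffic is sent through it.
    echo "iptables -I INPUT -p tcp --dport $port -j $ZK_CHAIN"
}

# Constructed sample: one application host and one subnet (RFC 5737 ranges).
zk_allowlist_rules "$ZK_CLIENT_PORT" 192.0.2.10 198.51.100.0/24
```

When a proxy such as HAProxy sits in front of the ensemble, the allowlist on the ZK hosts shrinks to the proxy's own address, and the per-client filtering moves to the proxy host.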

Re: How to prevent others from accessing our zookeeper service?

Posted by Abraham Fine <af...@apache.org>.
My understanding is that there is no current way to keep anonymous users
from connecting at all. 

There have been numerous proposals to use SASL to solve this problem and
there is an open PR by Michael Han
(https://github.com/apache/zookeeper/pull/118), but nothing of the sort
has been committed yet. 

Thanks,
Abe

On Mon, Aug 21, 2017, at 01:34, baidu wrote:
> Hi, 
> 
> I’ve read documents about ZooKeeper authentication and ACLs. To my
> knowledge, this mechanism can only control access to specified
> znodes. To prevent others from accessing our ZooKeeper service, we need
> to set ACLs for all the znodes.
> 
> Is there any other way to do this? 
> 
> 
> Best wishes,
> Dan