Repository: zookeeper Updated Branches: refs/heads/master 73d6bf535 -> cd0e32383
ZOOKEEPER-2635: Regenerate documentation (fpj) Project: http://git-wip-us.apache.org/repos/asf/zookeeper/repo Commit: http://git-wip-us.apache.org/repos/asf/zookeeper/commit/cd0e3238 Tree: http://git-wip-us.apache.org/repos/asf/zookeeper/tree/cd0e3238 Diff: http://git-wip-us.apache.org/repos/asf/zookeeper/diff/cd0e3238 Branch: refs/heads/master Commit: cd0e323831c8b4cde64976325bfc79bb53cdd9b7 Parents: 73d6bf5 Author: fpj <[email protected]> Authored: Sun Dec 11 20:08:45 2016 +0000 Committer: fpj <[email protected]> Committed: Sun Dec 11 20:08:45 2016 +0000 ---------------------------------------------------------------------- docs/index.html | 2 +- docs/index.pdf | Bin 12664 -> 12643 bytes docs/javaExample.html | 2 +- docs/javaExample.pdf | Bin 33897 -> 33876 bytes docs/linkmap.html | 2 +- docs/linkmap.pdf | Bin 10829 -> 10808 bytes docs/recipes.html | 2 +- docs/recipes.pdf | Bin 33903 -> 33882 bytes docs/zookeeperAdmin.html | 39 ++++- docs/zookeeperAdmin.pdf | Bin 92297 -> 93578 bytes docs/zookeeperHierarchicalQuorums.html | 2 +- docs/zookeeperHierarchicalQuorums.pdf | Bin 6656 -> 6635 bytes docs/zookeeperInternals.html | 2 +- docs/zookeeperInternals.pdf | Bin 48869 -> 48848 bytes docs/zookeeperJMX.html | 2 +- docs/zookeeperJMX.pdf | Bin 16494 -> 16473 bytes docs/zookeeperObservers.html | 2 +- docs/zookeeperObservers.pdf | Bin 12881 -> 12860 bytes docs/zookeeperOver.html | 2 +- docs/zookeeperOver.pdf | Bin 302527 -> 302506 bytes docs/zookeeperProgrammers.html | 78 +++++++++- docs/zookeeperProgrammers.pdf | Bin 142335 -> 143721 bytes docs/zookeeperQuotas.html | 2 +- docs/zookeeperQuotas.pdf | Bin 11191 -> 11170 bytes docs/zookeeperReconfig.html | 146 ++++++++++++++++++- docs/zookeeperReconfig.pdf | Bin 53699 -> 62104 bytes docs/zookeeperStarted.html | 2 +- docs/zookeeperStarted.pdf | Bin 28120 -> 28099 bytes docs/zookeeperTutorial.html | 2 +- docs/zookeeperTutorial.pdf | Bin 30554 -> 30533 bytes .../src/documentation/content/xdocs/tabs.xml | 2 +- 31 files changed, 
273 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/index.html
----------------------------------------------------------------------
diff --git a/docs/index.html b/docs/index.html
index 837fb55..a203986 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/index.pdf
----------------------------------------------------------------------
diff --git a/docs/index.pdf b/docs/index.pdf
index cc8bb1f..4349c24 100644
Binary files a/docs/index.pdf and b/docs/index.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/javaExample.html
----------------------------------------------------------------------
diff --git a/docs/javaExample.html b/docs/javaExample.html
index 2aa75cc..e9284c2 100644
--- a/docs/javaExample.html
+++ b/docs/javaExample.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/javaExample.pdf
----------------------------------------------------------------------
diff --git a/docs/javaExample.pdf b/docs/javaExample.pdf
index ad63226..bbc64ec 100644
Binary files a/docs/javaExample.pdf and b/docs/javaExample.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/linkmap.html
----------------------------------------------------------------------
diff --git a/docs/linkmap.html b/docs/linkmap.html
index 4db845a..d62b4be 100644
--- a/docs/linkmap.html
+++ b/docs/linkmap.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/linkmap.pdf
----------------------------------------------------------------------
diff --git a/docs/linkmap.pdf b/docs/linkmap.pdf
index 03da0bb..38a70e4 100644
Binary files a/docs/linkmap.pdf and b/docs/linkmap.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/recipes.html
----------------------------------------------------------------------
diff --git a/docs/recipes.html b/docs/recipes.html
index 98234a4..f270806 100644
--- a/docs/recipes.html
+++ b/docs/recipes.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/recipes.pdf
----------------------------------------------------------------------
diff --git a/docs/recipes.pdf b/docs/recipes.pdf index 3f05a67..1d19f58 100644 Binary files a/docs/recipes.pdf and b/docs/recipes.pdf differ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperAdmin.html ---------------------------------------------------------------------- diff --git a/docs/zookeeperAdmin.html b/docs/zookeeperAdmin.html index 896090f..96b6d3e 100644 --- a/docs/zookeeperAdmin.html +++ b/docs/zookeeperAdmin.html @@ -67,7 +67,7 @@ <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a> </li> <li class="current"> -<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a> +<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a> </li> </ul> <!--+ @@ -1317,6 +1317,7 @@ server.3=zoo3:2888:3888</pre> of the observers on restart. Set to "false" to disable this feature. Default is "true"</p> </dd> + </dl> <a name="sc_clusterOptions"></a> 
@@ -1488,6 +1489,42 @@ server.3=zoo3:2888:3888</pre> to a server's config file. </p> </dd> + + +<dt> +<term>reconfigEnabled</term> +</dt> +<dd> +<p>(No Java system property)</p> +<p> +<strong>New in 3.5.3:</strong> + This controls the enabling or disabling of + <a href="zookeeperReconfig.html"> + Dynamic Reconfiguration</a> feature. When the feature + is enabled, users can perform reconfigure operations through + the ZooKeeper client API or through ZooKeeper command line tools + assuming users are authorized to perform such operations. + When the feature is disabled, no user, including the super user, + can perform a reconfiguration. Any attempt to reconfigure will return an error. + <strong>"reconfigEnabled"</strong> option can be set as + <strong>"reconfigEnabled=false"</strong> or + <strong>"reconfigEnabled=true"</strong> + to a server's config file, or using QuorumPeerConfig's + setReconfigEnabled method. The default value is false. + + If present, the value should be consistent across every server in + the entire ensemble. Setting the value as true on some servers and false + on other servers will cause inconsistent behavior depending on which server + is elected as leader. If the leader has a setting of + <strong>"reconfigEnabled=true"</strong>, then the ensemble + will have reconfig feature enabled. If the leader has a setting of + <strong>"reconfigEnabled=false"</strong>, then the ensemble + will have reconfig feature disabled. It is thus recommended to have a consistent + value for <strong>"reconfigEnabled"</strong> across servers + in the ensemble. + </p> +</dd> + </dl> <p></p> http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperAdmin.pdf ---------------------------------------------------------------------- 
diff --git a/docs/zookeeperAdmin.pdf b/docs/zookeeperAdmin.pdf
index c0533e1..3f8f2d9 100644
Binary files a/docs/zookeeperAdmin.pdf and b/docs/zookeeperAdmin.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperHierarchicalQuorums.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperHierarchicalQuorums.html b/docs/zookeeperHierarchicalQuorums.html
index 451ceae..72f6c06 100644
--- a/docs/zookeeperHierarchicalQuorums.html
+++ b/docs/zookeeperHierarchicalQuorums.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperHierarchicalQuorums.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperHierarchicalQuorums.pdf b/docs/zookeeperHierarchicalQuorums.pdf
index e38de6a..d27aa22 100644
Binary files a/docs/zookeeperHierarchicalQuorums.pdf and b/docs/zookeeperHierarchicalQuorums.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperInternals.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperInternals.html b/docs/zookeeperInternals.html
index a518a7e..de5c821 100644
--- a/docs/zookeeperInternals.html
+++ b/docs/zookeeperInternals.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperInternals.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperInternals.pdf b/docs/zookeeperInternals.pdf
index a8223a3..445d8ef 100644
Binary files a/docs/zookeeperInternals.pdf and b/docs/zookeeperInternals.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperJMX.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperJMX.html b/docs/zookeeperJMX.html
index ac71893..4a627f1 100644
--- a/docs/zookeeperJMX.html
+++ b/docs/zookeeperJMX.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperJMX.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperJMX.pdf b/docs/zookeeperJMX.pdf
index 0e1866c..5cfe345 100644
Binary files a/docs/zookeeperJMX.pdf and b/docs/zookeeperJMX.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperObservers.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperObservers.html b/docs/zookeeperObservers.html
index e2c9354..4f83ebb 100644
--- a/docs/zookeeperObservers.html
+++ b/docs/zookeeperObservers.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperObservers.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperObservers.pdf b/docs/zookeeperObservers.pdf
index 2f9fca1..f1f83dc 100644
Binary files a/docs/zookeeperObservers.pdf and b/docs/zookeeperObservers.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperOver.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperOver.html b/docs/zookeeperOver.html
index 05dc0b2..7a68713 100644
--- a/docs/zookeeperOver.html
+++ b/docs/zookeeperOver.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperOver.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperOver.pdf b/docs/zookeeperOver.pdf
index 4046ede..7075e79 100644
Binary files a/docs/zookeeperOver.pdf and b/docs/zookeeperOver.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperProgrammers.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperProgrammers.html b/docs/zookeeperProgrammers.html
index 35f9bf8..a0ddd1c 100644
--- a/docs/zookeeperProgrammers.html
+++ b/docs/zookeeperProgrammers.html
@@ -67,7 +67,7 @@ <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a> </li> <li class="current"> -<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a> +<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a> </li> </ul> <!--+ @@ -1742,6 +1742,82 @@ authProvider.2=com.f.MyAuth2 only one will be used. Also all servers must have the same plugins defined, otherwise clients using the authentication schemes provided by the plugins will have problems connecting to some servers. </p> +<p> +<strong>Added in 3.6.0</strong>: An alternate abstraction is available for pluggable + authentication. It provides additional arguments. + </p> +<pre class="code"> +public abstract class ServerAuthenticationProvider implements AuthenticationProvider { + public abstract KeeperException.Code handleAuthentication(ServerObjs serverObjs, byte authData[]); + public abstract boolean matches(ServerObjs serverObjs, MatchValues matchValues); +} + </pre> +<p> + Instead of implementing AuthenticationProvider you extend ServerAuthenticationProvider. Your handleAuthentication() + and matches() methods will then receive the additional parameters (via ServerObjs and MatchValues). + </p> +<ul> + +<li> + +<p> +<strong>ZooKeeperServer</strong> +</p> + + +<p>The ZooKeeperServer instance</p> + +</li> + + +<li> + +<p> +<strong>ServerCnxn</strong> +</p> + + +<p>The current connection</p> + +</li> + + +<li> + +<p> +<strong>path</strong> +</p> + + +<p>The ZNode path being operated on (or null if not used)</p> + +</li> + + +<li> + +<p> +<strong>perm</strong> +</p> + + +<p>The operation value or 0</p> + +</li> + + +<li> + +<p> +<strong>setAcls</strong> +</p> + + +<p>When the setAcl() method is being operated on, the list of ACLs that are being set</p> + +</li> + +</ul> </div> http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperProgrammers.pdf ---------------------------------------------------------------------- 
diff --git a/docs/zookeeperProgrammers.pdf b/docs/zookeeperProgrammers.pdf
index 2f9945c..0899f86 100644
Binary files a/docs/zookeeperProgrammers.pdf and b/docs/zookeeperProgrammers.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperQuotas.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperQuotas.html b/docs/zookeeperQuotas.html
index c4a9380..ca5c02d 100644
--- a/docs/zookeeperQuotas.html
+++ b/docs/zookeeperQuotas.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperQuotas.pdf
----------------------------------------------------------------------
diff --git a/docs/zookeeperQuotas.pdf b/docs/zookeeperQuotas.pdf
index 047b1c5..a1d48f6 100644
Binary files a/docs/zookeeperQuotas.pdf and b/docs/zookeeperQuotas.pdf differ
http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperReconfig.html
----------------------------------------------------------------------
diff --git a/docs/zookeeperReconfig.html b/docs/zookeeperReconfig.html
index fabcf3a..32fd0cb 100644
--- a/docs/zookeeperReconfig.html
+++ b/docs/zookeeperReconfig.html
@@ -67,7 +67,7 @@
 <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a>
 </li>
 <li class="current">
-<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a>
+<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a>
 </li>
 </ul>
 <!--+
@@ -207,6 +207,9 @@ document.write("Last Published: " + document.lastModified); <a href="#sc_reconfig_standaloneEnabled">The standaloneEnabled flag</a> </li> <li> +<a href="#sc_reconfig_reconfigEnabled">The reconfigEnabled flag</a> +</li> +<li> <a href="#sc_reconfig_file">Dynamic configuration file</a> </li> <li> @@ -221,6 +224,12 @@ document.write("Last Published: " + document.lastModified); <a href="#ch_reconfig_dyn">Dynamic Reconfiguration of the ZooKeeper Ensemble</a> <ul class="minitoc"> <li> +<a href="#ch_reconfig_api">API</a> +</li> +<li> +<a href="#sc_reconfig_access_control">Security</a> +</li> +<li> <a href="#sc_reconfig_retrieving">Retrieving the current dynamic configuration</a> </li> <li> @@ -299,6 +308,12 @@ document.write("Last Published: " + document.lastModified); </dd> </dl> +<p> +<strong>Note:</strong> Starting with 3.5.3, the dynamic reconfiguration + feature is disabled by default, and has to be explicitly turned on via + <a href="zookeeperAdmin.html#sc_advancedConfiguration"> + reconfigEnabled </a> configuration option. + </p> </div> <a name="ch_reconfig_format"></a> 
@@ -388,6 +403,26 @@ document.write("Last Published: " + document.lastModified); <p>Since running the Distributed mode allows more flexibility, we recommend setting the flag to <em>false</em>. We expect that the legacy Standalone mode will be deprecated in the future.</p> +<a name="sc_reconfig_reconfigEnabled"></a> +<h3 class="h4">The reconfigEnabled flag</h3> +<p>Starting with 3.5.0 and prior to 3.5.3, there is no way to disable + dynamic reconfiguration feature. We would like to offer the option of + disabling reconfiguration feature because with reconfiguration enabled, + we have a security concern that a malicious actor can make arbitrary changes + to the configuration of a ZooKeeper ensemble, including adding a compromised + server to the ensemble. We prefer to leave to the discretion of the user to + decide whether to enable it or not and make sure that the appropriate security + measure are in place. So in 3.5.3 the <a href="zookeeperAdmin.html#sc_advancedConfiguration"> + reconfigEnabled </a> configuration option is introduced + such that the reconfiguration feature can be completely disabled and any attempts + to reconfigure a cluster through reconfig API with or without authentication + will fail by default, unless <strong>reconfigEnabled</strong> is set to + <strong>true</strong>. + </p> +<p>To set the option to true, the configuration file (zoo.cfg) should contain:</p> +<p> +<span class="codefrag computeroutput">reconfigEnabled=true</span> +</p> <a name="sc_reconfig_file"></a> <h3 class="h4">Dynamic configuration file</h3> <p>Starting with 3.5.0 we're distinguishing between dynamic @@ -526,6 +561,7 @@ server.3=125.23.63.25:2782:2785:participant</pre> clientPort/clientPortAddress statements (although if you specify client ports in the new format, these statements are now redundant).</p> </div> + <a name="ch_reconfig_dyn"></a> <h2 class="h3">Dynamic Reconfiguration of the ZooKeeper Ensemble</h2> 
@@ -536,6 +572,114 @@ server.3=125.23.63.25:2782:2785:participant</pre> here using the Java CLI, but note that you can similarly use the C CLI or invoke the commands directly from a program just like any other ZooKeeper command.</p> +<a name="ch_reconfig_api"></a> +<h3 class="h4">API</h3> +<p>There are two sets of APIs for both Java and C client. + </p> +<dl> + +<dt> +<term> +<strong>Reconfiguration API</strong> +</term> +</dt> +<dd> +<p>Reconfiguration API is used to reconfigure the ZooKeeper cluster. + Starting with 3.5.3, reconfiguration Java APIs are moved into ZooKeeperAdmin class + from ZooKeeper class, and use of this API requires ACL setup and user + authentication (see <a href="#sc_reconfig_access_control">Security</a> for more information.). + </p> +</dd> + + +<dt> +<term> +<strong>Get Configuration API</strong> +</term> +</dt> +<dd> +<p>Get configuration APIs are used to retrieve ZooKeeper cluster configuration information + stored in /zookeeper/config znode. Use of this API does not require specific setup or authentication, + because /zookeeper/config is readable to any users.</p> +</dd> + +</dl> +<a name="sc_reconfig_access_control"></a> +<h3 class="h4">Security</h3> +<p>Prior to <strong>3.5.3</strong>, there is no enforced security mechanism + over reconfig so any ZooKeeper clients that can connect to ZooKeeper server ensemble + will have the ability to change the state of a ZooKeeper cluster via reconfig. + It is thus possible for a malicious client to add compromised server to an ensemble, + e.g., add a compromised server, or remove legitimate servers. + Cases like these could be security vulnerabilities on a case by case basis. + </p> +<p>To address this security concern, we introduced access control over reconfig + starting from <strong>3.5.3</strong> such that only a specific set of users + can use reconfig commands or APIs, and these users need be configured explicitly. 
In addition, + the setup of ZooKeeper cluster must enable authentication so ZooKeeper clients can be authenticated. + </p> +<p> + We also provides an escape hatch for users who operate and interact with a ZooKeeper ensemble in a secured + environment (i.e. behind company firewall). For those users who want to use reconfiguration feature but + don't want the overhead of configuring an explicit list of authorized user for reconfig access checks, + they can set <a href="zookeeperAdmin.html#sc_authOptions">"skipACL"</a> to "yes" which will + skip ACL check and allow any user to reconfigure cluster. + </p> +<p> + Overall, ZooKeeper provides flexible configuration options for the reconfigure feature + that allow a user to choose based on user's security requirement. + We leave to the discretion of the user to decide appropriate security measure are in place. + </p> +<dl> + +<dt> +<term> +<strong>Access Control</strong> +</term> +</dt> +<dd> +<p>The dynamic configuration is stored in a special znode + ZooDefs.CONFIG_NODE = /zookeeper/config. This node by default is read only + for all users, except super user and users that's explicitly configured for write + access. + </p> +<p>Clients that need to use reconfig commands or reconfig API should be configured as users + that have write access to CONFIG_NODE. By default, only the super user has full control including + write access to CONFIG_NODE. Additional users can be granted write access through superuser + by setting an ACL that has write permission associated with specified user. + </p> +<p>A few examples of how to setup ACLs and use reconfiguration API with authentication can be found in + ReconfigExceptionTest.java and TestReconfigServer.cc.</p> +</dd> + + +<dt> +<term> +<strong>Authentication</strong> +</term> +</dt> +<dd> +<p>Authentication of users is orthogonal to the access control and is delegated to + existing authentication mechanism supported by ZooKeeper's pluggable authentication schemes. 
+ See <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL">ZooKeeper and SASL</a> for more details on this topic. + </p> +</dd> + + +<dt> +<term> +<strong>Disable ACL check</strong> +</term> +</dt> +<dd> +<p> + ZooKeeper supports <a href="zookeeperAdmin.html#sc_authOptions">"skipACL"</a> option such that ACL + check will be completely skipped, if skipACL is set to "yes". In such cases any unauthenticated + users can use reconfig API. + </p> +</dd> + +</dl> <a name="sc_reconfig_retrieving"></a> <h3 class="h4">Retrieving the current dynamic configuration</h3> <p>The dynamic configuration is stored in a special znode http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperReconfig.pdf ---------------------------------------------------------------------- diff --git a/docs/zookeeperReconfig.pdf b/docs/zookeeperReconfig.pdf index 66704b9..50a50e2 100644 Binary files a/docs/zookeeperReconfig.pdf and b/docs/zookeeperReconfig.pdf differ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperStarted.html ---------------------------------------------------------------------- diff --git a/docs/zookeeperStarted.html b/docs/zookeeperStarted.html index a2af2cf..63c2b1a 100644 --- a/docs/zookeeperStarted.html +++ b/docs/zookeeperStarted.html @@ -67,7 +67,7 @@ <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a> </li> <li class="current"> -<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a> +<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a> </li> </ul> <!--+ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperStarted.pdf ---------------------------------------------------------------------- 
diff --git a/docs/zookeeperStarted.pdf b/docs/zookeeperStarted.pdf index 879df11..0e2f63f 100644 Binary files a/docs/zookeeperStarted.pdf and b/docs/zookeeperStarted.pdf differ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperTutorial.html ---------------------------------------------------------------------- diff --git a/docs/zookeeperTutorial.html b/docs/zookeeperTutorial.html index f689741..5c19de3 100644 --- a/docs/zookeeperTutorial.html +++ b/docs/zookeeperTutorial.html @@ -67,7 +67,7 @@ <a class="unselected" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/">Wiki</a> </li> <li class="current"> -<a class="selected" href="index.html">ZooKeeper 3.4 Documentation</a> +<a class="selected" href="index.html">ZooKeeper 3.6 Documentation</a> </li> </ul> <!--+ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/docs/zookeeperTutorial.pdf ---------------------------------------------------------------------- diff --git a/docs/zookeeperTutorial.pdf b/docs/zookeeperTutorial.pdf index c8009f7..3cdd8b1 100644 Binary files a/docs/zookeeperTutorial.pdf and b/docs/zookeeperTutorial.pdf differ http://git-wip-us.apache.org/repos/asf/zookeeper/blob/cd0e3238/src/docs/src/documentation/content/xdocs/tabs.xml ---------------------------------------------------------------------- diff --git a/src/docs/src/documentation/content/xdocs/tabs.xml b/src/docs/src/documentation/content/xdocs/tabs.xml index aef7e59..af6c447 100644 --- a/src/docs/src/documentation/content/xdocs/tabs.xml +++ b/src/docs/src/documentation/content/xdocs/tabs.xml @@ -31,6 +31,6 @@ <tab label="Project" href="http://zookeeper.apache.org/" /> <tab label="Wiki" href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/" /> - <tab label="ZooKeeper 3.4 Documentation" dir="" /> + <tab label="ZooKeeper 3.6 Documentation" dir="" /> </tabs>
