[ https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14105040#comment-14105040 ]

Hongchao Deng commented on ZOOKEEPER-2014:
------------------------------------------

{quote}
ensure that only the Admin can reconfigure a cluster.
{quote}

This change will reduce much flexibility in reconfig. A counter scenario would be I have a process that detects "permanent" failed ZK servers and removes them to make a smaller quorum (better fault tolerance). Does the process have to be Admin? Or would a default ACL be a better option here?

> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-2014
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.0
>            Reporter: Raul Gutierrez Segales
>            Assignee: Raul Gutierrez Segales
>            Priority: Blocker
>         Attachments: ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We
> should, at the very least, ensure that only the Admin can reconfigure a
> cluster. Perhaps restricting access to /zookeeper/config as well, though this
> is debatable. Surely one could ensure Admin only access via an ACL, but that
> would leave everyone who doesn't use ACLs unprotected. We could also force a
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure
> if everyone does, or how would it work with other authentication providers).

--
This message was sent by Atlassian JIRA
(v6.2#6252)