Github user nkalmar commented on the pull request:
https://github.com/apache/zookeeper/commit/a2623a625a4778720f7d5482d0a66e9b37ae556f#commitcomment-29934308
Both JMX and Jetty can be secured. The problem here is, as of my
understanding, is that 4ltw command uses the client port. You can secure JMX
port, introduce authentication, SSL etc. But you cannot secure the client port
like that. So leaving the port open, and the ability to call functions without
any authentication or authorization via telnet is not the best practice.
By the way, JMX port should only be open on the local machine, as it is the
default setting on ZooKeeper. But if you wan't to open it, it should be secured
with firewall/gateway settings, IP restrictions, SASL or whatever.
Jetty can be also configured for SSL.
---
