Hi Jaewoong,
I'm not sure if you have had a chance to look at the documentation:
http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl
My understanding is that a client authenticates when it connects.
-Flavio
On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:
> Hi,
>
> I got a question regarding ZooKeeper's authentication mechanism. Let me
> describe a scenario first.
>
> 1. ZooKeeper server started up with a customized AuthenticationProvider (e.g.
> XyzAuthenticationProvider, whose authentication scheme is "xyz") enabled with the
> -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
> 2. But all znodes (including "/" and "/zookeeper") haven't been assigned any
> ACL of either this "xyz" scheme or the "auth" scheme, such that they are open to
> the world by default.
> 3. At this stage, any ZooKeeper client without any authInfo (one that hasn't
> invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do
> anything!! E.g., it can create znodes under "/", etc.
>
> This is what I verified with my test using zookeeper_server-3.4.3 and
> zookeeper-3.4.3 client library.
>
> Here come some questions.
>
> 1. Is the above scenario true?
> 2. Isn't there any access control at the "Connect" permission level, regardless
> of znode-level ACLs? For example, can we deny a client connection before its
> access to any znode when it comes without a valid authInfo?
>
> Regards,
> Jaewoong
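
Added example, not part of the original thread and not ZooKeeper project code: a simplified Python model of the per-znode ACL check (the "super" scheme is omitted), showing why a session with no auth info can still create under znodes that carry the world:anyone ACL and which znodes an audit would flag. The "xyz" provider's equality match, the "svc-a" identity and the sample tree are assumptions constructed for illustration.

```python
# Simplified model of ZooKeeper's server-side znode ACL check (illustrative;
# not ZooKeeper source code). Permission bits match ZooDefs.Perms.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# ACL entry: (perms, scheme, id). This mirrors ZooDefs.Ids.OPEN_ACL_UNSAFE,
# the ACL the znodes in the scenario carry.
OPEN_ACL_UNSAFE = [(ALL, "world", "anyone")]


def check_acl(acl, perm, auth_ids, matches):
    """Return True if a session holding auth_ids may perform perm.

    auth_ids: (scheme, id) pairs the session has added; empty for a client
    that never sent auth info. matches: {scheme: fn(session_id, acl_id)},
    standing in for the registered AuthenticationProviders.
    """
    for perms, scheme, acl_id in acl:
        if not perms & perm:
            continue
        if (scheme, acl_id) == ("world", "anyone"):
            return True  # granted regardless of authentication
        match = matches.get(scheme)
        if match and any(s == scheme and match(i, acl_id) for s, i in auth_ids):
            return True
    return False


def world_writable(tree):
    """Audit helper: paths where an unauthenticated session can CREATE."""
    return sorted(p for p, acl in tree.items() if check_acl(acl, CREATE, [], {}))


# Constructed sample: hypothetical "xyz" provider matching ids by equality.
PROVIDERS = {"xyz": lambda session_id, acl_id: session_id == acl_id}
TREE = {
    "/": OPEN_ACL_UNSAFE,
    "/zookeeper": OPEN_ACL_UNSAFE,
    "/app": [(ALL, "xyz", "svc-a")],  # restricted to one xyz identity
}

if __name__ == "__main__":
    print("open to anonymous create:", world_writable(TREE))
    print("anonymous on /app:", check_acl(TREE["/app"], CREATE, [], PROVIDERS))
    print("svc-a on /app:",
          check_acl(TREE["/app"], CREATE, [("xyz", "svc-a")], PROVIDERS))
```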