I believe I've read it several times. I guess you refer to the following statement: "... When a client connects to ZooKeeper and authenticates itself, ZooKeeper associates all the ids that correspond to a client with the clients connection. "
From my understanding based on my real tests, a client authenticates by calling ZooKeeper#setAuthInfo. In other words, authentication never happens if a client bypasses authentication #setAuthInfo. Could you please confirm and clarify?

Haven't you been able to reproduce the scenario I described below?

Thanks,
Jaewoong

On Nov 22, 2012, at 1:23 PM, Flavio Junqueira wrote:

> Hi Jaewoong,
>
> I'm not sure if you have had a chance to look at the documentation:
>
> http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl
>
> My understanding is that a client authenticates when it connects.
>
> -Flavio
>
> On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:
>
>> Hi,
>>
>> I got a question regarding ZooKeeper's authentication mechanism. Let me
>> describe a scenario first.
>>
>> 1. ZooKeeper server started up with a customized AuthenticationProvider
>> (e.g. XyzAuthenticationProvider whose authentication scheme is "xyz")
>> enabled with the
>> -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
>> 2. But all znodes (including "/" and "/zookeeper") haven't been assigned any
>> ACL of either this "xyz" scheme or the "auth" scheme s.t. they are open to the
>> world by default.
>> 3. At this stage, any ZooKeeper client without any authInfo (who hasn't
>> invoked org.apache.zookeeper.ZooKeeper#setAuthInfo) is permitted to do
>> anything!! e.g. it can create znodes under "/" etc.
>>
>> This is what I verified with my test using zookeeper_server-3.4.3 and the
>> zookeeper-3.4.3 client library.
>>
>> Here come some questions.
>>
>> 1. Is the above scenario true?
>> 2. Isn't there any access control on the "Connect" permission level regardless
>> of znode-level ACLs? For example, can we deny a client connection before its
>> access to any znode when it comes without a valid authInfo?
>>
>> Regards,
>> Jaewoong
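The scenario discussed in this thread, as an added example that is not part of the original e-mails and is not ZooKeeper's own code: a simplified Python model of a per-znode ACL check, showing why a connection that never supplied auth info passes a world:anyone ACL and is denied once the znode's ACL names an "xyz" identity. The matcher, the identity "service-a" and the IP address are constructed assumptions.

```python
# Simplified model of a per-znode ACL check; not ZooKeeper's source code.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16   # ZooDefs.Perms bit values
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# The world:anyone ACL (ZooDefs.Ids.OPEN_ACL_UNSAFE): "open to the world".
OPEN_ACL_UNSAFE = [(ALL, "world", "anyone")]


def is_permitted(acl, perm, conn_ids, matchers):
    """Return True if a connection holding conn_ids may perform perm.

    acl       -- list of (perms, scheme, id) entries stored on the znode
    conn_ids  -- list of (scheme, id) pairs attached to the connection
    matchers  -- scheme -> function(conn_id, acl_id) for enabled providers
    """
    if not acl:
        return True                       # no ACL entries: nothing to enforce
    for perms, scheme, acl_id in acl:
        if not perms & perm:
            continue                      # entry does not grant this permission
        if (scheme, acl_id) == ("world", "anyone"):
            return True                   # granted to every connection
        match = matchers.get(scheme)
        if match is None:
            continue                      # provider for this scheme not enabled
        if any(s == scheme and match(i, acl_id) for s, i in conn_ids):
            return True
    return False


# Hypothetical matcher for the thread's "xyz" scheme: exact id comparison.
MATCHERS = {"xyz": lambda conn_id, acl_id: conn_id == acl_id}

# Constructed connections: one supplied no auth info, one supplied an xyz id.
ANONYMOUS = [("ip", "192.0.2.10")]
AUTHENTICATED = ANONYMOUS + [("xyz", "service-a")]

# Constructed ACL restricting a znode to the xyz identity "service-a".
RESTRICTED_ACL = [(ALL, "xyz", "service-a")]

if __name__ == "__main__":
    for name, ids in (("anonymous", ANONYMOUS), ("authenticated", AUTHENTICATED)):
        print(name, "open:", is_permitted(OPEN_ACL_UNSAFE, CREATE, ids, MATCHERS),
              "restricted:", is_permitted(RESTRICTED_ACL, CREATE, ids, MATCHERS))
```

In this model, enabling a provider changes nothing for a znode whose ACL is still world:anyone; access narrows only when the znode's own ACL is replaced.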
