Hi Olivier,

There is an "ip" authentication scheme.
https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes

On Wed, May 28, 2014 at 12:21 AM, Olivier Mallassi <[email protected]> wrote:
> hi all
>
> I am facing a "security issue" with Zookeeper (not from the impl but from
> the "design" standpoint)
>
> we will use ZK as a service discovery registry (pure common usage...) but
> we would like that some znodes cannot be updated without authentication.
>
> we tested ACL and it works fine but the "limitations" that I see are (1)
> pwd transported in clear and (2) you need to manage technical users (so pwd
> storage, encryptions, etc etc..)
>
> So we prefer not using ACL and keep anonymous access on all nodes.
>
> But, we are facing "issues" with zkCli because any machine having zkcli can
> connect to the Zookeeper ensemble and modify structure / values.
>
> To be honest, I would prefer a solution based on the fact we have a white
> list of IPs allowed to access ZK, we control the ssh keys to connect to the
> machines etc... Can we do that?
>
> more generally, do you have experience to share with me? how would you
> handle that? any suggestions would be welcome.
>
> Regards.
> PS : we are using curator so maybe the ACLProvider could help (to access an
> LDAP or...)
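One way to combine the "ip" scheme with the Curator ACLProvider the original post mentions, as an added example that is not from this thread or the Curator project: the protected path prefix, the address ranges and the connect string are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

// Curator ACLProvider guarding one subtree with ZooKeeper's built-in "ip" scheme:
// anyone may read; only clients whose source address (as the server sees it)
// is inside an allowed range may write. No password crosses the wire.
public class IpAllowListAclProvider implements ACLProvider {
    // Hypothetical values: the protected subtree and the hosts allowed
    // to write to it (the "ip" scheme accepts addr/bits CIDR notation).
    private static final String PROTECTED_PREFIX = "/services";
    private static final List<String> WRITER_CIDRS =
            Arrays.asList("10.0.1.0/24", "10.0.2.17/32");
    private static final List<ACL> RESTRICTED_ACL = buildRestrictedAcl();

    // world:anyone gets READ; each allowed range gets ALL (create/write/delete/admin).
    private static List<ACL> buildRestrictedAcl() {
        List<ACL> acl = new ArrayList<>(ZooDefs.Ids.READ_ACL_UNSAFE);
        for (String cidr : WRITER_CIDRS) {
            acl.add(new ACL(ZooDefs.Perms.ALL, new Id("ip", cidr)));
        }
        return acl;
    }

    @Override
    public List<ACL> getDefaultAcl() {
        // Everything outside the protected subtree stays anonymous, as in the original design.
        return ZooDefs.Ids.OPEN_ACL_UNSAFE;
    }

    @Override
    public List<ACL> getAclForPath(String path) {
        return path.startsWith(PROTECTED_PREFIX) ? RESTRICTED_ACL : getDefaultAcl();
    }

    // Curator applies the provider's ACL to every znode this client creates.
    public static CuratorFramework newClient(String connectString) {
        return CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(new IpAllowListAclProvider())
                .build();
    }
}
```

ZooKeeper ACLs are per znode and not inherited, so znodes that already exist under the protected prefix need their ACL set explicitly; a zkCli session from a host outside the listed ranges can still read but gets a NoAuth error on writes. Because the scheme matches the address the server sees, clients behind the same NAT or proxy share one identity.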
