Yep, that's what I saw. I think that will do the job. Thx
On Wednesday, May 28, 2014, Michi Mutsuzaki <[email protected]> wrote:

> Hi Olivier,
>
> There is an "ip" authentication scheme.
>
> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes
>
> On Wed, May 28, 2014 at 12:21 AM, Olivier Mallassi
> <[email protected]> wrote:
> > hi all
> >
> > I am facing a "security issue" with Zookeeper (not from the impl but from
> > the "design" standpoint)
> >
> > we will use ZK as a service discovery registry (pure common usage...) but
> > we would like that some znodes not be updated without authentication.
> >
> > we tested ACL and it works fine but the "limitations" that I see are (1)
> > pwd transported in clear and (2) you need to manage technical users (so pwd
> > storage, encryptions, etc etc..)
> >
> > So we prefer not using ACL and keep anonymous access on all nodes.
> >
> > But, we are facing "issues" with zkCli because any machine having zkcli can
> > connect to the Zookeeper ensemble and modify structure / values.
> >
> > To be honest, I would prefer a solution based on the fact we have a white
> > list of IPs allowed to access ZK, we control the ssh keys to connect to the
> > machines etc...Can we do that?
> >
> > more generally, do you have experience to share with me? how would you
> > handle that? any suggestions would be welcomed.
> >
> > Regards.
> > PS : we are using curator so maybe the ACLProvider could help (to access an
> > LDAP or...)
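Added example, not part of the original thread or of any participant's code: one way to combine the "ip" ACL scheme with Curator's ACLProvider so that reads stay anonymous while changes are limited to allow-listed source addresses. The class name, connect string, znode path and addresses are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

// Hypothetical provider: world:anyone may read, allow-listed IPs may do everything.
public class IpAllowListAcl implements ACLProvider {
    private final List<ACL> acls = new ArrayList<>();

    public IpAllowListAcl(List<String> writerAddrs) {
        // Discovery clients keep anonymous read access, so no passwords to manage.
        acls.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
        // "ip" ids are a single address or addr/bits (most significant bits matched).
        for (String addr : writerAddrs) {
            acls.add(new ACL(ZooDefs.Perms.ALL, new Id("ip", addr)));
        }
    }

    @Override public List<ACL> getDefaultAcl() { return acls; }
    @Override public List<ACL> getAclForPath(String path) { return acls; }

    public static void main(String[] args) throws Exception {
        // Constructed sample allow-list; include the address this program runs from,
        // otherwise it loses ADMIN rights on the znode once the ACL is applied.
        ACLProvider provider =
                new IpAllowListAcl(Arrays.asList("10.0.1.15", "10.0.2.0/24"));
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("zk1.example.internal:2181") // placeholder ensemble
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(provider) // used for znodes created without explicit ACL
                .build();
        client.start();
        try {
            String path = "/services"; // placeholder registry root
            if (client.checkExists().forPath(path) == null) {
                client.create().forPath(path, new byte[0]);
            } else {
                // Existing znodes keep their old ACL until it is replaced explicitly.
                client.setACL().withACL(provider.getAclForPath(path)).forPath(path);
            }
            System.out.println(client.getACL().forPath(path)); // verify what was stored
        } finally {
            client.close();
        }
    }
}
```

ZooKeeper ACLs apply to a single znode and are not inherited by children, so every existing znode that must be protected needs its own setACL call. The "ip" scheme matches the source address the server sees, so clients behind a shared NAT or proxy address are indistinguishable to it.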
