This is to set the IP-based ACL for znodes, not for the entire server, and the 
information for it is at 
https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

What I need is server-wide restriction of client connections.

-----Original Message-----
From: Michi Mutsuzaki [mailto:[email protected]] 
Sent: Friday, February 05, 2016 2:27 PM
To: [email protected]
Subject: Re: Can we restrict any client connections to Zookeeper ensemble

There is an IP-based authentication provider:
https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

I couldn't find much documentation on it though...

On Fri, Feb 5, 2016 at 11:22 AM, Adam Milne-Smith <[email protected]> 
wrote:
> I've been looking to do the same thing so have started running a HAProxy on 
> each ZooKeeper host in transparent tcp mode in front of the ZooKeeper client 
> port.
>
> The choice of transparent mode was so that I can still map session activity 
> to source IP in ZooKeeper. HAProxy will spoof the client IP so that ZooKeeper 
> is none the wiser that HAProxy sits in between. It requires some iptables, ip 
> rule and ip route config to direct outgoing packets from ZooKeeper back 
> through the HAProxy.
>
> This allows for blacklisting IPs and protecting against DoS attacks by rate 
> limiting new connections by IP and by blocking connections from bad actors that 
> are too write intensive.
>
> If this sounds useful to anyone I can outline the approach in a bit 
> more detail.
>
> Thanks,
> Adam
>
>
> On 5 Feb 2016 19:07, "Talluri, Chandra" <[email protected]> 
> wrote:
>>
>> Is it possible to restrict client connections to a ZooKeeper ensemble 
>> based on IP address, not just by setting ACLs on znodes?
>>
>> (i.e.) I should be able to connect to the ZooKeeper ensemble, either using 
>> zkCli.sh or any client, only from certain IP addresses
>>
>> -Thanks in advance
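
A sketch of the per-host HAProxy front end described in Adam's message, combined with the server-wide allow-list the original question asks for. This is an added example, not configuration posted by anyone in the thread. It assumes ZooKeeper has been moved to port 12181 with `clientPort` so HAProxy can own the default client port 2181; the address 192.0.2.10, the file path and the thresholds are constructed placeholders.

```haproxy
# Added example, not from the thread. Addresses, ports, the allow-list path
# and the rate threshold are assumptions chosen for illustration.

defaults
    mode tcp
    timeout connect 5s
    # ZooKeeper sessions are long-lived; keep these above the session timeout
    # so that idle sessions kept alive by client pings are not cut.
    timeout client  120s
    timeout server  120s

frontend zk_client
    # HAProxy takes over the default ZooKeeper client port on this host.
    bind 192.0.2.10:2181

    # Server-wide allow-list: one IP or CIDR per line in the file.
    # Anything not listed is dropped before it reaches ZooKeeper.
    tcp-request connection reject unless { src -f /etc/haproxy/zk_allowed_clients.lst }

    # Per-source-IP rate limit on new connections (DoS protection).
    stick-table type ip size 100k expire 10m store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 20 }

    default_backend zk_local

backend zk_local
    # Transparent mode: connect to ZooKeeper using the client's own source IP,
    # so ZooKeeper's session logging still shows the real client address.
    # Requires a TPROXY-capable HAProxy build running with CAP_NET_ADMIN, plus
    # the iptables / ip rule / ip route setup mentioned in the message to steer
    # ZooKeeper's reply packets back through HAProxy (not shown here).
    source 0.0.0.0 usesrc clientip

    # ZooKeeper itself, moved off 2181 via clientPort=12181 in zoo.cfg.
    server zk1 192.0.2.10:12181 check
```

HAProxy only guards the port it binds, so ZooKeeper's real client port (12181 here) also has to be closed to remote hosts with a host firewall rule; otherwise clients can bypass the allow-list by connecting to it directly.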
