Hi Shawn,

My proposal was in the following context - Flavio suggested to add new flag(s) to disable reconfig in order not to surprise users with new security vulnerabilities that arise from dynamic reconfiguration. My point was that we already have such a mechanism we could use - ACLs. But if we need to do that while also allowing unprotected use of reconfig for some users, perhaps a flag is a better alternative.

I think we have some flexibility here since reconfig is a new feature so we could choose to be conservative and release it first only to people that do use ACLs, but I don't feel strongly about it, either way. What do you think? Flavio, Patrick, what's your opinion on this?

Cheers,
Alex

On Fri, Apr 1, 2016 at 10:16 AM, Shawn Heisey <[email protected]> wrote:

> This is a potential worry even without reconfig -- a malicious person
> could change or delete the entire database ... yet many people
> (including me) run without ACLs.
>
> My ZK ensemble is in a network location that unauthorized people can't
> reach without finding and exploiting some vulnerability that has not yet
> reached my awareness.
>
> If somebody can gain access to the ZK machines, at least one of my
> public-facing servers is already compromised. ZK will be very low on my
> list of things to worry about. Chances
