You can build an external solution to do the access control with client connections, for example put a proxy like HAProxy in front of the ZK ensemble and apply iptables rules that only allow specific connections to pass through. ZK does not have intrinsic support for such control and this is by design because it was designed to operate in a trusted environment. Though this may change if more and more users are interested in such a feature. So far ZOOKEEPER-1634 etc. are not getting much traction.

On Mon, Aug 21, 2017 at 2:06 PM, Abraham Fine <[email protected]> wrote:

> My understanding is that there is no current way to keep anonymous users
> from connecting at all.
>
> There have been numerous proposals to use SASL to solve this problem and
> there is an open PR by Michael Han
> (https://github.com/apache/zookeeper/pull/118), but nothing of the sort
> has been committed yet.
>
> Thanks,
> Abe
>
> On Mon, Aug 21, 2017, at 01:34, baidu wrote:
> > Hi,
> >
> > I’ve read documents about zookeeper authentication and acl. To my
> > knowledge, this mechanism can only control the access of specified
> > znodes. To prevent others from accessing our zookeeper service, we need
> > set acl for all the znodes.
> >
> > Is there any other way to do this?
> >
> >
> > Best wishes,
> > Dan
>

--
Cheers
Michael.
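
The iptables half of the approach suggested in the reply above, as an added example that is not part of the original thread or of ZooKeeper itself. It assumes the client port is 2181 and IPv4 sources; the chain name ZK-CLIENT and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset that admits only the
# listed sources (e.g. the HAProxy hosts) to the ZooKeeper client port.

# is_ipv4_cidr ADDR: succeed only for a dotted quad with optional /0-32.
is_ipv4_cidr() {
    # Digits, dots and at most one slash; this also rejects spaces,
    # newlines and shell metacharacters before anything is printed.
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${1%%/*}
    case $1 in
        */*) pfx=${1#*/}
             case $pfx in ''|*.*) return 1 ;; esac
             [ "${#pfx}" -le 2 ] && [ "$pfx" -le 32 ] || return 1 ;;
    esac
    case $addr in
        *.*.*.*.*|.*|*.|*..*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# zk_client_rules PORT SRC...: validate everything first, then print rules,
# so a bad entry never yields a partial ruleset.
zk_client_rules() {
    [ "$#" -ge 2 ] || { echo "usage: zk_client_rules PORT SRC..." >&2; return 1; }
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':ZK-CLIENT - [0:0]'
    echo "-A INPUT -p tcp --dport $port -j ZK-CLIENT"
    for src in "$@"; do
        echo "-A ZK-CLIENT -s $src -j ACCEPT"
    done
    echo '-A ZK-CLIENT -j DROP'   # every other source is dropped
    echo 'COMMIT'
}

# Constructed sample: two proxy hosts from the RFC 5737 documentation range.
zk_client_rules 2181 192.0.2.10 192.0.2.11
```

Load the output with `iptables-restore --noflush` so that existing rules are kept. The ports the ensemble members use to talk to each other are not covered by this ruleset.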
