2018-04-11 11:08 GMT+02:00 Remi Serrano <[email protected]>: > Thank you very much Enrico, > > So let's move at ACL level. If I create a new node as : > > Create /mynode content sasl:myuser:mydigest:crdwa > > Indeed only the authenticated myuser is able to READ /mynode... BUT any > other non authenticated user can DELETE the node. How can I prevent this ? > I Could not find explicit solution in the doc. >
I am not sure but I think that in order to prevent deletion you have to set ACLs on the parent, in this case '/', and I don't know if is is possible. If a node has children it cannot be deleted, so maybe the solution for you is to create a special "root" node, like /myapp and set ACLs on it and on every children. This is actually what I am doing. Hope that helps Enrico > > Regards, > > Rémi > > -----Message d'origine----- > De : Enrico Olivelli [mailto:[email protected]] > Envoyé : Tuesday, April 10, 2018 15:51 > À : UserZooKeeper <[email protected]> > Objet : Re: Client-Server authentication with DIGEST-MD5 > > 2018-04-10 15:22 GMT+02:00 Remi Serrano <[email protected]>: > > > Hello > > > > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both > : > > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki > > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crserr > > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad131463790 > > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZXV > > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0 > > Server-Server+mutual+authentication > > and > > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki > > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crserr > > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad131463790 > > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZXV > > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0 > > Client-Server+mutual+authentication > > > > The Server to Server works fine. However, the Client to Server seems > > to be useless as here is the behavior I get : > > > > * Client using a declared user on the server + good password CAN > > connect > > * Client using a declared user on the server + bad password CANNOT > > connect > > * Client using a non declared user on the Server CANNOT connect > > so far so good... but : > > > > * Client using NO user at all CAN connect !!! > > > > > This is expected. Client auth is mostly used together with ACLs, otherwise > AFAIK is pretty useless in ZK. > > Please not that MD5 is not "secure" at all, and consider using > SASL/Kerberos for a production environment. > > Cheers > Enrico > > > > > > Any hint ? > > > > >
