2018-04-11 11:08 GMT+02:00 Remi Serrano <rserr...@pros.com>:

> Thank you very much Enrico,
>
> So let's move at ACL level. If I create a new node as :
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT any
> other non authenticated user can DELETE the node. How can I prevent this ?
> I Could not find explicit solution in the doc.
>


I am not sure but I think that in order to prevent deletion you have to set
ACLs on the parent, in this case '/', and I don't know if is is possible.
If a node has children it cannot be deleted, so maybe the solution for you
is to create a special "root" node, like
/myapp and set ACLs on it and on every children.

This is actually what I am doing.
Hope that helps

Enrico



>
> Regards,
>
> Rémi
>
> -----Message d'origine-----
> De : Enrico Olivelli [mailto:eolive...@gmail.com]
> Envoyé : Tuesday, April 10, 2018 15:51
> À : UserZooKeeper <user@zookeeper.apache.org>
> Objet : Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rserr...@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both
> :
> > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki
> > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crserr
> > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad131463790
> > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZXV
> > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0
> > Server-Server+mutual+authentication
> > and
> > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki
> > .apache.org%2Fconfluence%2Fdisplay%2FZOOKEEPER%2F&data=02%7C01%7Crserr
> > ano%40pros.com%7Cb7666ab58a2b4380d6a108d59eea2387%7C094cfb7ad131463790
> > 47e339e7d04359%7C0%7C0%7C636589650815046832&sdata=kKnxsghiwmRKgCdwTZXV
> > 88thlMICx%2BF8Ha38ESUW9Zc%3D&reserved=0
> > Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems
> > to be useless as here is the behavior I get :
> >
> >   *   Client using a declared user on the server + good password CAN
> > connect
> >   *   Client using a declared user on the server + bad password CANNOT
> > connect
> >   *   Client using a non  declared user on the Server CANNOT connect
> > so far so good... but :
> >
> >   *   Client using NO user at all CAN connect !!!
> >
>
>
> This is expected. Client auth is mostly used together with ACLs, otherwise
> AFAIK is pretty useless in ZK.
>
> Please not that MD5 is not "secure" at all, and consider using
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
>
> >
> > Any hint ?
> >
> >
>

Reply via email to