Perfect. Thanks Enrico. It is the 'setAcl /' that I was missing.

Rémi

-----Original Message-----
From: Enrico Olivelli [mailto:eolive...@gmail.com]
Sent: Wednesday, April 11, 2018 11:12
To: UserZooKeeper <user@zookeeper.apache.org>
Subject: Re: Client-Server authentication with DIGEST-MD5

2018-04-11 11:08 GMT+02:00 Remi Serrano <rserr...@pros.com>:
> Thank you very much Enrico,
>
> So let's move at ACL level. If I create a new node as:
>
> Create /mynode content sasl:myuser:mydigest:crdwa
>
> Indeed only the authenticated myuser is able to READ /mynode... BUT
> any other non-authenticated user can DELETE the node. How can I prevent this?
> I could not find an explicit solution in the doc.
>

I am not sure, but I think that in order to prevent deletion you have to set ACLs on the parent, in this case '/', and I don't know if it is possible.
If a node has children it cannot be deleted, so maybe the solution for you is to create a special "root" node, like /myapp, and set ACLs on it and on every child. This is actually what I am doing.

Hope that helps
Enrico

>
> Regards,
>
> Rémi
>
> -----Original Message-----
> From: Enrico Olivelli [mailto:eolive...@gmail.com]
> Sent: Tuesday, April 10, 2018 15:51
> To: UserZooKeeper <user@zookeeper.apache.org>
> Subject: Re: Client-Server authentication with DIGEST-MD5
>
> 2018-04-10 15:22 GMT+02:00 Remi Serrano <rserr...@pros.com>:
>
> > Hello
> >
> > I'm trying to secure my ZK cluster. To do so I'm trying to leverage both:
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> > and
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >
> > The Server to Server works fine. However, the Client to Server seems
> > to be useless, as here is the behavior I get:
> >
> > * Client using a declared user on the server + good password CAN connect
> > * Client using a declared user on the server + bad password CANNOT connect
> > * Client using a non-declared user on the Server CANNOT connect
> > so far so good... but:
> >
> > * Client using NO user at all CAN connect !!!
> >
>
> This is expected. Client auth is mostly used together with ACLs,
> otherwise AFAIK it is pretty useless in ZK.
>
> Please note that MD5 is not "secure" at all, and consider using
> SASL/Kerberos for a production environment.
>
> Cheers
> Enrico
>
> >
> > Any hint ?
> >
>
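The point the thread turns on is which znode's ACL ZooKeeper consults for a given operation: READ, WRITE and ADMIN are checked against the znode itself, while CREATE and DELETE are checked against the parent (a child is created in, or deleted from, its parent). That is why an ACL on /mynode alone does not stop deletion when '/' still carries ZooKeeper's default world:anyone:cdrwa, and why either 'setAcl /' (Rémi's fix) or a restricted application root like /myapp (Enrico's approach) closes the gap. The following is an offline model of those checks added by the editor; it is not ZooKeeper code and not from the thread, it mirrors the permission bits of ZooDefs.Perms and the parent-versus-self rule, and the tree, the principal sasl:myuser and the session identities are constructed for the demonstration.

```python
"""Offline model of ZooKeeper's ACL checks (educational model, not ZooKeeper code).

ZooKeeper evaluates an operation against the ACL of one specific znode:
READ/WRITE/ADMIN against the znode itself, CREATE/DELETE against its parent.
The scenario below is constructed to replay the mailing-list thread.
"""
from dataclasses import dataclass

# Permission bits as defined in org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
PERM_CHARS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}


def parse_perms(s: str) -> int:
    """zkCli permission letters ('crdwa') -> bitmask."""
    mask = 0
    for ch in s:
        mask |= PERM_CHARS[ch]
    return mask


@dataclass(frozen=True)
class Id:
    scheme: str  # 'world', 'sasl', 'digest', ...
    id: str      # 'anyone', a SASL principal, 'user:hash', ...


@dataclass
class Acl:
    perms: int
    id: Id


def parse_acl(spec: str) -> Acl:
    """Parse zkCli-style 'scheme:id:perms', e.g. 'sasl:myuser:crdwa'.
    The id may itself contain ':' (digest:user:hash), so split off perms at the last one."""
    scheme, rest = spec.split(":", 1)
    id_, perms = rest.rsplit(":", 1)
    return Acl(parse_perms(perms), Id(scheme, id_))


# Which znode's ACL governs which operation, and the permission bit it needs.
OP_TARGET = {
    "getData": ("self", READ),
    "getChildren": ("self", READ),
    "setData": ("self", WRITE),
    "setAcl": ("self", ADMIN),
    "create": ("parent", CREATE),
    "delete": ("parent", DELETE),
}


def parent_of(path: str) -> str:
    return "/" if path.count("/") == 1 else path.rsplit("/", 1)[0]


def id_matches(acl_id: Id, client_ids: set) -> bool:
    """world:anyone matches every session; other schemes need an exact identity match."""
    if acl_id.scheme == "world" and acl_id.id == "anyone":
        return True
    return acl_id in client_ids


def check(tree: dict, path: str, op: str, client_ids: set) -> bool:
    """True if a session holding client_ids may perform op on path.
    An unauthenticated session has an empty client_ids set."""
    where, needed = OP_TARGET[op]
    target = path if where == "self" else parent_of(path)
    return any(acl.perms & needed and id_matches(acl.id, client_ids) for acl in tree[target])


def try_delete(tree: dict, path: str, client_ids: set) -> str:
    """The two failure modes from the thread, in the order ZooKeeper applies them:
    the DELETE check on the parent's ACL, then the NotEmpty check on the node."""
    if not check(tree, path, "delete", client_ids):
        return "NoAuth"
    if any(parent_of(p) == path for p in tree if p != "/"):
        return "NotEmpty"
    return "ok"


def thread_scenario() -> dict:
    """Replay the thread; returns each outcome keyed by a description."""
    tree = {
        "/": [parse_acl("world:anyone:cdrwa")],      # ZooKeeper's default ACL on '/'
        "/mynode": [parse_acl("sasl:myuser:crdwa")],  # constructed: the node from the thread
    }
    anon: set = set()                 # session that never authenticated
    myuser = {Id("sasl", "myuser")}   # session authenticated as the SASL principal
    out = {}
    out["anon reads /mynode"] = check(tree, "/mynode", "getData", anon)
    out["myuser reads /mynode"] = check(tree, "/mynode", "getData", myuser)
    out["anon deletes /mynode (open root)"] = try_delete(tree, "/mynode", anon)
    # Rémi's fix: 'setAcl / sasl:myuser:cdrwa'; DELETE is now checked against this ACL
    tree["/"] = [parse_acl("sasl:myuser:cdrwa")]
    out["anon deletes /mynode (locked root)"] = try_delete(tree, "/mynode", anon)
    out["myuser deletes /mynode (locked root)"] = try_delete(tree, "/mynode", myuser)
    # Enrico's alternative: an application root that has children cannot be deleted
    tree["/myapp"] = [parse_acl("sasl:myuser:cdrwa")]
    tree["/myapp/child"] = [parse_acl("sasl:myuser:cdrwa")]
    out["myuser deletes non-empty /myapp"] = try_delete(tree, "/myapp", myuser)
    return out


if __name__ == "__main__":
    for desc, result in thread_scenario().items():
        print(f"{desc}: {result}")
```

Restricting '/' to a single principal, as in the replayed fix, also removes READ on the root for every other session, so listing '/' and creating anything outside the principal's subtree stop working for them; that is why the /myapp pattern Enrico describes, with the application root and every child carrying the restricted ACL, is the usual way to scope the protection to one subtree.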