For cluster-wide security, I think it is also important to use networking hardware security. In EC2, this corresponds to the security groups. For Linux itself, you do this using iptables.
The basic idea is that you can lock down the network access to the cluster so that to access your ZK cluster, you actually have to be running on a correct machine. This doesn't satisfy the original need, but is an important defense in depth adjunct to it.

Another way to get connection level security on ZK access would be to use something like ssh or stunnel to allow access to the cluster which is otherwise completely locked down except for the ZK nodes talking to each other. This approach does meet the original requirements (I think).

On Tue, Jun 16, 2009 at 10:42 AM, Mahadev Konar <maha...@yahoo-inc.com> wrote:

> So, if you want it
> to work at the server level, you will have to add authentication to all the
> znodes that you create in ZooKeeper, so non authenticated clients would not
> be able to read anything in ZooKeeper.
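
The network lockdown described in this message, as an added example that is not part of the original email: a hypothetical `zk_rules` function that prints (does not apply) iptables rules for one ZooKeeper node. It assumes ZooKeeper's default ports (2181 client, 2888 quorum, 3888 election); the addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: print iptables rules for one ZooKeeper node.
# Assumed ports: 2181 client, 2888 quorum, 3888 election (ZooKeeper defaults).
# Peer and client addresses below are constructed sample values.

ZK_CLIENT_PORT=2181
ZK_PEER_PORTS="2888 3888"

# zk_rules "<peer ips>" "<client ips>"
# An empty client list means clients reach ZK only through a local
# ssh/stunnel endpoint, so the client port accepts loopback traffic only.
zk_rules() {
    peers=$1
    clients=$2

    # Ensemble members may talk to each other on the quorum/election ports.
    for peer in $peers; do
        for port in $ZK_PEER_PORTS; do
            echo "iptables -A INPUT -p tcp -s $peer --dport $port -j ACCEPT"
        done
    done

    if [ -z "$clients" ]; then
        # Tunnel-only access: the ssh/stunnel endpoint connects via loopback.
        echo "iptables -A INPUT -i lo -p tcp --dport $ZK_CLIENT_PORT -j ACCEPT"
    else
        # Direct access, but only from the listed "correct" machines.
        for client in $clients; do
            echo "iptables -A INPUT -p tcp -s $client --dport $ZK_CLIENT_PORT -j ACCEPT"
        done
    fi

    # Everything else aimed at the ZK ports is dropped.
    for port in $ZK_CLIENT_PORT $ZK_PEER_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: three-node ensemble, tunnel-only client access.
zk_rules "10.0.0.11 10.0.0.12 10.0.0.13" ""
```

Review the printed rules before applying them; the ACCEPT lines must be appended before the DROP lines, which is the order the function emits.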