For cluster wide security, I think it is also important to use networking
hardware security.  In EC2, this corresponds to the security groups.  For
Linux itself, you do this using iptables.

The basic idea is that you can lock down the network access to the cluster
so that to access your ZK cluster, you actually have to be running on a
correct machine.

This doesn't satisfy the original need, but is an important defense in depth
adjunct to it.

Another way to get connection level security on ZK access would be to use
something like ssh or stunnel  to allow access to the cluster which is
otherwise completely locked down except for the ZK nodes talking to each
other.  This approach does meet the original requirements (I think).

On Tue, Jun 16, 2009 at 10:42 AM, Mahadev Konar <>wrote:

> So, if you want it
> to work at the server level, you will have to add authentication to all the
> znodes that you create in ZooKeeper, so non authenticated clients would not
> be able to read anything in ZooKeeper.

Reply via email to