I think that the stunnel suggestion actually covers what you want here. You can set stunnel up so that it listens to a known port and it decrypts and forwards traffic to the local zookeeper client port. You can guarantee that no direct connections are possible to the zookeeper in a variety of ways, the simplest being a change to zookeeper to allow it to insist that all connections be from localhost.
Stunnel can also insist on client certificates so that only approved clients would be able to connect. Your packaged version of zookeeper would include both zookeeper and stunnel. You would recommend that iptables be set up to prevent any attempted connections, but this would only be defense in depth.

On Tue, Jun 16, 2009 at 12:22 PM, Gustavo Niemeyer <gust...@niemeyer.net> wrote:

> > For cluster wide security, I think it is also important to use networking
> > hardware security. In EC2, this corresponds to the security groups. For
> > Linux itself, you do this using iptables.
>
> That's the impression I had as well. Do you think it'd be too tricky
> to implement an equivalent pluggable authentication scheme which would
> operate at the server level? E.g. something that would allow using a
> shared secret safely, or certificates.
>
> I'm pondering about the possibility of offering ZooKeeper embedded in
> another system, so it'd be best if the system security wasn't
> dependent on the network setup which is left to the user that deploys
> the packed system.

--
Ted Dunning, CTO
DeepDyve
111 West Evelyn Ave. Ste. 202
Sunnyvale, CA 94086
http://www.deepdyve.com
858-414-0013 (m)
408-773-0220 (fax)
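The stunnel arrangement described in the message above, sketched as configuration. This is an added example, not part of the original message or of any ZooKeeper package: the file paths, the `stunnel` account, the hostname `zk.example.internal` and port 2281 are assumptions, while 2181 is ZooKeeper's default client port.

```ini
; ---- File 1: stunnel.conf on the ZooKeeper host (server side) ----
; Drop privileges after binding (hypothetical unprivileged account).
setuid = stunnel
setgid = stunnel

[zookeeper-tls]
client = no
; Known port exposed to the network (assumed value).
accept = 0.0.0.0:2281
; Decrypted traffic is forwarded to the local ZooKeeper client port only.
connect = 127.0.0.1:2181
; Server certificate and key presented to clients (assumed paths).
cert = /etc/stunnel/zk-server.pem
key = /etc/stunnel/zk-server.key
; CA that signs approved client certificates (assumed path).
CAfile = /etc/stunnel/zk-clients-ca.pem
; Weak setting, shown for contrast: the default (verify = 0) accepts any
; TLS client, so the tunnel only encrypts and authenticates nobody.
; verify = 0
; Hardened setting: a client certificate is required and must chain to CAfile.
verify = 2

; ---- File 2: stunnel.conf on each approved client host ----
[zookeeper-client]
client = yes
; The ZooKeeper client library connects here in plaintext, on loopback only.
accept = 127.0.0.1:2181
; Assumed server name and the port chosen in File 1.
connect = zk.example.internal:2281
; This client's certificate and key, issued by the clients CA (assumed paths).
cert = /etc/stunnel/zk-client.pem
key = /etc/stunnel/zk-client.key
; CA that signed the server certificate; verify = 2 rejects any other server.
CAfile = /etc/stunnel/zk-server-ca.pem
verify = 2
```

The tunnel only protects ZooKeeper if port 2181 is unreachable from other hosts, which is the localhost restriction and the iptables rule the message refers to; later ZooKeeper releases provide a `clientPortAddress` setting in `zoo.cfg` that can bind the client port to 127.0.0.1.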