I think that the stunnel suggestion actually covers what you want here.
You can set stunnel up so that it listens to a known port and it decrypts
and forwards traffic to the local zookeeper client port. You can guarantee
that no direct connections are possible to the zookeeper in a variety of
ways, the simplest being a change to zookeeper to allow it to insist that
all connections be from localhost.

Stunnel can also insist on client certificates so that only approved clients
would be able to connect.

Your packaged version of zookeeper would include both zookeeper and
stunnel. You would recommend that iptables be set up to prevent any
attempted connections, but this would only be defense in depth.

On Tue, Jun 16, 2009 at 12:22 PM, Gustavo Niemeyer <gust...@niemeyer.net> wrote:
> > For cluster wide security, I think it is also important to use networking
> > hardware security. In EC2, this corresponds to the security groups. For
> > Linux itself, you do this using iptables.
> That's the impression I had as well. Do you think it'd be too tricky
> to implement an equivalent pluggable authentication scheme which would
> operate at the server level? E.g. something that would allow using a
> shared secret safely, or certificates.
> I'm pondering about the possibility of offering ZooKeeper embedded in
> another system, so it'd be best if the system security wasn't
> dependent on the network setup which is left to the user that deploys
> the packed system.

Ted Dunning, CTO
111 West Evelyn Ave. Ste. 202
Sunnyvale, CA 94086
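
The setup described in this message, sketched as a pair of stunnel configuration files. This is an added example, not part of the original e-mail and not shipped by ZooKeeper or stunnel. The service names, the TLS port 2281, the host name and all file paths are assumptions; 2181 is ZooKeeper's default client port.

```ini
; ---- Server host: stunnel config packaged next to ZooKeeper ----
; (separate file from the client config below; path is a placeholder,
;  e.g. /etc/stunnel/zookeeper-server.conf)

[zookeeper-tls]
; Known port that remote clients connect to (2281 is an assumed value).
accept = 0.0.0.0:2281
; Decrypted traffic is forwarded to the local ZooKeeper client port.
; ZooKeeper itself should accept connections from localhost only.
connect = 127.0.0.1:2181
; Server certificate and private key (placeholder paths).
cert = /etc/stunnel/zk-server.pem
key = /etc/stunnel/zk-server.key
; Insist on a client certificate: verify = 2 rejects peers that present
; no certificate or one that does not chain to the CA in CAfile.
verify = 2
CAfile = /etc/stunnel/zk-clients-ca.pem

; ---- Client host: stunnel config next to the ZooKeeper client ----
; (separate file, e.g. /etc/stunnel/zookeeper-client.conf)

[zookeeper-tls-client]
client = yes
; The unmodified ZooKeeper client connects here in plaintext, on loopback.
accept = 127.0.0.1:2181
; TLS connection to the server-side stunnel (host name is a placeholder).
connect = zk1.example.internal:2281
; Client certificate presented to the server (placeholder paths).
cert = /etc/stunnel/zk-client.pem
key = /etc/stunnel/zk-client.key
; Verify the server certificate chain against the CA that signed it.
verify = 2
CAfile = /etc/stunnel/zk-server-ca.pem
```

With `verify = 2` the set of approved clients is whatever the CA in `CAfile` has signed, so that CA should issue certificates only to ZooKeeper clients.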