Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Threaded View
Zookeeper >> mail # user >> Authentication mechanism


Copy link to this message
-
Re: Authentication mechanism
Hi Jaewoong,

I'm not sure if you have had a chance to look at the documentation:

http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

My understanding is that a client authenticates when it connects.

-Flavio

On Nov 21, 2012, at 8:46 PM, Jaewoong Choi wrote:

> Hi,
>
> I got a question regarding ZooKeeper's authentication mechanism.  Let me describe a scenario first.
>
> 1. ZooKeeper server started up with a customized AuthenticationProvider (e.g. XyzAuthenticationProvider which authentication scheme is "xyz") enabled with -Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider option.
> 2. But all znodes (including "/" and "/zookeeper") haven't been assigned any ACL of neither this "xyz" scheme or "auth" scheme s.t. they are open to the world by default.
> 3. At this stage, any ZooKeeper client without any authInfo ( who hasn't invoked org.apache.zookeeper.ZooKeeper#setAuthInfo ) are permitted to do anything!!  e.g. It can create znodes under "/" and etc.
>
> This is what I verified with my test using zookeeper_server-3.4.3 and zookeeper-3.4.3 client library.
>
> Here come some questions.
>
> 1. Is the above scenario true?
> 2. Isn't there any access control on "Connect" permission level regardless of znode-level ACLs? For example, can we deny client connection before its access to any znode when it comes without a valid authInfo?
>
> Regards,
> Jaewoong
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB