MG>comprehensive zookeeper client-server authentication described at:
MG>https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL
MG>sasl happens at connection time so addauth would not be necessary..on the other hand addAcl is supported

> Date: Thu, 3 Mar 2016 20:13:39 +0530
> Subject: Fwd: Solr and Zookeeper Security
> From: [email protected]
> To: [email protected]
>
> I am sorry to ask this question. But really I need some light on the below
> matter.
>
> I want to run solr in cloud mode. So obviously I am going to use
> zookeeper.
>
> My quorum is distributed on 3 servers with static IPs, let's say
>
> server.1=xx.xx.x1:2888:3888
> server.2=xx.xx.x2:2889:3889
> server.3=xx.xx.x3:2890:3890
>
> With solr pointing to this ensemble. Now my concern is how should I protect
> it from other unauthorized zkClients connecting to the above quorum. One way could be
> don't open the port for the client, but then how will solr connect?
> The other problem is how to safeguard quorum interconnection. I observed a
> weird behavior that I can point a fourth zookeeper from my local to the
> above quorum (I have to know only ip and port, which is not tough to find)
> and it will be absorbed as a part of the quorum, and then I can use my local
> zkClient to connect to my local zookeeper and have access to the quorum, which we
> don't want. I want to define the quorum in a way that a foreign zookeeper server
> is not able to
> become part of the already configured quorum.
>
> Again one more strange behavior about znodes of zookeeper: User A can set
> the ACL of a znode, and user B, who can connect to zookeeper, can't see the
> content as it will throw an ACL error. That is fine, but the strange thing is user B
> can still delete the znode of A which he can't see. :(
>
> I think a hell of a lot of things are not clear about zookeeper security.
>
> Please can you help me? And don't forget my thanks in advance.
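
The read-denied-but-delete-allowed behaviour reported in the question can be reproduced with a small model of ZooKeeper's permission checks. This is an added example, not code from the thread or from ZooKeeper; it assumes the documented ACL semantics (READ applies to the znode itself, CREATE and DELETE apply to the parent's children), and the paths, identities and the `Tree`/`demo` names are constructed for illustration.

```python
# Simplified model of ZooKeeper ACL checks (added example, not ZooKeeper code).
# Assumption: READ is checked on the znode, CREATE/DELETE on its parent's ACL.
ANYONE = ("world", "anyone")


class NoAuth(Exception):
    """Stands in for KeeperException.NoAuthException."""


def parent(path):
    return path.rsplit("/", 1)[0] or "/"


class Tree:
    def __init__(self):
        self.nodes = {"/": (b"", {ANYONE: "cdrwa"})}  # path -> (data, acl)

    def _check(self, path, perm, ident):
        acl = self.nodes[path][1]
        if perm not in acl.get(ANYONE, "") + acl.get(ident, ""):
            raise NoAuth(f"{ident} lacks '{perm}' on {path}")

    def create(self, path, data, acl, ident):
        self._check(parent(path), "c", ident)  # parent's ACL
        self.nodes[path] = (data, dict(acl))

    def get(self, path, ident):
        self._check(path, "r", ident)  # the znode's own ACL
        return self.nodes[path][0]

    def delete(self, path, ident):
        self._check(parent(path), "d", ident)  # parent's ACL, not the znode's
        del self.nodes[path]


def demo(parent_acl):
    """Return (B can read A's znode, B can delete A's znode)."""
    a, b = ("sasl", "userA"), ("sasl", "userB")  # constructed identities
    t = Tree()
    t.create("/app", b"", parent_acl, a)
    t.create("/app/secret", b"s3cret", {a: "cdrwa"}, a)
    result = []
    for op in (t.get, t.delete):
        try:
            op("/app/secret", b)
            result.append(True)
        except NoAuth:
            result.append(False)
    return tuple(result)
```

With an open parent ACL, `demo` returns `(False, True)`; restricting the parent's ACL to user A as well gives `(False, False)`, which is the defensive setting: lock down the parent znode, not only the child.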
