On 4/1/2016 10:18 AM, Alexander Shraer wrote:
> Because using reconfig without ACLs any client can remove the servers (or
> replace them with a different set of servers
> or change their configuration parameters) and break the system.

This is a potential worry even without reconfig -- a malicious person could change or delete the entire database ... yet many people (including me) run without ACLs.

My ZK ensemble is in a network location that unauthorized people can't reach without finding and exploiting some vulnerability that has not yet reached my awareness. If somebody can gain access to the ZK machines, at least one of my public-facing servers is already compromised. ZK will be very low on my list of things to worry about. Chances are that even if the attacker figured out I was using ZK and where it lives, it would be extremely low on THEIR list of priorities -- it doesn't contain any sensitive info, and there are far more efficient ways to cause problems.

Thanks,
Shawn