Correct - if the purpose is to restrict connection requests from known IPs, then use iptables / a firewall. A side note: ZK does have a built-in IP scheme that will grant permission on a znode based on IP [1], but in that case the ensemble is still open to connection requests from the world.

[1] https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes
On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <[email protected]> wrote:
> Is my conclusion correct?
>
> We cannot tell zookeeper to only accept connections from a given IP range.
> Rather, we must restrict access to znodes within zookeeper. Each znode has
> its own ACL.
>
> There is no inheriting from parent, no way to globally restrict access.
> It must be done on a znode by znode basis.
>
> There's no configuration file where we can tell zookeeper to only accept
> connections from 10.0.0.0/16, for example. If we want to do that on a
> global basis, a firewall rule is a better solution than setting it on every
> node.
>
> --
> Dan Langille - BSDCan / PGCon
> [email protected]

--
Cheers
Michael.
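To make the distinction in the reply concrete, here is an added example (not ZooKeeper's code and not from anyone on the list) that models how a znode's built-in `ip` scheme ACL is evaluated against a client address; the ACL strings and client addresses are constructed, and only IPv4 is modelled.

```python
"""Model of ZooKeeper's per-znode ACL check for the built-in 'ip' scheme.

Added example, not ZooKeeper's own code. The ACL syntax (scheme:id:perms) and
the permission bits follow the ZooKeeper programmer's guide; the ACL strings
and client addresses used here are constructed for illustration (IPv4 only).
"""
import ipaddress

# Permission bits as ZooKeeper defines them, keyed by the zkCli setAcl letters.
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def parse_acl(acl_string):
    """Parse comma-separated 'scheme:id:perms' entries into (scheme, id, bitmask)."""
    entries = []
    for entry in acl_string.split(","):
        scheme, rest = entry.strip().split(":", 1)
        ident, perms = rest.rsplit(":", 1)  # the id may itself contain ':' (digest)
        bits = 0
        for letter in perms:
            bits |= PERMS[letter]
        entries.append((scheme, ident, bits))
    return entries


def ip_id_matches(acl_id, client_ip):
    """An 'addr/bits' id matches when the client's first <bits> bits equal addr's."""
    network = ipaddress.ip_network(acl_id, strict=False)  # bare addr -> /32
    return ipaddress.ip_address(client_ip) in network


def znode_op_result(acl_string, client_ip, op):
    """Return what the client sees for one operation on the znode: 'OK' or 'NOAUTH'.

    Only the target znode's own ACL is consulted; nothing is inherited from the
    parent. The TCP connection itself is never refused by this check, which is
    the point of the thread: ACLs limit what a connected client may do, not who
    may connect. Blocking connections is the firewall's job.
    """
    granted = 0
    for scheme, ident, bits in parse_acl(acl_string):
        if scheme == "world" and ident == "anyone":
            granted |= bits
        elif scheme == "ip" and ip_id_matches(ident, client_ip):
            granted |= bits
    return "OK" if granted & PERMS[op] else "NOAUTH"


if __name__ == "__main__":
    # Constructed ACL: full rights for 10.0.0.0/16, read-only for everyone else.
    acl = "ip:10.0.0.0/16:cdrwa,world:anyone:r"
    for client in ("10.0.5.9", "192.168.1.1"):
        print(client, "read:", znode_op_result(acl, client, "r"),
              "write:", znode_op_result(acl, client, "w"))
```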
