Thanks Michael. That URL is what I was reading this morning and, combined with my tests, seemed to confirm my understanding.
Cheers.

--
Dan Langille - BSDCan / PGCon
[email protected]

> On Dec 8, 2016, at 1:20 PM, Michael Han <[email protected]> wrote:
>
> Correct - if the purpose is to restrict connection requests from known IPs
> then using iptables / firewall.
> A side note is ZK does have a built in IP scheme that will grant permission
> on znode based on IP[1], but in that case the ensemble is still open to
> connection requests from the world.
> [1]
> https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes
>
> On Thu, Dec 8, 2016 at 8:17 AM, Dan Langille <[email protected]> wrote:
>
>> Is my conclusion correct?
>>
>> We cannot tell zookeeper to only accept connections from a given IP range.
>> Rather, we must restrict access to znodes within zookeeper. Each znode has
>> its own ACL.
>>
>> There is no inheriting from parent, no way to globally restrict access.
>> It must be done on a znode by znode basis.
>>
>> There's no configuration file where we can tell zookeeper to only accept
>> connections from 10.0.0.0/16, for example. If we want to do that on a
>> global basis, a firewall rule is a better solution than setting it on every
>> node.
>>
>> --
>> Dan Langille - BSDCan / PGCon
>> [email protected]
>
>
> --
> Cheers
> Michael.
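The two points the thread settles on (ZooKeeper's built-in `ip` ACL scheme is evaluated per znode with no inheritance from the parent, and an ACL never stops a client from connecting in the first place) can be checked without an ensemble. The block below is an added example, not ZooKeeper's own code and not the Java or kazoo client API: it is a small model of the `ip` and `world` schemes as described in the linked programmer's guide (`addr/bits` prefix matching, `cdrwa` permission letters, non-recursive ACLs). The znode paths, ACL strings and client addresses are constructed for the illustration.

```python
"""Model of ZooKeeper's built-in `ip` ACL scheme and non-recursive, per-znode
ACL checks.  Added example, not ZooKeeper's code; it follows the semantics
documented at
https://zookeeper.apache.org/doc/trunk/zookeeperProgrammers.html#sc_BuiltinACLSchemes
All znode paths, ACL strings and client addresses here are constructed."""
import ipaddress

# Permission bits, same values as ZooDefs.Perms in the ZooKeeper client.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
PERM_LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}


def parse_acl(entry):
    """Parse 'scheme:id:perms' (e.g. 'ip:10.0.0.0/16:cdrwa') into a tuple."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    bits = 0
    for letter in perms:
        bits |= PERM_LETTERS[letter]
    return scheme, ident, bits


def id_matches(scheme, ident, client_ip):
    """Does this ACL id cover the client?  Only 'world' and 'ip' are modelled."""
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":
        # The 'ip' id is addr/bits; a bare address means all 32 bits must match.
        net = ipaddress.ip_network(ident if "/" in ident else ident + "/32", strict=False)
        return ipaddress.ip_address(client_ip) in net
    return False


class ZnodeTree:
    """Znode paths mapped to their own ACL list.  There is deliberately no
    connect() step: the server accepts any TCP client and only checks ACLs per
    operation, which is why restricting the port itself needs a firewall rule."""

    def __init__(self):
        # Root is world-open, as on a fresh ensemble.
        self.acls = {"/": ["world:anyone:cdrwa"]}

    def check(self, path, client_ip, perm):
        """Consult only the target znode's own ACL: ACLs are not recursive."""
        for scheme, ident, bits in map(parse_acl, self.acls[path]):
            if id_matches(scheme, ident, client_ip) and (bits & perm) == perm:
                return True
        return False

    def create(self, path, acl, creator_ip):
        """CREATE is checked on the parent; the child gets exactly `acl` and
        inherits nothing from the parent."""
        parent = path.rsplit("/", 1)[0] or "/"
        if not self.check(parent, creator_ip, CREATE):
            raise PermissionError(f"{creator_ip} lacks CREATE on {parent}")
        self.acls[path] = list(acl)


def demo():
    """Reproduce the thread's conclusion with constructed znodes and clients."""
    tree = ZnodeTree()
    insider, outsider = "10.0.1.5", "192.0.2.9"  # constructed addresses
    tree.create("/app", ["ip:10.0.0.0/16:cdrwa"], insider)
    # Child created world-readable: /app's restriction does not protect it.
    tree.create("/app/status", ["world:anyone:r"], insider)
    # Child that repeats the restriction: protected only because it was set here.
    tree.create("/app/secret", ["ip:10.0.0.0/16:cdrwa"], insider)
    try:
        tree.create("/app/evil", ["world:anyone:cdrwa"], outsider)
        outsider_created = True
    except PermissionError:
        outsider_created = False
    return {
        "outsider_reads_app": tree.check("/app", outsider, READ),
        "outsider_reads_status": tree.check("/app/status", outsider, READ),
        "outsider_reads_secret": tree.check("/app/secret", outsider, READ),
        "insider_reads_secret": tree.check("/app/secret", insider, READ),
        "outsider_created_under_app": outsider_created,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the outsider denied on `/app` and `/app/secret` but allowed to read `/app/status`, because the only ACL consulted is the one on the znode being accessed. Nothing in the model ever refused the outsider's connection; if the goal is to keep 192.0.2.9 off the ensemble entirely, that is the firewall rule on the client port, as Michael says.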
