Securing zookeeper, where to start?

大城市里の小女人 submitted on 2020-01-02 05:25:11

Question


I feel lost trying to figure out what my options are. Apache's programmers guide and administrators guide do not detail anything substantial. My O'Reilly Zookeeper book barely talks about security... did I miss something? I was hoping to find tutorials through google about authenticating client connections, authorizing actions, and encrypting messages sent between zookeepers and client.


Answer 1:


I had a lot of trouble but I figured it out and the links at the bottom were a huge help to me.

This code (using Curator) was something hard to figure out:

import java.util.ArrayList;
import java.util.List;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

// Grant ALL permissions only to the identities this session has authenticated as (AUTH_IDS)
List<ACL> myAclList = new ArrayList<ACL>();
myAclList.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
client.create().withACL(myAclList).forPath(myPath);

If I set up the zookeeper configuration correctly, then it will enforce that only the AUTH_IDS will be allowed to access my ZNode.

Official documentation, My mailing list Q1, My mailing list Q2, JIRA that I found useful, but some items are out of date
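The ACL in that snippet only does what the answer says if the session has authenticated before the create: the server resolves AUTH_IDS from the ids attached to the session, so an unauthenticated create fails with InvalidACL, and an authenticated one yields a node readable only by that digest identity. The following is an added example, not code from the original answer or from Curator's documentation, that shows the full flow with Curator's digest authentication plus the two checks a practitioner would run afterwards (an anonymous session and a differently authenticated session must both be refused). The connect string, the path /secure/config and the credentials alice:secret and bob:otherpass are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class AuthIdsAclDemo {
    // Assumed for this demo: an ensemble reachable here (not from the original post).
    private static final String CONNECT = "localhost:2181";
    private static final String PATH = "/secure/config";

    /** Builds and starts a client; digestCredentials is "user:password" or null for anonymous. */
    private static CuratorFramework connect(String digestCredentials) {
        CuratorFrameworkFactory.Builder b = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3));
        if (digestCredentials != null) {
            // Same as "addauth digest user:password" in zkCli. It must be in place before the
            // create below, because AUTH_IDS is expanded from the session's authenticated ids.
            b.authorization("digest", digestCredentials.getBytes(StandardCharsets.UTF_8));
        }
        CuratorFramework client = b.build();
        client.start();
        return client;
    }

    public static void main(String[] args) throws Exception {
        // ALL permissions, but only for whoever this session authenticated as. The server stores
        // it as digest:alice:<base64(sha1("alice:secret"))>, never the password itself.
        List<ACL> ownerOnly = Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));

        try (CuratorFramework alice = connect("alice:secret")) {
            alice.create()
                 .creatingParentsIfNeeded() // parents get Curator's default ACL, NOT ownerOnly (see note)
                 .withMode(CreateMode.PERSISTENT)
                 .withACL(ownerOnly)
                 .forPath(PATH, "db.password=...".getBytes(StandardCharsets.UTF_8));
            System.out.println("created " + PATH + " with ACL " + alice.getACL().forPath(PATH));
        }

        // Check 1: an unauthenticated session must be refused.
        try (CuratorFramework anon = connect(null)) {
            anon.getData().forPath(PATH);
            System.out.println("BUG: anonymous read succeeded");
        } catch (KeeperException.NoAuthException expected) {
            System.out.println("anonymous read rejected: " + expected.getMessage());
        }

        // Check 2: a session authenticated as a different digest identity must also be refused.
        try (CuratorFramework bob = connect("bob:otherpass")) {
            bob.getData().forPath(PATH);
            System.out.println("BUG: bob could read alice's node");
        } catch (KeeperException.NoAuthException expected) {
            System.out.println("bob rejected: " + expected.getMessage());
        }

        // The owner can still read and update the node.
        try (CuratorFramework alice = connect("alice:secret")) {
            alice.setData().forPath(PATH, "db.password=rotated".getBytes(StandardCharsets.UTF_8));
            System.out.println("owner read back: "
                    + new String(alice.getData().forPath(PATH), StandardCharsets.UTF_8));
        }
    }
}
```

Two caveats worth knowing when you adopt this pattern. ACLs are not inherited and the DELETE permission lives on the parent, so if /secure was auto-created with the open default ACL, anyone can delete /secure/config even though nobody else can read it; give the parent a restrictive ACL too (Curator's ACLProvider is one way to do that uniformly). And the digest scheme sends user:password to the server in clear text on the plaintext client port, so it only becomes a real credential when combined with the TLS setup described in the second answer.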




Answer 2:


Since zookeeper version 3.5.4-beta, you are able to enable using client certificates to secure communication to a remote zookeeper server:

Client

ZooKeeper client can use Netty by setting Java system property:

zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"

In order to do secure communication on client, set this Java system property:

zookeeper.client.secure=true

Note that with the "secure" property set the client could and should only connect to the server's "secureClientPort", which will be described shortly.

Then set up keystore and truststore environment by setting the following Java system properties:

zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"

Server

ZooKeeper server can use Netty by setting this Java system property:

zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

ZooKeeper server also needs to provide a listening port to accept secure client connections. This port is different from and running in parallel with the known “clientPort”. It should be added in “zoo.cfg”:

secureClientPort=2281

All secure clients (mentioned above) should connect to this port.

Then set up the keystore and truststore environment as the client does.

More info here: https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
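The properties above are usually passed on the command line, but when the client is an application it is convenient to set them in code before the first ZooKeeper connection is built, since the socket class is read when the ZooKeeper client object is constructed. The following is an added example, not code from the original answer or from the ZooKeeper project, that does exactly that with Curator and first validates the two stores, because the two most common reasons a TLS client "just hangs" are a keystore that contains only a certificate (no private key, so no client certificate can be presented) and a truststore without the CA that signed the servers' certificates. The file paths, passwords, host names and the digest credential are assumptions for the demo; the store type is taken from the JVM default and should match the files you actually generated.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;

public class TlsClientDemo {
    // Assumed locations and passwords for this demo (not from the original post).
    static final String KEYSTORE = "/etc/zk/client.keystore.jks";
    static final String TRUSTSTORE = "/etc/zk/truststore.jks";
    static final char[] KEYSTORE_PW = "keystore_password".toCharArray();
    static final char[] TRUSTSTORE_PW = "truststore_password".toCharArray();

    /** Loads a store and reports whether it has at least one entry of the kind we need. */
    static boolean storeHas(String path, char[] password, boolean wantPrivateKey)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (wantPrivateKey ? store.isKeyEntry(alias) : store.isCertificateEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    /** Fails fast instead of letting the TLS handshake fail silently in the connection loop. */
    static void sanityCheckStores() throws IOException, GeneralSecurityException {
        if (!storeHas(KEYSTORE, KEYSTORE_PW, true)) {
            throw new IllegalStateException(KEYSTORE
                    + " has no private key entry; a certificate-only store cannot present a client certificate");
        }
        if (!storeHas(TRUSTSTORE, TRUSTSTORE_PW, false)) {
            throw new IllegalStateException(TRUSTSTORE + " has no trusted certificate entries");
        }
    }

    /** The client-side properties from the answer, set before any ZooKeeper client is constructed. */
    static void configureTls() {
        System.setProperty("zookeeper.clientCnxnSocket", "org.apache.zookeeper.ClientCnxnSocketNetty");
        System.setProperty("zookeeper.client.secure", "true");
        System.setProperty("zookeeper.ssl.keyStore.location", KEYSTORE);
        System.setProperty("zookeeper.ssl.keyStore.password", new String(KEYSTORE_PW));
        System.setProperty("zookeeper.ssl.trustStore.location", TRUSTSTORE);
        System.setProperty("zookeeper.ssl.trustStore.password", new String(TRUSTSTORE_PW));
    }

    public static void main(String[] args) throws Exception {
        sanityCheckStores();
        configureTls();
        // Port 2281 is the secureClientPort from zoo.cfg; a secure client must not be pointed
        // at the plaintext clientPort 2181, where the handshake has nothing to talk to.
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("zk1.example.internal:2281,zk2.example.internal:2281,zk3.example.internal:2281")
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                // Digest credentials now travel inside the TLS channel instead of in clear text.
                .authorization("digest", "alice:secret".getBytes(StandardCharsets.UTF_8))
                .build();
        client.start();
        client.blockUntilConnected();
        try {
            List<String> roots = client.getChildren().forPath("/");
            System.out.println("connected over TLS; root children: " + roots);
        } finally {
            client.close();
        }
    }
}
```

The server-side properties in the answer turn on encryption; whether the client's certificate is required and mapped to an identity usable in ACLs (the x509 scheme) depends on the server's authProvider configuration, so after enabling secureClientPort also test from a client that presents no certificate and confirm it is rejected rather than merely encrypted.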



Source: https://stackoverflow.com/questions/32106117/securing-zookeeper-where-to-start
