Description
Currently 4lw commands are executed without authentication and can be accessed from any IP which has access to ZooKeeper server. ZOOKEEPER-2693 attempts to limit the 4lw commands which are enabled by default or enabled by configuration.
In addition to ZOOKEEPER-2693 we should also restrict 4lw commands based on client IP as well. It is required for following scenario
- User wants to enable all the 4lw commands
- User wants to limit the access of the commands which are considered to be safe by default.
Implementation:
we can introduce new property 4lw.commands.host.whitelist
- By default we allow all the hosts, but off course only on the 4lw exposed commands as per the
ZOOKEEPER-2693 - It can be configured to allow individual IPs(192.168.1.2,192.168.1.3 etc.)
- It can also be configured to allow group of IPs like 192.168.1.*