ZooKeeper / ZOOKEEPER-2699

Restrict 4lw commands based on client IP


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security, server
    • Labels:
      None

      Description

      Currently 4lw commands are executed without authentication and can be accessed from any IP which has access to the ZooKeeper server. ZOOKEEPER-2693 attempts to limit the 4lw commands which are enabled by default or enabled by configuration.

      In addition to ZOOKEEPER-2693, we should also restrict 4lw commands based on client IP. It is required for the following scenarios:

      1. User wants to enable all the 4lw commands
      2. User wants to limit the access of the commands which are considered to be safe by default.

      Implementation:
      We can introduce a new property 4lw.commands.host.whitelist

      1. By default we allow all the hosts, but of course only on the 4lw exposed commands as per ZOOKEEPER-2693
      2. It can be configured to allow individual IPs (192.168.1.2,192.168.1.3 etc.)
      3. It can also be configured to allow a group of IPs like 192.168.1.*
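
      The matching rules proposed above, sketched as an added example (not ZooKeeper code; the issue was resolved Won't Fix, so 4lw.commands.host.whitelist exists only as this proposal). The class and method names are hypothetical, the sample property value is constructed, and allowing `*` in any octet is an assumption. Octets are compared numerically so that a pattern such as 192.168.1.* cannot match 192.168.10.x the way a string-prefix check would.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added illustration of the proposed 4lw.commands.host.whitelist semantics.
// Hypothetical class and method names; this is not ZooKeeper's own code.
public class FourLetterHostWhitelist {
    // Each rule is four octets; -1 stands for the "*" wildcard.
    private final List<int[]> rules = new ArrayList<>();

    public FourLetterHostWhitelist(String property) {
        // Unset property: allow all hosts, the default the issue proposes.
        if (property == null || property.trim().isEmpty()) return;
        // Limit -1 keeps empty entries, so a value like "," fails instead of allowing all.
        for (String entry : property.split(",", -1)) {
            String[] parts = entry.trim().split("\\.", -1);
            if (parts.length != 4) throw new IllegalArgumentException("not an IPv4 pattern: " + entry);
            int[] rule = new int[4];
            for (int i = 0; i < 4; i++) {
                rule[i] = parts[i].equals("*") ? -1 : Integer.parseInt(parts[i]);
                if (!parts[i].equals("*") && (rule[i] < 0 || rule[i] > 255)) {
                    throw new IllegalArgumentException("bad octet in: " + entry);
                }
            }
            rules.add(rule);
        }
    }

    // Match on the socket's peer address, octet by octet, never on a hostname string.
    public boolean isAllowed(InetAddress client) {
        if (rules.isEmpty()) return true;
        byte[] addr = client.getAddress();
        if (addr.length != 4) return false; // IPv6 peer: no IPv4 pattern applies
        for (int[] rule : rules) {
            boolean match = true;
            for (int i = 0; i < 4 && match; i++) {
                match = rule[i] == -1 || rule[i] == (addr[i] & 0xFF);
            }
            if (match) return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        FourLetterHostWhitelist wl = new FourLetterHostWhitelist("192.168.1.*,10.0.0.7"); // constructed value
        for (String ip : new String[] {"192.168.1.44", "192.168.10.44", "10.0.0.7", "10.0.0.8"}) {
            System.out.println(ip + " -> " + wl.isAllowed(InetAddress.getByName(ip)));
        }
    }
}
```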


            People

            • Assignee: Mohammad Arshad (arshad.mohammad)
            • Reporter: Mohammad Arshad (arshad.mohammad)
            • Votes: 0
            • Watchers: 3
