From 4dd266afd60c95c07da93af2ecd6045f62683d32 Mon Sep 17 00:00:00 2001 From: Eyal Lupu Date: Mon, 15 Feb 2016 16:38:14 +0000 Subject: [PATCH] Update index.html.md Documentation: Zookeeper authentication and ACLs --- website/source/docs/config/index.html.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/website/source/docs/config/index.html.md b/website/source/docs/config/index.html.md index 5787d4ec62..efec6b3904 100644 --- a/website/source/docs/config/index.html.md +++ b/website/source/docs/config/index.html.md 
@@ -256,16 +256,28 @@ The following optional settings can be used to configure zNode ACLs of the user information) * 'ip:127.0.01' - Access from localhost only * 'ip:70.95.0.0/16' - Any host on the 70.95.0.0 network (CIDR is supported starting from Zookeeper 3.5.0) -In neither of those is set the backend will not authenticate with Zookeeper and will set the OPEN_ACL_UNSAFE ACL + +If neither of these is set the backend will not authenticate with Zookeeper and will set the OPEN_ACL_UNSAFE ACL on all nodes. The affect would be that anyone connected to Zookeeper could change Vault’s znodes and, potentially, -take Vault out of service. Sample configurations: +take Vault out of service. + +Some sample configurations: ```` backend "zookeeper" { znode_owner = "digest:vaultUser:raxgVAfnDRljZDAcJFxznkZsExs=" auth_info = "digest:vaultUser:abc" } ```` +With the above configuration Vault will set an ACL on all of its zNodes permitting access to vaultUser only. If digest schema +is used please protect this file as it contains the clear text password. As per Zookeeper ACL model the digest value +(in znode_owner) must match the user (in znode_owner). +```` +backend "zookeeper" { + znode_owner = "ip:127.0.0.1" + } +```` +The above allows access from localhost only - as this is the IP schema no auth_info is required since Zookeeper uses the address of the clients to do the ACL check. Zookeeper version 3.5.0 and above should support CIDR (which make much more sense). #### Backend Reference: DynamoDB (Community-Supported)
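Review bot: the added sentence "As per Zookeeper ACL model the digest value (in znode_owner) must match the user (in znode_owner)" names znode_owner twice, so the requirement it is trying to state is lost; the second reference should be auth_info, i.e. the digest in znode_owner must be derived from the same user and password that auth_info presents, otherwise Vault authenticates as one identity while restricting its zNodes to another and can lock itself out. Smaller points in the same hunk: ZooKeeper calls these "schemes", not "schema" (in "If digest schema is used" and "as this is the IP schema"); "which make much more sense" should read "which makes"; the second sample block indents the closing brace under znode_owner instead of aligning it with "backend"; and the unchanged context lines still carry "ip:127.0.01" (missing a dot, so the example is not a valid address) and "The affect would be" (effect), both worth fixing while this section is being edited.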