
By default, authentication is performed by the X509AuthenticationProvider, corresponding to the auth scheme “x509.” This is initialized with server certificates and trusted client certificates specified according to the following properties:

    zookeeper.ssl.keyStore.location
    zookeeper.ssl.keyStore.password
    zookeeper.ssl.trustStore.location
    zookeeper.ssl.trustStore.password

The keyStore JKS file contains the server certificate and its private key. Clients must trust this certificate, i.e. the server's certificate or its issuing CA must be present in each client's trustStore JKS file.

Conversely, the trustStore JKS file on the server contains the client certificates, or the CA that issued them, which the server will trust.

Once authentication is complete and a ZooKeeper session is established, the client may set ACLs against the “x509” scheme.


x509 uses the client’s authenticated X500 Principal as an ACL ID identity. The ACL expression is the exact X500 Principal name of an authenticated client.

Similar to the digest auth scheme, an x509 “superUser” can be configured by the server. Set the property zookeeper.X509AuthenticationProvider.superUser to an X500 Principal that corresponds to a client that should have full privileges to all znodes regardless of ACLs.
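The following is an added example, not code from the ZooKeeper project or this page: it shows a client that connects over TLS with the keyStore/trustStore properties above and creates a znode whose ACL grants full rights only to its own X500 Principal under the "x509" scheme, plus read-only access to everyone. Paths, the principal DN and the connect string are constructed placeholders; the example assumes the server derives the ACL ID with X500Principal.getName() (RFC 2253 form), so the ACL string is built the same way rather than typed by hand.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class X509AclExample {
    public static void main(String[] args) throws Exception {
        // Client-side TLS: same property names as the server side, pointing at the
        // client's own keystore (its cert + key) and a truststore holding the server CA.
        // All paths and passwords below are constructed placeholders.
        System.setProperty("zookeeper.client.secure", "true");
        System.setProperty("zookeeper.clientCnxnSocket",
                "org.apache.zookeeper.ClientCnxnSocketNetty");
        System.setProperty("zookeeper.ssl.keyStore.location", "/etc/zk/client1.jks");
        System.setProperty("zookeeper.ssl.keyStore.password", "changeit-client");
        System.setProperty("zookeeper.ssl.trustStore.location", "/etc/zk/truststore.jks");
        System.setProperty("zookeeper.ssl.trustStore.password", "changeit-trust");

        // The ACL expression must be the exact X500 Principal name the server sees.
        // Normalising through X500Principal.getName() avoids mismatches caused by
        // spacing or attribute order (e.g. "CN=client1, OU=Ops" vs "CN=client1,OU=Ops").
        X500Principal self = new X500Principal("CN=client1, OU=Ops, O=Example, C=US");
        String principalName = self.getName(); // "CN=client1,OU=Ops,O=Example,C=US"

        List<ACL> acls = Arrays.asList(
                // Full control only for the authenticated certificate holder.
                new ACL(ZooDefs.Perms.ALL, new Id("x509", principalName)),
                // Read-only for any session; drop this line if the data is not public.
                new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));

        // Placeholder connect string; the port is the server's secureClientPort.
        ZooKeeper zk = new ZooKeeper("zk1.example.internal:2281", 30_000, event -> { });
        try {
            byte[] data = "config-v1".getBytes(StandardCharsets.UTF_8);
            String created = zk.create("/secure/config", data, acls, CreateMode.PERSISTENT);
            System.out.println("created " + created + " with ACL for " + principalName);
        } finally {
            zk.close();
        }
    }
}
```

A certificate whose DN differs from the ACL entry in any attribute is denied even if it chains to a trusted CA, so the DN in the ACL should be copied from the certificate the server actually receives; the server-side zookeeper.X509AuthenticationProvider.superUser principal bypasses this ACL entirely and should be reserved for a separately issued, tightly held certificate.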