...
Similar to the digest auth scheme, an x509 “superUser” can be configured by the server. Set the property zookeeper.X509AuthenticationProvider.superUser to an X500 Principal that corresponds to a client that should have full privileges to all znodes regardless of ACLs.
Custom Authentication Provider
ZooKeeper can be configured to use a different X509-based trust mechanism. This is useful in certificate key infrastructures that do not use JKS.
To specify a custom authentication provider, extend the org.apache.zookeeper.server.auth.X509AuthenticationProvider class. It may be necessary to extend javax.net.ssl.X509KeyManager and javax.net.ssl.X509TrustManager to get the desired behavior from the SSL stack.
To configure the ZooKeeper server to use the custom provider for authentication, choose a scheme name and set the property zookeeper.authProvider.[scheme] to the fully-qualified class name of the custom implementation. This will load the provider into the ProviderRegistry. Then set the property zookeeper.ssl.authProvider=[scheme] and that provider will be used for secure authentication.
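A sketch of such a provider for a PKI that issues a PEM CA bundle and a PKCS#12 server identity instead of JKS files. This is an added example, not code from the ZooKeeper project; the class name, the scheme name pemx509, the example.zk.* system properties and the EXAMPLE_ZK_P12_PASSWORD environment variable are all hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;

// Hypothetical provider: trust anchors from a PEM bundle, server identity from PKCS#12.
public class PemX509AuthenticationProvider extends X509AuthenticationProvider {
    // No-argument constructor so the server can instantiate the class by name.
    public PemX509AuthenticationProvider() {
        super(trustManager(System.getProperty("example.zk.caBundle")),   // assumed property
              keyManager(System.getProperty("example.zk.serverP12"),     // assumed property
                         System.getenv("EXAMPLE_ZK_P12_PASSWORD")));     // assumed variable
    }
    @Override
    public String getScheme() { return "pemx509"; } // the [scheme] name chosen in the configuration

    private static X509TrustManager trustManager(String pemPath) {
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
            anchors.load(null, null); // empty in-memory store; no JKS file is read
            int n = 0;
            for (Certificate ca : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                anchors.setCertificateEntry("ca-" + n++, ca);
            }
            // Fail at startup rather than run with an empty trust store.
            if (n == 0) throw new IllegalStateException("no CA certificates in " + pemPath);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(anchors);
            return (X509TrustManager) tmf.getTrustManagers()[0];
        } catch (Exception e) {
            throw new IllegalStateException("cannot build trust manager from " + pemPath, e);
        }
    }
    private static X509KeyManager keyManager(String p12Path, String password) {
        try (InputStream in = Files.newInputStream(Paths.get(p12Path))) {
            KeyStore identity = KeyStore.getInstance("PKCS12");
            identity.load(in, password.toCharArray());
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, password.toCharArray());
            return (X509KeyManager) kmf.getKeyManagers()[0];
        } catch (Exception e) {
            throw new IllegalStateException("cannot build key manager from " + p12Path, e);
        }
    }
}
```

With this class on the server classpath, the two properties described above would be zookeeper.authProvider.pemx509=PemX509AuthenticationProvider and zookeeper.ssl.authProvider=pemx509.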