ZooKeeper Access Control
ZooKeeper provides Access Control to its data via an Access Control List (ACL) mechanism.
When data is written to ZooKeeper, NiFi will provide an ACL that indicates that any user is
allowed to have full permissions to the data, or an ACL that indicates that only the user
that created the data is allowed to access the data. Which ACL is used depends on the value
of the Access Control
property for the
ZooKeeperStateProvider
(see the Configuring State Providers section for more
information).
In order to use an ACL that indicates that only the Creator is allowed to access the data, we need to tell ZooKeeper who the Creator is. There are three mechanisms for accomplishing this. The first mechanism is to provide authentication using Kerberos. See Kerberizing NiFi's ZooKeeper Client for more information.
The second option, which additionally ensures that network communication is encrypted, is to authenticate using an X.509 certificate on a TLS-enabled ZooKeeper server. See Securing ZooKeeper with TLS for more information.
The third option is to use a username and password. This is configured by specifying a
value for the Username
and a value for the Password
properties for the ZooKeeperStateProvider
(see the Configuring State Providers section for more
information). The important thing to keep in mind here, though, is that ZooKeeper will pass
around the password in plain text. This means that using a username and password should not
be used unless ZooKeeper is running on localhost as a one-instance cluster, or if
communications with ZooKeeper occur only over encrypted communications, such as a VPN or an
SSL connection.