Hello,

Recently I worked on a feature in Apache Bookkeeper where we introduced role-based authorization based on client certificates and I think the Zookeeper community could use it too. I wanted to socialize the idea with the community to gauge its receptivity for this and contribute if you folks think it's worthwhile.

The general idea is:

* Inject service name / role in client certificate while generating certificates for given service.
* Add code to read user configured 'services / roles' from config file while bringing up ZK server.
* When a client makes a connection, as a part of the TLS handshake, read, verify and authorize client certificate and match it with what has been configured for the server.

More details about this proposal can be found in this document that I wrote for the Bookkeeper community here <https://docs.google.com/document/d/15atmnl3pS4HrhQ6fV-gSY7faIVlmU91KoApBaXPjEfg/edit?usp=sharing>.

Regards,
Anup

--
Anup Ghatage
www.ghatage.com
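
The server-side matching step from the list above, as an added example that is not part of the original message and is not BookKeeper or ZooKeeper code. It assumes the role is carried in the certificate subject's OU attribute and that the server config uses a hypothetical `authorizedRoles` key; the class name and sample subjects are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CertRoleAuthorizer {
    private final Set<String> allowedRoles = new HashSet<>();

    // Hypothetical config key "authorizedRoles": comma-separated role names.
    CertRoleAuthorizer(Properties serverConfig) {
        for (String r : serverConfig.getProperty("authorizedRoles", "").split(",")) {
            if (!r.trim().isEmpty()) allowedRoles.add(r.trim());
        }
    }

    // Assumption: the role was placed in the subject's OU attribute at issuance.
    // Call only with the subject of a certificate the TLS stack has already
    // validated against the server's trust store.
    boolean isAuthorized(X500Principal subject) {
        try {
            // Parse the DN instead of substring-matching it, so role-like
            // text inside another attribute is never treated as a role.
            for (Rdn rdn : new LdapName(subject.getName()).getRdns()) {
                if ("OU".equalsIgnoreCase(rdn.getType())
                        && allowedRoles.contains(rdn.getValue().toString())) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable subject: fall through and deny.
        }
        return false; // default deny: no OU, unknown role, or empty role list
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        cfg.load(new StringReader("authorizedRoles=zk-admin, zk-client\n"));
        CertRoleAuthorizer authz = new CertRoleAuthorizer(cfg);
        // Constructed sample subjects, not taken from any real deployment.
        String[] subjects = {
            "CN=svc-a,OU=zk-client,O=Example",
            "CN=svc-b,OU=billing,O=Example",
            "CN=OU\\=zk-admin,O=Example", // role-like text inside CN
        };
        for (String s : subjects) {
            System.out.println(s + " -> " + authz.isAuthorized(new X500Principal(s)));
        }
    }
}
```

The check fails closed: a missing or empty role list, a subject with no OU, or a subject that cannot be parsed all result in a denied connection.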