¶ Authentication and Authorization
- Enable SASL/Kerberos or digest authentication for clients.
- Apply ACLs on znodes and avoid world-readable defaults.
- Use dedicated service principals or users per application.
- Enable TLS for client and quorum communication where supported.
- Use strong keystore/truststore management and rotate certificates.
- Disable plaintext management or admin endpoints on untrusted networks.
- Restrict network access to known cluster members and clients.
- Separate ZooKeeper hosts from general-purpose workloads.
- Keep JVM and ZooKeeper patched to current stable versions.
¶ Monitoring and Recovery
- Monitor session expirations, follower lag, and election events.
- Forward logs to centralized monitoring and SIEM.
- Back up snapshots/transaction logs and test coordinated recovery.