Posted to user@zookeeper.apache.org by oo4load <c....@gmail.com> on 2017/10/17 10:18:02 UTC

Zookeeper 3.5.3 reconfig blocked by ACL

I have a 3.5.3 cluster where I am trying out the reconfig command. I am
running with reconfigEnabled=true.
When I try reconfig I run into an issue with ACL.

[zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
Authentication is not valid :

The config node is protected:
[zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
'world,'anyone
: r


The way this is set up, it seems only a superuser-enabled cluster can use the
reconfig command. Is that true, or am I missing something? The
documentation never mentioned it.




--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: Zookeeper 3.5.3 reconfig blocked by ACL

Posted by Jordan Zimmerman <jo...@jordanzimmerman.com>.
FWIW - I've had this PR out for a while that makes this situation a lot easier by adding an override. I'd love to see this merged:

https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-2779

-Jordan

> On Oct 18, 2017, at 2:29 AM, Michael Han <ha...@apache.org> wrote:
> 
>>> The way this is set up it seems only a superuser enabled cluster can use
> the reconfig command.
> 
> You can also configure the ACL associated with the "/config" znode so your
> chosen users have permission to both read and write the config znode, after
> they are authenticated (using your favorite authentication scheme built in
> ZK, such as SASL). This way you don't have to operate under the credential
> of superuser. By default, in 3.5.3 beta the "/config" znode is read only,
> which effectively disables the reconfig API except for the superuser, who
> is not subject to ACL checks.
> 
> On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <sh...@gmail.com> wrote:
> 
>> Hi,
>> 
>> Please look for "sc_reconfig_access_control"
>> Here:
>> https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html
>> 
>> Thanks,
>> Alex
>> 
>> On Tue, Oct 17, 2017 at 3:18 AM, oo4load <c....@gmail.com> wrote:
>> 
>>> I have a 3.5.3 cluster where I am trying out the reconfig command. I am
>>> running with reconfigEnabled=true.
>>> When I try reconfig I run into an issue with ACL.
>>> 
>>> [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
>>> Authentication is not valid :
>>> 
>>> The config node is protected:
>>> [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
>>> 'world,'anyone
>>> : r
>>> 
>>> 
>>> The way this is set up it seems only a superuser enabled cluster can use
>>> the
>>> reconfig command. Is that true, or am I missing something ? The
>>> documentation never mentioned it.
>>> 
>>> 
>>> 
>>> 
>>> --
>>> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>>> 
>> 


Re: Zookeeper 3.5.3 reconfig blocked by ACL

Posted by Michael Han <ha...@apache.org>.
>> The way this is set up it seems only a superuser enabled cluster can use
>> the reconfig command.

You can also configure the ACL associated with the "/config" znode so your
chosen users have permission to both read and write the config znode, after
they are authenticated (using your favorite authentication scheme built in
ZK, such as SASL). This way you don't have to operate under the credential
of superuser. By default, in 3.5.3 beta the "/config" znode is read only,
which effectively disables the reconfig API except for the superuser, who
is not subject to ACL checks.

On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <sh...@gmail.com> wrote:

> Hi,
>
> Please look for "sc_reconfig_access_control"
> Here:
> https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html
>
> Thanks,
> Alex
>
> On Tue, Oct 17, 2017 at 3:18 AM, oo4load <c....@gmail.com> wrote:
>
> > I have a 3.5.3 cluster where I am trying out the reconfig command. I am
> > running with reconfigEnabled=true.
> > When I try reconfig I run into an issue with ACL.
> >
> > [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
> > Authentication is not valid :
> >
> > The config node is protected:
> > [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
> > 'world,'anyone
> > : r
> >
> >
> > The way this is set up it seems only a superuser enabled cluster can use
> > the
> > reconfig command. Is that true, or am I missing something ? The
> > documentation never mentioned it.
> >
> >
> >
> >
> > --
> > Sent from: http://zookeeper-user.578899.n2.nabble.com/
> >
>
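
An added example, not part of any message in this thread and not ZooKeeper project code: a small Python check that parses getAcl output in the two-line format shown in the thread and reports who can use reconfig, following the reply's point that a user needs both read and write permission on the config znode. The SASL principal "zkadmin" and the second and third sample ACLs are constructed for illustration.

```python
import re

# zkCli (3.5.x) prints each ACL entry as two lines:  'scheme,'id  then  : perms
ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")

def parse_getacl(output):
    """Turn zkCli getAcl output into a list of (scheme, id, perms) tuples."""
    acls, pending = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("[zk:"):
            continue  # skip blank lines and the echoed prompt
        match = ENTRY.match(line)
        if match:
            pending = (match.group("scheme"), match.group("id"))
        elif line.startswith(":") and pending:
            acls.append((*pending, line[1:].strip()))
            pending = None
    return acls

def reconfig_report(acls):
    """Report who holds read+write on the config znode (what reconfig needs)."""
    writers = [f"{s}:{i}" for s, i, p in acls if "r" in p and "w" in p]
    return {
        "reconfig_allowed": writers,
        # No writer in the ACL: only a superuser, who bypasses ACL checks, can reconfig.
        "superuser_only": not writers,
        # world:anyone with write lets any client change ensemble membership.
        "open_to_everyone": "world:anyone" in writers,
        # Holders of the admin bit can rewrite this ACL later.
        "acl_admins": [f"{s}:{i}" for s, i, p in acls if "a" in p],
    }

# Output copied from the thread (the read-only default described for 3.5.3).
DEFAULT_ACL = """[zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
'world,'anyone
: r
"""
# Constructed samples: a hypothetical SASL principal, and an over-permissive ACL.
DELEGATED_ACL = "'sasl,'zkadmin\n: rw\n'world,'anyone\n: r\n"
OPEN_ACL = "'world,'anyone\n: cdrwa\n"

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_ACL), ("delegated", DELEGATED_ACL), ("open", OPEN_ACL)]:
        print(name, reconfig_report(parse_getacl(text)))
```

The "open" case is the one to alert on: it removes the need for a superuser by letting every client, authenticated or not, change the ensemble.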

Re: Zookeeper 3.5.3 reconfig blocked by ACL

Posted by Alexander Shraer <sh...@gmail.com>.
Hi,

Please look for "sc_reconfig_access_control"
Here:
https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html

Thanks,
Alex

On Tue, Oct 17, 2017 at 3:18 AM, oo4load <c....@gmail.com> wrote:

> I have a 3.5.3 cluster where I am trying out the reconfig command. I am
> running with reconfigEnabled=true.
> When I try reconfig I run into an issue with ACL.
>
> [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
> Authentication is not valid :
>
> The config node is protected:
> [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
> 'world,'anyone
> : r
>
>
> The way this is set up it seems only a superuser enabled cluster can use
> the
> reconfig command. Is that true, or am I missing something ? The
> documentation never mentioned it.
>
>
>
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>