Posted to user@zookeeper.apache.org by Megha Sharma <me...@gmail.com> on 2017/02/08 15:22:52 UTC

Setting acls in Zookeeper

Hi All,
I have been trying to set acls with zkCli and it seems like the acls don’t
take effect until all the zkServers are restarted. Do the acls need
zkServer restart?
Also, I am running a mesos cluster which uses zookeeper for its leader
election. Mesos creates znodes /mesos with ZOO_AUTH_IDS and
ZOO_READ_ACL_UNSAFE and I am trying to mimic that and set the acls manually
as the znodes are already created. So far I have tried the following with
zkCli to mimic mesos’ setting of credentials and none of them seems to
work. I am not sure if the below approach is the right way to set acls like
ZOO_AUTH_IDS with zkCli. Any ideas?

addauth digest user:pwd
setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa

addauth digest user:pwd
setAcl /mesos world:anyone:r,auth::crdwa

Thanks
Megha

Re: Setting acls in Zookeeper

Posted by Megha Sharma <me...@gmail.com>.
Addition to my previous mail.

From the zookeeper doc, I understand that you don't need to provide id for
auth scheme but if you just do
"setAcl /znode auth:crdwa" with zkCli then it complains that auth:crdwa
does not have the form scheme:id:perm so I have been using the two
approaches where I leave the id part for auth either empty "setAcl /mesos
auth::cdrwa" or provide the id "setAcl /mesos auth:zk:cdrwa" so I am not
sure which one correctly translates to ZOO_AUTH_IDS.

Thanks
Megha

From the doc

On Wed, Feb 8, 2017 at 1:35 PM, Megha Sharma <me...@gmail.com>
wrote:

> Thanks Jordan,
> that was very helpful indeed!
> So, setAcl is the only thing that matters in terms of setting acls for
> zookeeper.
>
> My next question is very zkCli specific.
>
> One of the softwares I am running sets acls ZOO_AUTH_IDS +
> ZOO_READ_ACL_UNSAFE programmatically while creating the new znode and I
> have to mimic the auth it sets using zkCli.
>
> That means I have to translate ZOO_AUTH_IDS ((‘auth’,’’), ZOO_AUTH_IDS
> empty identity string should be interpreted as “the identity of the
> creator”.) to scheme:id:perm for zkCli. I tried two different setAcls
>
> 1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you
> don't need pwd)
>
> 2) setAcl /mesos auth::cdrwa
>
> Only the second one gives me ‘auth’,’’ (empty string). Is this how you set
> ZOO_AUTH_IDS with zkCli?
>
> Thanks
> Megha
>
> On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <
> jordan@jordanzimmerman.com> wrote:
>
>> AddAuth sets the authorization value for the current connection. It's the
>> client-side portion of the ACL spec. What you want is "setAcl".
>>
>>         setAcl [-s] [-v version] path acl
>>
>> -Jordan
>>
>> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <me...@gmail.com>
>> wrote:
>> >
>> > Thanks Jordan
>> > That was my understanding as well, wanted to make sure that setting acls
>> > doesn't need zkServer restart. The way I am setting the acls could be
>> > faulty then, I am trying to set the acl ZOO_AUTH_IDS and
>> > ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc,
>> ZOO_AUTH_IDS
>> > translates to (‘auth’,’’) and empty identity string should be
>> interpreted
>> > as “the identity of the creator”. I have tried both empty identity
>> string
>> > (2) and with credentials (1) with zkCli and I am not sure which is the
>> > correct way of achieving ZOO_AUTH_IDS.
>> >
>> >
>> > 1) addauth digest user:pwd
>> >    setAcl /mesos world:anyone:r,auth::crdwa
>> >
>> > 2) addauth digest user:pwd
>> >    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
>> >
>> > Thanks
>> > Megha
>> >
>> >
>> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <
>> jordan@jordanzimmerman.com
>> >> wrote:
>> >
>> >>> I have been trying to set acls with zkCli and it seems like the acls
>> >> don’t
>> >>> take effect until all the zkServers are restarted. Do the acls need
>> >>> zkServer restart?
>> >>
>> >> No. ACL changes take effect immediately. It's a ZNode modification like
>> >> any other. Do you have an example of the problem?
>> >>
>> >> -Jordan
>>
>>
>

Re: Setting acls in Zookeeper

Posted by Megha Sharma <me...@gmail.com>.
Thanks Jordan,
that was very helpful indeed!
So, setAcl is the only thing that matters in terms of setting acls for
zookeeper.

My next question is very zkCli specific.

One of the softwares I am running sets acls ZOO_AUTH_IDS +
ZOO_READ_ACL_UNSAFE programmatically while creating the new znode and I
have to mimic the auth it sets using zkCli.

That means I have to translate ZOO_AUTH_IDS ((‘auth’,’’), ZOO_AUTH_IDS
empty identity string should be interpreted as “the identity of the
creator”.) to scheme:id:perm for zkCli. I tried two different setAcls

1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you
don't need pwd)

2) setAcl /mesos auth::cdrwa

Only the second one gives me ‘auth’,’’ (empty string). Is this how you set
ZOO_AUTH_IDS with zkCli?

Thanks
Megha

On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <
jordan@jordanzimmerman.com> wrote:

> AddAuth sets the authorization value for the current connection. It's the
> client-side portion of the ACL spec. What you want is "setAcl".
>
>         setAcl [-s] [-v version] path acl
>
> -Jordan
>
> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <me...@gmail.com>
> wrote:
> >
> > Thanks Jordan
> > That was my understanding as well, wanted to make sure that setting acls
> > doesn't need zkServer restart. The way I am setting the acls could be
> > faulty then, I am trying to set the acl ZOO_AUTH_IDS and
> > ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
> > translates to (‘auth’,’’) and empty identity string should be interpreted
> > as “the identity of the creator”. I have tried both empty identity string
> > (2) and with credentials (1) with zkCli and I am not sure which is the
> > correct way of achieving ZOO_AUTH_IDS.
> >
> >
> > 1) addauth digest user:pwd
> >    setAcl /mesos world:anyone:r,auth::crdwa
> >
> > 2) addauth digest user:pwd
> >    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
> >
> > Thanks
> > Megha
> >
> >
> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <
> jordan@jordanzimmerman.com
> >> wrote:
> >
> >>> I have been trying to set acls with zkCli and it seems like the acls
> >> don’t
> >>> take effect until all the zkServers are restarted. Do the acls need
> >>> zkServer restart?
> >>
> >> No. ACL changes take effect immediately. It's a ZNode modification like
> >> any other. Do you have an example of the problem?
> >>
> >> -Jordan
>
>
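
The zkCli ACL arguments tried in the messages above, run through a small model of the `scheme:id:perm` split (an added example, not part of the original thread and not ZooKeeper's own code). It assumes the scheme ends at the first colon and the permissions start after the last one, which is consistent with the "does not have the form scheme:id:perm" complaint quoted above; `parse_acl`, `matches_target` and `TARGET` are hypothetical names.

```python
# Added illustration, not ZooKeeper source: models splitting a zkCli-style
# ACL argument into (scheme, id, perms) entries.

# ZooKeeper permission bits: READ, WRITE, CREATE, DELETE, ADMIN.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
ALL = 31

# Target taken from the thread: world-readable plus ('auth', '') with cdrwa.
TARGET = [("world", "anyone", PERM_BITS["r"]), ("auth", "", ALL)]


def parse_acl(acl_string):
    """Return (entries, rejected) for a comma-separated ACL argument."""
    entries, rejected = [], []
    for item in acl_string.split(","):
        first, last = item.find(":"), item.rfind(":")
        # Assumption: two distinct colons are required, so the id is whatever
        # lies between the first and the last colon (it may be empty, or
        # contain colons itself, as in a digest id).
        if first == -1 or first == last:
            rejected.append(f"{item} does not have the form scheme:id:perm")
            continue
        perm_chars = item[last + 1:]
        unknown = set(perm_chars) - set(PERM_BITS)
        if unknown:
            rejected.append(f"{item} has unknown permissions {sorted(unknown)}")
            continue
        bits = 0
        for ch in perm_chars:
            bits |= PERM_BITS[ch]
        entries.append((item[:first], item[first + 1:last], bits))
    return entries, rejected


def matches_target(acl_string):
    """True when the argument yields exactly the ACL list in TARGET."""
    entries, rejected = parse_acl(acl_string)
    return not rejected and entries == TARGET


if __name__ == "__main__":
    # Arguments constructed from the commands quoted in the thread.
    for arg in ("auth:crdwa", "auth:zk:cdrwa", "world:anyone:r,auth::crdwa",
                "world:anyone:r,auth:user:pwd:cdrwa"):
        print(arg, "->", parse_acl(arg), "matches:", matches_target(arg))
```

Under this split, only the empty-id form produces the `('auth', '')` pair; `auth:user:pwd:cdrwa` yields the id `user:pwd` instead.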

Re: Setting acls in Zookeeper

Posted by Jordan Zimmerman <jo...@jordanzimmerman.com>.
AddAuth sets the authorization value for the current connection. It's the client-side portion of the ACL spec. What you want is "setAcl".

	setAcl [-s] [-v version] path acl

-Jordan

> On Feb 8, 2017, at 1:52 PM, Megha Sharma <me...@gmail.com> wrote:
> 
> Thanks Jordan
> That was my understanding as well, wanted to make sure that setting acls
> doesn't need zkServer restart. The way I am setting the acls could be
> faulty then, I am trying to set the acl ZOO_AUTH_IDS and
> ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
> translates to (‘auth’,’’) and empty identity string should be interpreted
> as “the identity of the creator”. I have tried both empty identity string
> (2) and with credentials (1) with zkCli and I am not sure which is the
> correct way of achieving ZOO_AUTH_IDS.
> 
> 
> 1) addauth digest user:pwd
>    setAcl /mesos world:anyone:r,auth::crdwa
> 
> 2) addauth digest user:pwd
>    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
> 
> Thanks
> Megha
> 
> 
> On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <jordan@jordanzimmerman.com
>> wrote:
> 
>>> I have been trying to set acls with zkCli and it seems like the acls
>> don’t
>>> take effect until all the zkServers are restarted. Do the acls need
>>> zkServer restart?
>> 
>> No. ACL changes take effect immediately. It's a ZNode modification like
>> any other. Do you have an example of the problem?
>> 
>> -Jordan


Re: Setting acls in Zookeeper

Posted by Megha Sharma <me...@gmail.com>.
Thanks Jordan
That was my understanding as well, wanted to make sure that setting acls
doesn't need zkServer restart. The way I am setting the acls could be
faulty then, I am trying to set the acl ZOO_AUTH_IDS and
ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
translates to (‘auth’,’’) and empty identity string should be interpreted
as “the identity of the creator”. I have tried both empty identity string
(2) and with credentials (1) with zkCli and I am not sure which is the
correct way of achieving ZOO_AUTH_IDS.


1) addauth digest user:pwd
    setAcl /mesos world:anyone:r,auth::crdwa

2) addauth digest user:pwd
    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa

Thanks
Megha


On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <jordan@jordanzimmerman.com
> wrote:

> > I have been trying to set acls with zkCli and it seems like the acls
> don’t
> > take effect until all the zkServers are restarted. Do the acls need
> > zkServer restart?
>
> No. ACL changes take effect immediately. It's a ZNode modification like
> any other. Do you have an example of the problem?
>
> -Jordan

Re: Setting acls in Zookeeper

Posted by Jordan Zimmerman <jo...@jordanzimmerman.com>.
> I have been trying to set acls with zkCli and it seems like the acls don’t
> take effect until all the zkServers are restarted. Do the acls need
> zkServer restart?

No. ACL changes take effect immediately. It's a ZNode modification like any other. Do you have an example of the problem?

-Jordan