You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@zookeeper.apache.org by Ludwig Pummer <lu...@chip-web.com> on 2012/01/23 10:00:08 UTC
digest ACL znodes always return ZNOAUTH (zkCLi and perl)
Hello,
I'm just getting started with ZooKeeper and am having very little luck
with digest ACLs.
I couldn't figure out the syntax for creating digest acls from zkCli
(create nor setAcl), but I did manage to set ACLs on nodes using the
perl bindings.
However, I cannot read the node back.
"addauth digest user:pass" in zkCLI is accepted, but the subsequent get
results in a KeeperException$NoAuthException.
From the perl binding (Net::ZooKeeper 0.35), get always returns -102
(ZNOAUTH).
I'm running zookeeper 3.3.4.
-----
$ ./acltest1.pl
add_auth ok
created path /acl0000000028 with acl
node /acl0000000028 get error: -102
node /acl0000000028 has stat info:
czxid: 230
mzxid: 230
ctime: 1327308018904
mtime: 1327308018904
version: 0
children_version: 0
acl_version: 0
ephemeral_owner: 0
data_len: 5
num_children: 0
children_zxid: 230
node /acl0000000028 has ACL entry:
perms: 31
scheme: digest
id: user:smGaoVKd/cQkjm7b88GyorAUz20=
Re: digest ACL znodes always return ZNOAUTH (zkCLi and perl)
Posted by Ludwig Pummer <lu...@chip-web.com>.
The docs say to specify it as id => "$username:$password". If I didn't
do add_auth first, how would I be able to specify a digest ACL at all?
It also fails if I move the add_auth until after I've created the node.
I also got the idea to try doing add_auth first and then creating it
with ZOO_CREATOR_ALL_ACL to skip generating the digest myself, but perl
core dumps at the call. Ditto withZOO_READ_ACL_UNSAFE. The only
predefined ACL that doesn't core dump is ZOO_OPEN_ACL_UNSAFE, which
doesn't help me any. So it looks like the perl interface has some issues.
Do you happen to know the syntax to use CREATOR_ALL_ACL with zkCli ? Or
syntax for using digest ACL on create or set_acl with zkCli?
On 1/25/2012 3:30 PM, Patrick Hunt wrote:
> I notice this in your perl script:
>
> $acl=[{"perms"=>ZOO_PERM_ALL,"scheme"=>"digest",id=>"user:$digest"}];
>
> have you tried using id=>"user"? I don't think you should be providing
> the digest here given you've already add_auth'd
>
> I'd try it but I'm not setup at the moment to compile/run this.
>
> Patrick
>
> On Mon, Jan 23, 2012 at 8:18 PM, Ludwig Pummer
> <lu...@chip-web.com> wrote:
>> I used the doc's 2 lines of code to generate the digest.
>>
>> $ perl -MMIME::Base64 -MDigest -e 'print
>> MIME::Base64::encode(Digest->new("SHA-1")->add("user:pass")->digest());'
>> smGaoVKd/cQkjm7b88GyorAUz20=
>>
>> That matches the output below, but it makes sense since I *set* that? What
>> other digest value is there to compare it to?
>>
>> I have no way to see what is the digest generated by ZooKeeper on addauth,
>> do I?
>>
>> What's the digest acl syntax in zkCLI?
>>
>>
>> On 1/23/2012 12:49 PM, Patrick Hunt wrote:
>>>
>>> I'm not super familiar with the perl bindings - did you try what's
>>> documented/detailed in the perl docs?
>>>
>>> http://search.cpan.org/~cdarroch/Net-ZooKeeper-0.35/ZooKeeper.pm#Access_Control
>>>
>>> Did you compare the two base 64 encoded digests?
>>>
>>> Patrick
>>>
>>> On Mon, Jan 23, 2012 at 1:00 AM, Ludwig Pummer
>>> <lu...@chip-web.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm just getting started with ZooKeeper and am having very little luck
>>>> with
>>>> digest ACLs.
>>>>
>>>> I couldn't figure out the syntax for creating digest acls from zkCli
>>>> (create
>>>> nor setAcl), but I did manage to set ACLs on nodes using the perl
>>>> bindings.
>>>>
>>>> However, I cannot read the node back.
>>>>
>>>> "addauth digest user:pass" in zkCLI is accepted, but the subsequent get
>>>> results in a KeeperException$NoAuthException.
>>>>
>>>> From the perl binding (Net::ZooKeeper 0.35), get always returns -102
>>>> (ZNOAUTH).
>>>>
>>>> I'm running zookeeper 3.3.4.
>>>>
>>>> -----
>>>>
>>>> $ ./acltest1.pl
>>>> add_auth ok
>>>> created path /acl0000000028 with acl
>>>> node /acl0000000028 get error: -102
>>>> node /acl0000000028 has stat info:
>>>> czxid: 230
>>>> mzxid: 230
>>>> ctime: 1327308018904
>>>> mtime: 1327308018904
>>>> version: 0
>>>> children_version: 0
>>>> acl_version: 0
>>>> ephemeral_owner: 0
>>>> data_len: 5
>>>> num_children: 0
>>>> children_zxid: 230
>>>> node /acl0000000028 has ACL entry:
>>>> perms: 31
>>>> scheme: digest
>>>> id: user:smGaoVKd/cQkjm7b88GyorAUz20=
>>>>
>>
Re: digest ACL znodes always return ZNOAUTH (zkCLi and perl)
Posted by Patrick Hunt <ph...@apache.org>.
I notice this in your perl script:
$acl=[{"perms"=>ZOO_PERM_ALL,"scheme"=>"digest",id=>"user:$digest"}];
have you tried using id=>"user"? I don't think you should be providing
the digest here given you've already add_auth'd
I'd try it but I'm not setup at the moment to compile/run this.
Patrick
On Mon, Jan 23, 2012 at 8:18 PM, Ludwig Pummer
<lu...@chip-web.com> wrote:
> I used the doc's 2 lines of code to generate the digest.
>
> $ perl -MMIME::Base64 -MDigest -e 'print
> MIME::Base64::encode(Digest->new("SHA-1")->add("user:pass")->digest());'
> smGaoVKd/cQkjm7b88GyorAUz20=
>
> That matches the output below, but it makes sense since I *set* that? What
> other digest value is there to compare it to?
>
> I have no way to see what is the digest generated by ZooKeeper on addauth,
> do I?
>
> What's the digest acl syntax in zkCLI?
>
>
> On 1/23/2012 12:49 PM, Patrick Hunt wrote:
>>
>> I'm not super familiar with the perl bindings - did you try what's
>> documented/detailed in the perl docs?
>>
>> http://search.cpan.org/~cdarroch/Net-ZooKeeper-0.35/ZooKeeper.pm#Access_Control
>>
>> Did you compare the two base 64 encoded digests?
>>
>> Patrick
>>
>> On Mon, Jan 23, 2012 at 1:00 AM, Ludwig Pummer
>> <lu...@chip-web.com> wrote:
>>>
>>> Hello,
>>>
>>> I'm just getting started with ZooKeeper and am having very little luck
>>> with
>>> digest ACLs.
>>>
>>> I couldn't figure out the syntax for creating digest acls from zkCli
>>> (create
>>> nor setAcl), but I did manage to set ACLs on nodes using the perl
>>> bindings.
>>>
>>> However, I cannot read the node back.
>>>
>>> "addauth digest user:pass" in zkCLI is accepted, but the subsequent get
>>> results in a KeeperException$NoAuthException.
>>>
>>> From the perl binding (Net::ZooKeeper 0.35), get always returns -102
>>> (ZNOAUTH).
>>>
>>> I'm running zookeeper 3.3.4.
>>>
>>> -----
>>>
>>> $ ./acltest1.pl
>>> add_auth ok
>>> created path /acl0000000028 with acl
>>> node /acl0000000028 get error: -102
>>> node /acl0000000028 has stat info:
>>> czxid: 230
>>> mzxid: 230
>>> ctime: 1327308018904
>>> mtime: 1327308018904
>>> version: 0
>>> children_version: 0
>>> acl_version: 0
>>> ephemeral_owner: 0
>>> data_len: 5
>>> num_children: 0
>>> children_zxid: 230
>>> node /acl0000000028 has ACL entry:
>>> perms: 31
>>> scheme: digest
>>> id: user:smGaoVKd/cQkjm7b88GyorAUz20=
>>>
>
Re: digest ACL znodes always return ZNOAUTH (zkCLi and perl)
Posted by Ludwig Pummer <lu...@chip-web.com>.
I used the doc's 2 lines of code to generate the digest.
$ perl -MMIME::Base64 -MDigest -e 'print
MIME::Base64::encode(Digest->new("SHA-1")->add("user:pass")->digest());'
smGaoVKd/cQkjm7b88GyorAUz20=
That matches the output below, but it makes sense since I *set* that?
What other digest value is there to compare it to?
I have no way to see what is the digest generated by ZooKeeper on
addauth, do I?
What's the digest acl syntax in zkCLI?
On 1/23/2012 12:49 PM, Patrick Hunt wrote:
> I'm not super familiar with the perl bindings - did you try what's
> documented/detailed in the perl docs?
> http://search.cpan.org/~cdarroch/Net-ZooKeeper-0.35/ZooKeeper.pm#Access_Control
>
> Did you compare the two base 64 encoded digests?
>
> Patrick
>
> On Mon, Jan 23, 2012 at 1:00 AM, Ludwig Pummer
> <lu...@chip-web.com> wrote:
>> Hello,
>>
>> I'm just getting started with ZooKeeper and am having very little luck with
>> digest ACLs.
>>
>> I couldn't figure out the syntax for creating digest acls from zkCli (create
>> nor setAcl), but I did manage to set ACLs on nodes using the perl bindings.
>>
>> However, I cannot read the node back.
>>
>> "addauth digest user:pass" in zkCLI is accepted, but the subsequent get
>> results in a KeeperException$NoAuthException.
>>
>> From the perl binding (Net::ZooKeeper 0.35), get always returns -102
>> (ZNOAUTH).
>>
>> I'm running zookeeper 3.3.4.
>>
>> -----
>>
>> $ ./acltest1.pl
>> add_auth ok
>> created path /acl0000000028 with acl
>> node /acl0000000028 get error: -102
>> node /acl0000000028 has stat info:
>> czxid: 230
>> mzxid: 230
>> ctime: 1327308018904
>> mtime: 1327308018904
>> version: 0
>> children_version: 0
>> acl_version: 0
>> ephemeral_owner: 0
>> data_len: 5
>> num_children: 0
>> children_zxid: 230
>> node /acl0000000028 has ACL entry:
>> perms: 31
>> scheme: digest
>> id: user:smGaoVKd/cQkjm7b88GyorAUz20=
>>
Re: digest ACL znodes always return ZNOAUTH (zkCLi and perl)
Posted by Patrick Hunt <ph...@apache.org>.
I'm not super familiar with the perl bindings - did you try what's
documented/detailed in the perl docs?
http://search.cpan.org/~cdarroch/Net-ZooKeeper-0.35/ZooKeeper.pm#Access_Control
Did you compare the two base 64 encoded digests?
Patrick
On Mon, Jan 23, 2012 at 1:00 AM, Ludwig Pummer
<lu...@chip-web.com> wrote:
> Hello,
>
> I'm just getting started with ZooKeeper and am having very little luck with
> digest ACLs.
>
> I couldn't figure out the syntax for creating digest acls from zkCli (create
> nor setAcl), but I did manage to set ACLs on nodes using the perl bindings.
>
> However, I cannot read the node back.
>
> "addauth digest user:pass" in zkCLI is accepted, but the subsequent get
> results in a KeeperException$NoAuthException.
>
> From the perl binding (Net::ZooKeeper 0.35), get always returns -102
> (ZNOAUTH).
>
> I'm running zookeeper 3.3.4.
>
> -----
>
> $ ./acltest1.pl
> add_auth ok
> created path /acl0000000028 with acl
> node /acl0000000028 get error: -102
> node /acl0000000028 has stat info:
> czxid: 230
> mzxid: 230
> ctime: 1327308018904
> mtime: 1327308018904
> version: 0
> children_version: 0
> acl_version: 0
> ephemeral_owner: 0
> data_len: 5
> num_children: 0
> children_zxid: 230
> node /acl0000000028 has ACL entry:
> perms: 31
> scheme: digest
> id: user:smGaoVKd/cQkjm7b88GyorAUz20=
>