You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zookeeper.apache.org by "Philippe Back (JIRA)" <ji...@apache.org> on 2017/03/24 16:10:42 UTC

[jira] [Commented] (ZOOKEEPER-2370) Can't access Znodes after adding ACL with SASL

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940631#comment-15940631 ] 

Philippe Back commented on ZOOKEEPER-2370:
------------------------------------------

I got this one too.

It turns out that the root cause is that the service is started with:

{code}authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
{code}

Not putting the server and the realm when doing the setAcl in zkCli is giving a match when accessing the node as the message is then gone.

But if one puts the realm in, one is just locking him or herself out.

To remove the znode, I guess the only way is to start ZK zithout ACL checks (not very practical in production) or user a super user.

Now, how is one logging in with such a user in ZK with zkCli.sh ?



> Can't access Znodes after adding ACL with SASL
> ----------------------------------------------
>
>                 Key: ZOOKEEPER-2370
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2370
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.4.5
>            Reporter: Chao Sun
>
> (My apology if this is not a bug.)
> I'm trying to use a ZK client which has successfully authenticated with a secure ZK server using principal {{me/hostname@EXAMPLE.COM}}. However, the following simple commands failed:
> {code}
> [zk: hostname(CONNECTED) 0] create /zk-test "1"
> Created /zk-test
> [zk: hostname(CONNECTED) 1] setAcl /zk-test sasl:me/hostname@EXAMPLE.COM:cdrwa
> cZxid = 0x3e3b
> ctime = Mon Feb 22 23:10:36 PST 2016
> mZxid = 0x3e3b
> mtime = Mon Feb 22 23:10:36 PST 2016
> pZxid = 0x3e3b
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 3
> numChildren = 0
> [zk: hostname(CONNECTED) 2] getAcl /zk-test
> 'sasl,'me/hostname@EXAMPLE.COM
> : cdrwa
> [zk: hostname(CONNECTED) 3] ls /zk-test
> Authentication is not valid : /zk-test
> [zk: hostname(CONNECTED) 4] create /zk-test/c "2"
> Authentication is not valid : /zk-test/c
> {code}
> I wonder what I did wrong here, or is this behavior intentional? how can I delete the znodes? Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)