Posted to dev@zookeeper.apache.org by "Philippe Back (JIRA)" <ji...@apache.org> on 2017/03/24 16:10:42 UTC
[jira] [Commented] (ZOOKEEPER-2370) Can't access Znodes after adding ACL with SASL
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940631#comment-15940631 ]
Philippe Back commented on ZOOKEEPER-2370:
------------------------------------------
I got this one too.
It turns out that the root cause is that the service is started with:
{code}authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
{code}
Not putting the server and the realm in when doing the setAcl in zkCli gives a match when accessing the node, as the message is then gone.
But if one puts the realm in, one is just locking himself or herself out.
To remove the znode, I guess the only way is to start ZK without ACL checks (not very practical in production) or use a super user.
Now, how is one logging in with such a user in ZK with zkCli.sh?
> Can't access Znodes after adding ACL with SASL
> ----------------------------------------------
>
> Key: ZOOKEEPER-2370
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2370
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
> Affects Versions: 3.4.5
> Reporter: Chao Sun
>
> (My apology if this is not a bug.)
> I'm trying to use a ZK client which has successfully authenticated with a secure ZK server using principal {{me/hostname@EXAMPLE.COM}}. However, the following simple commands failed:
> {code}
> [zk: hostname(CONNECTED) 0] create /zk-test "1"
> Created /zk-test
> [zk: hostname(CONNECTED) 1] setAcl /zk-test sasl:me/hostname@EXAMPLE.COM:cdrwa
> cZxid = 0x3e3b
> ctime = Mon Feb 22 23:10:36 PST 2016
> mZxid = 0x3e3b
> mtime = Mon Feb 22 23:10:36 PST 2016
> pZxid = 0x3e3b
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 3
> numChildren = 0
> [zk: hostname(CONNECTED) 2] getAcl /zk-test
> 'sasl,'me/hostname@EXAMPLE.COM
> : cdrwa
> [zk: hostname(CONNECTED) 3] ls /zk-test
> Authentication is not valid : /zk-test
> [zk: hostname(CONNECTED) 4] create /zk-test/c "2"
> Authentication is not valid : /zk-test/c
> {code}
> I wonder what I did wrong here, or is this behavior intentional? How can I delete the znodes? Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
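The mismatch described in the comment above, as an added example that is not part of the original message and is not ZooKeeper's own code: a simplified Python model of how kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal shorten the id attached to a SASL session, plus a check for ACL ids that no session can match under those settings. The function names are hypothetical, and the model assumes that a sasl ACL id is compared to the session id as an exact string and that the short name is simply the first component of the principal.

```python
import re

# Kerberos principal layout: primary[/host][@REALM]
_PRINCIPAL = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<host>[^/@]+))?(?:@(?P<realm>[^/@]+))?$"
)

def authorized_id(principal, remove_host=False, remove_realm=False):
    """Model of the id the server attaches to an authenticated SASL session."""
    m = _PRINCIPAL.match(principal)
    if m is None:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    out = m["primary"]
    if m["host"] and not remove_host:
        out += "/" + m["host"]
    if m["realm"] and not remove_realm:
        out += "@" + m["realm"]
    return out

def acl_matches(acl_id, session_id):
    """Assumption of this model: sasl ids are compared as exact strings."""
    return acl_id == session_id

def unreachable_acl_ids(acl_ids, remove_host, remove_realm):
    """ACL ids that can never equal a session id under the given settings.

    An id is reachable only if the server's shortening leaves it unchanged;
    anything else locks every client out of the znode.
    """
    return [
        acl_id for acl_id in acl_ids
        if authorized_id(acl_id, remove_host, remove_realm) != acl_id
    ]

if __name__ == "__main__":
    # Constructed sample taken from the principal quoted in the issue text.
    session = authorized_id("me/hostname@EXAMPLE.COM", True, True)
    print("session id:", session)
    print("full principal in ACL matches:",
          acl_matches("me/hostname@EXAMPLE.COM", session))
    print("short name in ACL matches:", acl_matches("me", session))
    print("unreachable:", unreachable_acl_ids(
        ["me", "me@EXAMPLE.COM", "me/hostname@EXAMPLE.COM"], True, True))
```

Running the same check over the ids planned for setAcl before applying them shows which entries would lock the znode under the server's current settings.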