Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Zookeeper - Super User Authentication and Authorization

avatar
author-rank aromero
Contributor

Created on ‎04-27-2016 06:57 PM - edited ‎09-16-2022 01:34 AM

Introduction

By default, Zookeeper runs without the option of becoming a superuser to administrate znodes in the ZK ensemble, for example, to fix ACLs, remove znodes that are not required anymore, or create new ones in specific locations. Zookeeper grants permissions through ACLs through different schemas or authentication methods, such as 'world', 'digest', or 'sasl' if we use Kerberos. We can potentially we locked out if we were to grant everyone just read permissions to a znode, as we would not be able to delete it or modify it anymore.

Example of the problem

For example, we connect to Zookeeper through zkCli:

/usr/hdp/current/zookeeper-client/bin/zkCli.sh -server `hostname -f`:2181
[zk: sandbox.hortonworks.com:2181(CONNECTED) 1] getAcl /config/topics
'world,'anyone
: r

If we need to modify that znode so that, for example, user 'kafka' can have access to it to create new topics:

[zk: sandbox.hortonworks.com:2181(CONNECTED) 2] setAcl /config/topics world:anyone:r sasl:kafka:cdrwa
Authentication is not valid : /config/topics

Using superDigest to become a Zookeeper superuser

The following can be done to run as a Zookeeper superuser and be able to make ACL changes or delete/modify znodes. We can run the DigestAuthenticationProvider to get the digest of a given password. Foe example, if we want our superuser 'super' to have the password 'super123' we can:

export ZK_CLASSPATH=/etc/zookeeper/conf/:/usr/hdp/current/zookeeper-server/lib/*:/usr/hdp/current/zookeeper-server/* 
java -cp $ZK_CLASSPATH org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:super123 
OUTPUT:
super:super123->super:UdxDQl4f9v5oITwcAsO9bmWgHSI=

From the output we can just add the following to SERVER_JVMFLAGS and restart Zookeeper:

SERVER_JVMFLAGS=-Dzookeeper.DigestAuthenticationProvider.superDigest=super:UdxDQl4f9v5oITwcAsO9bmWgHSI=

Then, in zkCli do:

[zk: sandbox.hortonworks.com:2181(CONNECTED) 1] addauth digest super:super123

Now, we can perform the action we couldn't before:

[zk: sandbox.hortonworks.com:2181(CONNECTED) 1] setAcl /config/topics world:anyone:cdrwa,sasl:kafka:cdrwa 

cZxid = 0x29
ctime = Tue Jul 21 18:46:36 UTC 2015 
mZxid = 0x29
mtime = Tue Jul 21 18:46:36 UTC 2015 
pZxid = 0x22410 
cversion = 4 
dataVersion = 0 
aclVersion = 9 
ephemeralOwner = 0x0 
dataLength = 0 
numChildren = 4 
[zk: sandbox.hortonworks.com:2181(CONNECTED) 3] getAcl /config/topics
'world,'anyone 
: cdrwa 
'sasl,'kafka 
: cdrwa
58,843 Views
Comments

Re: Zookeeper - Super User Authentication and Authorization

avatar
author-rank gbraccialli3
Guru

Created on ‎08-15-2016 03:37 PM

@Alberto Romero Really useful, solve my permissions problem!

Re: Zookeeper - Super User Authentication and Authorization

avatar
author-rank 18896724276
New Contributor

Created on ‎12-07-2016 03:16 AM

@Alberto Romero Useful,thank you !

Ambari 2.* enable kerberos, and can't rmr /ams-hbase-secure ,solve my problem !

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎09-16-2022 01:34 AM
Updated by:
Contributor
Contributors