
How to SetACL or disable ACL check (temporarily) on ZooKeeper in a Kerberized cluster

Contributor

Hi

The Storm job is failing with the below exception:

:cause KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :via [{:type java.lang.RuntimeException :message org.apache.storm.shade.org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :at [org.apache.storm.util$wrap_in_runtime invoke util.clj 54]} {:type org.apache.storm.shade.org.apache.zookeeper.KeeperException$NoAuthException :message KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :at [org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 113]}] :trace [[org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 113] [org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 51] [org.apache.storm.shade.org.apache.zookeeper.ZooKeeper create ZooKeeper.java 783] [org.apache.storm.shade.org.apache.curator.framework.imps.CreateBuilderImpl$11 call CreateB

What did I do?

I tried to create the znode /credentials/rrtd-topology-1-1526434979, but the znode was not created. Instead, I cannot create any znode in ZooKeeper, and create /test is also failing.

Below is the ACL for / in ZooKeeper:

[zk: localhost:2181(CONNECTED) 26] getAcl /
'world,'anyone
: cdrwa

Can someone please help me?

Super Collaborator

Contributor

Hi,

/ has full permissions, but I could not create a znode. Any help? I tried working through the steps mentioned in the web link, but it did not work.


Implemented it. But it did not work.

Master Mentor

@Sriram

Can you check the document referenced by @Harald Berghoff?

Contributor

By default, / has worldwide permissions, but I am unable to create a znode under /.

By the way, it is a Kerberized cluster.

And I tried the solution provided by @Harald Berghoff and unfortunately in my case it did not work.

My problem in one line is:

/ in ZooKeeper has worldwide permissions, but I am unable to create a znode under /

@Geoffrey... Can you help me on this?

Master Mentor

@Sriram

Environment

  • HDP 2.6.2.0
  • Ambari 2.5.2.0
  • MIT Kerberos

I just connected as a normal user and followed the below steps; the znode Test was created without any issues.

I logged in as a local user without a valid Kerberos ticket.

$ klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

Connected to ZkCli

$ cd /usr/hdp/current/zookeeper-server 
$ ./bin/zkCli.sh 
.......
[zk: localhost:2181(CONNECTED) 0] ls /
[hive, registry, cluster, controller, brokers, zookeeper, infra-solr, hbase-unsecure, kafka-acl, kafka-acl-changes, admin, isr_change_notification, templeton-hadoop, hiveserver2, controller_epoch, druid, rmstore, hbase-secure, ambari-metrics-cluster, consumers, config] 

Check the ACL permissions

[zk: localhost:2181(CONNECTED) 1] getAcl / 
'world,'anyone
: cdrwa 

Created a persistent znode Test

[zk: localhost:2181(CONNECTED) 2] create /Test 'siram_issue'
Created /Test 

List the znode's children

[zk: localhost:2181(CONNECTED) 3] ls /Test
[] 

List Znodes

Notice Test is listed

[zk: localhost:2181(CONNECTED) 4] ls /
[hive, registry, cluster, controller, brokers, zookeeper, infra-solr, hbase-unsecure, kafka-acl, kafka-acl-changes, admin, isr_change_notification, templeton-hadoop, hiveserver2, controller_epoch, druid, Test, rmstore, hbase-secure, ambari-metrics-cluster, consumers, config] 

Check Status

[zk: localhost:2181(CONNECTED) 6] stat /Test
cZxid = 0x2997
ctime = Sat May 19 21:49:55 CEST 2018
mZxid = 0x2997
mtime = Sat May 19 21:49:55 CEST 2018
pZxid = 0x2997
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 13
numChildren = 0

Can you share your steps that failed?
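
An added example, not part of the original post: ZooKeeper evaluates ACLs per znode and checks the CREATE bit on the parent of the node being created, so the `getAcl /` output above governs `create /Test` but not a create under `/credentials`. The Python below parses `getAcl` output and applies that rule; the `/credentials` ACL and the principal `nimbus-example` are constructed for illustration, and only `world:anyone` and exact scheme/id matches are modelled.

```python
import re

# Permission letters as printed by zkCli `getAcl`.
PERM = {"create": "c", "delete": "d", "read": "r", "write": "w", "admin": "a"}

def parse_getacl(text):
    """Parse zkCli `getAcl` output into (scheme, id, perms) tuples.

    Accepts both layouts that appear in this thread: entry and permissions
    on one line, or the permissions on a following ': cdrwa' line.
    """
    return [(s, i, set(p))
            for s, i, p in re.findall(r"'(\w+),'(\S+)\s*:\s*([cdrwa]+)", text)]

def allowed(acl, perm, identities):
    """True if any ACL entry grants `perm` to world:anyone or to one of the
    (scheme, id) pairs the session has authenticated as."""
    return any(PERM[perm] in perms and
               ((scheme, ident) == ("world", "anyone") or (scheme, ident) in identities)
               for scheme, ident, perms in acl)

def parent(path):
    """Parent znode of `path`; the parent of a top-level znode is '/'."""
    return path.rsplit("/", 1)[0] or "/"

def can_create(path, acls, identities=frozenset()):
    """ZooKeeper checks the CREATE bit on the parent znode only; ACLs are
    not inherited, so the ACL of / says nothing about /credentials."""
    return allowed(parse_getacl(acls[parent(path)]), "create", identities)

# The ACL of / is the one shown in the thread. The ACL of /credentials is
# CONSTRUCTED for illustration, and 'nimbus-example' is a hypothetical principal.
SAMPLE_ACLS = {
    "/": "'world,'anyone\n: cdrwa",
    "/credentials": "'sasl,'nimbus-example\n: cdrwa",
}

if __name__ == "__main__":
    target = "/credentials/rrtd-topology-1-1526434979"
    print(can_create("/Test", SAMPLE_ACLS))
    print(can_create(target, SAMPLE_ACLS))
    print(can_create(target, SAMPLE_ACLS, {("sasl", "nimbus-example")}))
```

To use it on a real cluster, paste the `getAcl` output of each parent znode into the dictionary and pass the identities the session actually authenticated as.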

Contributor

@Geoffrey,

Thanks a lot for your time on this. I could do it on my test server as you had done, but unfortunately I could not do it on my pre-prod cluster. I do see that / has the same privileges as you have, but I am unable to create a znode 😞

Any logs or any configurations you would like to cross-check?

Contributor

Is a TGT hampering my activity? Should I destroy the TGT and try creating the znode?

Contributor

@Geoffrey Shelton Okot ... Could you please help me on this? I am unable to figure out the root cause of the issue.