Created 03-24-2020 06:56 AM
How can I delete an ACL in ZooKeeper?
I have seen a blog which outlines steps in Hortonworks. I am not using Horton.
[desind@zookeeper1~]$ zookeeper-shell localhost:2181 rmr /kafka-acl/Topic
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
Authentication is not valid : /kafka-acl/Topic
[desind@zookeeper-1~]$ zookeeper-shell localhost:2181 getAcl /kafka-acl/Topic
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
'world,'anyone
: r
'sasl,'desind
: cdrwa
I need to delete the sasl,desind:cdrwa
Created 03-24-2020 07:53 AM
Created 03-24-2020 08:01 AM
Cloudera
Created 03-24-2020 09:26 AM
I tweaked it a little bit; it should work in Cloudera.
Go to Cloudera zookeeper server home
# cd $CDH_HOME/zookeeper-server
Run below command
java -cp "./zookeeper.jar:lib/slf4j-api-1.6.1.jar" org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:password
The output should look like below
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
super:password->super:DyNYQEQvajljsxlhf5uS4PJ9R28=
Copy the super:DyNYQEQvajljsxlhf5uS4PJ9R28= text, log in to Cloudera Manager and go to the ZooKeeper config.
Add below to zookeeper-env template config
export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Dzookeeper.DigestAuthenticationProvider.superDigest=super:DyNYQEQvajljsxlhf5uS4PJ9R28="
Save and Restart Zookeeper and launch zookeeper shell on CDH cli
# ./bin/zkCli.sh -server your_server.com
addauth as below
Now removing the ACL should work.
Now try to delete an ACL in ZooKeeper; this should work.
addauth digest super:password
Unfortunately, I don't have a CDH sandbox so you might have to adjust some cmds
Created on 03-24-2020 09:46 AM - edited 03-24-2020 09:46 AM
Can you explain at a high level, if possible, what these steps are doing and why we are doing them?
Technically there is an ACL under my name, and when I get a token as myself I should be able to delete the ACLs.
Created 03-24-2020 10:06 AM
By default, ZooKeeper runs without the option of becoming a superuser to administrate znodes in the ZK ensemble, for example, to fix ACLs, remove znodes that are not required anymore, or create new ones in specific locations. ZooKeeper grants permissions through ACLs through different schemas or authentication methods, such as 'world', 'digest', or 'sasl' if we use Kerberos. We can potentially be locked out if we were to grant everyone just read permissions to a znode, as we would not be able to delete it or modify it anymore.
Created on 03-24-2020 01:38 PM - edited 03-24-2020 01:42 PM
@Shelton I am still getting the same error. How can I verify that the SERVER_JVMFLAGS have taken effect? I don't see it in the running config (ps -ef | grep -i zookeeper). I also don't see it in zoo.cfg.
[zk: xxx.unx.sas.com(CONNECTED) 0] addauth digest super:password
[zk: xxx.unx.sas.com(CONNECTED) 1] ls /kafka
kafka-acl kafka-acl-changes kafka-acl-extended kafka kafka-acl-extended-changes
[zk: xxx.unx.sas.com(CONNECTED) 1] ls /kafka-acl
[Group, Cluster, Topic, TransactionalId, DelegationToken]
[zk: xxx.unx.sas.com(CONNECTED) 2] deleteall /kafka-acl/Topic
Authentication is not valid : /kafka-acl/Topic
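An added example, not part of any post in this thread and not Cloudera's or ZooKeeper's own code: it reproduces the digest that DigestAuthenticationProvider prints (user, a colon, then Base64 of the SHA-1 of "user:password") and checks whether a server command line actually carries the matching superDigest flag. The function names and sample command lines are hypothetical, and SHA-1 is assumed as the provider's digest algorithm.

```python
import base64
import hashlib
import re

# JVM system property from the SERVER_JVMFLAGS line in the thread.
FLAG = "-Dzookeeper.DigestAuthenticationProvider.superDigest="


def generate_digest(id_password: str) -> str:
    """Return 'user:base64(sha1("user:password"))', the value format
    used for digest-scheme ACL ids and for superDigest."""
    user, _ = id_password.split(":", 1)  # ValueError if ':' is missing
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def super_digest_from_cmdline(cmdline: str):
    """Extract the configured superDigest from a JVM command line, or None."""
    m = re.search(re.escape(FLAG) + r'"?([^\s"]+)', cmdline)
    return m.group(1) if m else None


def check(cmdline: str, id_password: str) -> str:
    """Classify whether 'addauth digest user:password' can match the
    superDigest this server process was started with."""
    configured = super_digest_from_cmdline(cmdline)
    if configured is None:
        return "flag-missing"      # the JVM flag never reached the process
    if configured == generate_digest(id_password):
        return "match"
    return "digest-mismatch"       # a different user or password is configured


if __name__ == "__main__":
    # Constructed sample command lines, not captured from a real host.
    pw = "super:example-only"
    jvm = "org.apache.zookeeper.server.quorum.QuorumPeerMain zoo.cfg"
    good = f"java -Dzookeeper.log.dir=/var/log/zk {FLAG}{generate_digest(pw)} {jvm}"
    bare = f"java -Dzookeeper.log.dir=/var/log/zk {jvm}"
    for name, line in (("with flag", good), ("without flag", bare)):
        print(name, "->", check(line, pw))
```

On a live host the command line to pass in is what `ps -ef` shows for the ZooKeeper server process. Because the flag sits on the command line, the digest is readable by any local user who can list processes.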
Created 03-25-2020 05:42 AM
I can see the error "Authentication is not valid", but it seems you didn't use the format
super:password->super:DyNYQEQvajljsxlhf5uS4PJ9R28=
Instead, your input was as below according to the steps you shared.
addauth digest super:password
And then delete the znode; that should work.
[zk: xxx.unx.sas.com(CONNECTED) 2] deleteall /kafka-acl/Topic
Please do that and revert.