How to delete an acl in zookeeper

Expert Contributor

How can I delete an ACL in ZooKeeper?

I have seen a blog which outlines the steps for Hortonworks. I am not using Horton.

zookeeper.set.acl - false. 


[desind@zookeeper1~]$ zookeeper-shell localhost:2181 rmr /kafka-acl/Topic
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
Authentication is not valid : /kafka-acl/Topic

 

[desind@zookeeper-1~]$ zookeeper-shell localhost:2181 getAcl /kafka-acl/Topic
Connecting to localhost:2181

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
'world,'anyone
: r
'sasl,'desind
: cdrwa

 

I need to delete the sasl,desind:cdrwa


Re: How to delete an acl in zookeeper

Mentor

@desind 

 

You are not running HDP so are you on MapR or Cloudera?


Re: How to delete an acl in zookeeper

Expert Contributor

Cloudera 

Re: How to delete an acl in zookeeper

Mentor

@desind 

I tweaked it a little bit; it should work in Cloudera.

Go to the Cloudera ZooKeeper server home:

 

# cd $CDH_HOME/zookeeper-server

 

Run the command below:

 

java -cp "./zookeeper.jar:lib/slf4j-api-1.6.1.jar" org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:password

 

The output should look like below

 

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
super:password->super:DyNYQEQvajljsxlhf5uS4PJ9R28=

 

Copy the super:DyNYQEQvajljsxlhf5uS4PJ9R28= text, log in to Cloudera Manager and go to the ZooKeeper config.
Add the line below to the zookeeper-env template config:

 

export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Dzookeeper.DigestAuthenticationProvider.superDigest=super:DyNYQEQvajljsxlhf5uS4PJ9R28="

 

Save and restart ZooKeeper, then launch the ZooKeeper shell on the CDH CLI:

# ./bin/zkCli.sh -server your_server.com

 

Run addauth as below.

Removing the ACL should now work.
Now try to delete an ACL in ZooKeeper; this should work.

 

addauth digest super:password

 

Unfortunately, I don't have a CDH sandbox, so you might have to adjust some commands.

 

 


Re: How to delete an acl in zookeeper

Expert Contributor

Can you explain at a high level, if possible, what these steps are doing and why we are doing them?

Technically there is an ACL under my name, and when I get a token as myself I should be able to delete the ACLs.


Re: How to delete an acl in zookeeper

Mentor

@desind 

By default, ZooKeeper runs without the option of becoming a superuser to administrate znodes in the ZK ensemble, for example, to fix ACLs, remove znodes that are not required anymore, or create new ones in specific locations. ZooKeeper grants permissions through ACLs through different schemas or authentication methods, such as 'world', 'digest', or 'sasl' if we use Kerberos. We can potentially be locked out if we were to grant everyone just read permissions to a znode, as we would not be able to delete it or modify it anymore.

 

 


Re: How to delete an acl in zookeeper

Expert Contributor

@Shelton I am still getting the same error. How can I verify that the SERVER_JVMFLAGS have taken effect? I don't see it in the running config (ps -ef | grep -i zookeeper). I also don't see it in zoo.cfg.

 

[zk: xxx.unx.sas.com(CONNECTED) 0] addauth digest super:password
[zk: xxx.unx.sas.com(CONNECTED) 1] ls /kafka
kafka-acl kafka-acl-changes kafka-acl-extended kafka kafka-acl-extended-changes
[zk: xxx.unx.sas.com(CONNECTED) 1] ls /kafka-acl
[Group, Cluster, Topic, TransactionalId, DelegationToken]
[zk: xxx.unx.sas.com(CONNECTED) 2] deleteall /kafka-acl/Topic
Authentication is not valid : /kafka-acl/Topic
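
One way to check whether SERVER_JVMFLAGS took effect, as an added example that is not part of the thread or of Cloudera's or ZooKeeper's tooling: superDigest is a JVM system property, so it appears on the server's java command line rather than in zoo.cfg, and its value is user:base64(SHA-1("user:password")). The function names and the sample command lines are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# System property the thread sets through SERVER_JVMFLAGS.
FLAG = "-Dzookeeper.DigestAuthenticationProvider.superDigest="

def zk_digest(id_password: str) -> str:
    """Return user:base64(sha1("user:password")), the form the digest scheme stores."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")

def super_digest_from_cmdline(cmdline: str):
    """Pull the superDigest value out of a java command line; None if the flag is absent.
    Accepts space-separated text (ps output) or NUL-separated text (/proc/<pid>/cmdline)."""
    m = re.search(re.escape(FLAG) + r'([^\s"\'\x00]+)', cmdline)
    return m.group(1) if m else None

def check_super_auth(cmdline: str, id_password: str) -> str:
    """Classify whether the running server would accept 'addauth digest <id_password>' as super."""
    configured = super_digest_from_cmdline(cmdline)
    if configured is None:
        return "flag-missing"   # the JVM was not started with the property
    expected = zk_digest(id_password)
    if hmac.compare_digest(configured.encode("utf-8"), expected.encode("utf-8")):
        return "match"
    return "mismatch"           # flag present, but generated from a different user:password

if __name__ == "__main__":
    # Constructed sample command lines (not captured from a real host).
    page_digest = "super:DyNYQEQvajljsxlhf5uS4PJ9R28="  # digest quoted in the thread
    main_class = " org.apache.zookeeper.server.quorum.QuorumPeerMain zoo.cfg"
    samples = {
        "with flag": "java -Xmx1g " + FLAG + page_digest + main_class,
        "without flag": "java -Xmx1g" + main_class,
    }
    for label, line in samples.items():
        print(label, "->", check_super_auth(line, "super:password"))
```

On a live host, pass in the ZooKeeper server's own command line, for example the decoded contents of /proc/<pid>/cmdline. A "flag-missing" result means the restarted server never received the property, which matches the unchanged "Authentication is not valid" error.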

 

 


Re: How to delete an acl in zookeeper

Mentor

@desind 

I can see the error "Authentication is not valid", but it seems you didn't use the format

super:password->super:DyNYQEQvajljsxlhf5uS4PJ9R28=

Instead, your input was as below, according to the steps you shared.

addauth digest super:password

And then delete the znode; that should work.

[zk: xxx.unx.sas.com(CONNECTED) 2] deleteall /kafka-acl/Topic

Please do that and revert.

 

 

 

 
