accumulo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ranjan Sen <ranjan_...@hotmail.com>
Subject RE: Removing 'accumulo' from Zookeeper
Date Thu, 02 Oct 2014 19:56:57 GMT
Thanks Michael. It worked! 

Date: Thu, 2 Oct 2014 13:50:51 -0400
Subject: Re: Removing 'accumulo' from Zookeeper
From: michael@sqrrl.com
To: user@accumulo.apache.org

I cut and paste a little fast there at the end, so obviously no one outside of Sqrrl has the
"zk-digest.sh" script.  Here's that in all its gory detail: 
#!/bin/bash
if [ -z ${ZOOKEEPER_HOME} ]; then	echo "Set \$ZOOKEEPER_HOME before running this script"	exit
4747fi
if [ -z ${JAVA_HOME} ]; then	echo "Set \$JAVA_HOME before running this script"	exit 4747fi
if [ $# -eq 0 ]; then	echo "usage: zk-digest.sh <digest string>"	echo ""	echo "  Utility
to produce authentication digests, such as you might see in ZooKeeper node ACL entries"	echo
""	echo "  Example: zk-digest.sh sqrrl:secret"	exit 4747fi
ZK_CLASSPATH="\${ZOOKEEPER_HOME}/build/classes:\${ZOOKEEPER_HOME}/build/lib/*.jar:\${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\${ZOOKEEPER_HOME}/src/java/lib/*.jar:\${ZOOKEEPER_HOME}/conf\"
${JAVA_HOME}/bin/java -Dzookeeper.log.dir="." \-Dzookeeper.root.logger="INFO,CONSOLE" \-cp
"${ZK_CLASSPATH}" \-Dcom.sun.management.jmxremote \-Dcom.sun.management.jmxremote.local.only=false
\org.apache.zookeeper.server.auth.DigestAuthenticationProvider $*
On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <michael@sqrrl.com> wrote:
Hi Ranjan.  If you're doing this on your own development node, or a production node you're
in full control of, you can add a root password to ZooKeeper in order to blow away any nodes
you like. Here's a little writeup I did about it:
ZooKeeper has security features built into it by way of access control lists (ACLs) on nodes.
 Once set, these ACLs can be very hard to get rid of, especially if errant code has set up
nodes that you no longer have any password for.  This how-to guide shows you how to set up
a root user inside of ZooKeeper that can wipe out any ACLed node.Step-by-step guide Stop your
currently running ZooKeeper.  This is either a direct $ZOOKEEPER_HOME/bin/zkServer.sh stop
command or a sudo service zookeeper-server stop command on some systest boxes.Edit zkServer.sh
and in the following section:

start)
    echo  -n "Starting zookeeper ... "
    if [ -f $ZOOPIDFILE ]; then
      if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
         echo $command already running as process `cat $ZOOPIDFILE`. 
         exit 0
      fi
    fi
    nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}"
\
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 <
/dev/null &Add the line -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
\ within the $JAVA invocation such that the resulting section looks like this:

start)
    echo  -n "Starting zookeeper ... "
    if [ -f $ZOOPIDFILE ]; then
      if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
         echo $command already running as process `cat $ZOOPIDFILE`. 
         exit 0
      fi
    fi
    nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}"
\
    -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
\
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 <
/dev/null &Start ZooKeeper again.Log into ZooKeeper via zkCli.shDeclare yourself the root
user with the following addauth command:

addauth digest super:secret
 You should now be able to delete any node and/or change any ACL within the ZooKeeper system.
 

Note that you should NOT set this setting up on any production system.  If you need to set
up a root user on a production system, you need to create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4=stuff
above is a "digest") linked to a better password than "secret".  To make your own digest,
use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh script.
On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <keith@deenlo.com> wrote:
Accumulo will work properly if you do not clean it before installing, because each time you
init Accumulo it stores the information for the new instance under a new random uuid.  For
the purpose of cleaning out old UUIDs, its possible each old UUID could have been created
with a different password.   Maybe thats what happening in your case?  I can not remember
if the syntax of your addauth command is correct.

On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_sen@hotmail.com> wrote:



Let me describe the scenario. Accumulo was installed earlier but has been removed now. Before
installing Accumulo I want to clean any ZK node related to it.  Below please see the details.
 I do not have any node called 'instances' in ZK. As I could not use addauth and remove the
nodes, I found some doc on using skipACL=YES in zookeeper manual and was wondering if that
may enable me to clean.  Thanks for looking at it. 








  <property>
    <name>instance.secret</name>
    <value>DEFAULT</value>


[zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
[zk: localhost:2181(CONNECTED) 2] rmr /accumulo
Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
[zk: localhost:2181(CONNECTED) 3] ls /
[accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm, brokers, controller_epoch]
[zk: localhost:2181(CONNECTED) 4] rmr /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root

Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root


[zk: localhost:2181(CONNECTED) 15] getAcl  /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
'world,'anyone
: r
'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
: cdrwa




































> Date: Wed, 1 Oct 2014 22:29:42 -0400
> From: josh.elser@gmail.com
> To: user@accumulo.apache.org
> Subject: Re: Removing 'accumulo' from Zookeeper
> 
> You definitely want "addauth", not "setacl".
> 
> "secret" is the value of instance.secret in accumulo-site.xml.
> 
> craig w wrote:
> > I'd double check that "secret" is correct and perhaps do you mean to 
> > use "addauth"?
> >
> > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_sen@hotmail.com 
> > <mailto:ranjan_sen@hotmail.com>> wrote:
> >
> >     Hi Accumulo users,
> >
> >     I have a accumulo znode that I want to remove from zookeeper. I
> >     tried to use the
> >
> >     setAcl  digest accumulo:secret
> >
> >     but it is not working when I try to remove it
> >
> >     [zk: localhost:2181(CONNECTED) 11] rmr
> >     /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
> >
> >     Authentication is not valid :
> >     /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
> >
> >
> >     so I was thinking of using skipACL=YES that I saw in the zookeeper
> >     documentation. Any idea if this can be used with zkCli.sh?
> >
> >
> >     Ranjan
> >
> >
> >
> >
> > -- 
> > https://github.com/mindscratch
> > https://www.google.com/+CraigWickesser
> > https://twitter.com/mind_scratch
> > https://twitter.com/craig_links
 		 	   		  




-- 
Michael Allen
Software Architect | Sqrrl
-----------------------------------
130 Prospect Street | Cambridge, MA 02139
415.699.0106 | www.sqrrl.com
-----------------------------------The information contained in this communication may be
confidential, subject to legal privilege, or otherwise protected from disclosure, and is intended
solely for the use of the intended recipient(s). If you are not the intended recipient of
this communication, please destroy all copies in your possession, notify the sender that you
have received this communication in error, and note that any review or dissemination of, or
the taking of any action in reliance on, this communication is expressly prohibited.  Please
note that sqrrl data, INC. reserves the right to intercept, monitor, and retain e-mail messages
to and from its systems as permitted by applicable law.




-- 
Michael Allen
Software Architect | Sqrrl
-----------------------------------
130 Prospect Street | Cambridge, MA 02139
415.699.0106 | www.sqrrl.com
-----------------------------------The information contained in this communication may be
confidential, subject to legal privilege, or otherwise protected from disclosure, and is intended
solely for the use of the intended recipient(s). If you are not the intended recipient of
this communication, please destroy all copies in your possession, notify the sender that you
have received this communication in error, and note that any review or dissemination of, or
the taking of any action in reliance on, this communication is expressly prohibited.  Please
note that sqrrl data, INC. reserves the right to intercept, monitor, and retain e-mail messages
to and from its systems as permitted by applicable law.

 		 	   		  
Mime
View raw message