accumulo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Allen <mich...@sqrrl.com>
Subject Re: Removing 'accumulo' from Zookeeper
Date Thu, 02 Oct 2014 17:48:42 GMT
Hi Ranjan.  If you're doing this on your own development node, or a
production node you're in full control of, you can add a root password to
ZooKeeper in order to blow away any nodes you like. Here's a little writeup
I did about it:

ZooKeeper has security features built into it by way of access control
lists (ACLs) on nodes.  Once set, these ACLs can be very hard to get rid
of, especially if errant code has set up nodes that you no longer have any
password for.  This how-to guide shows you how to set up a root user inside
of ZooKeeper that can wipe out any ACLed node.
Step-by-step guide



   1. Stop your currently running ZooKeeper.  This is either a direct
$ZOOKEEPER_HOME/bin/zkServer.sh
   stop command or a sudo service zookeeper-server stop command on some
   systest boxes.
   2.

   Edit zkServer.sh and in the following section:

   start)
       echo  -n "Starting zookeeper ... "
       if [ -f $ZOOPIDFILE ]; then
         if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
            echo $command already running as process `cat $ZOOPIDFILE`.
            exit 0
         fi
       fi
       nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
"-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
       -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" >
"$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

   Add the line
-Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
   \ within the $JAVA invocation such that the resulting section looks like
   this:

   start)
       echo  -n "Starting zookeeper ... "
       if [ -f $ZOOPIDFILE ]; then
         if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
            echo $command already running as process `cat $ZOOPIDFILE`.
            exit 0
         fi
       fi
       nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
"-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
       -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
\
       -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" >
"$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

   3. Start ZooKeeper again.
   4. Log into ZooKeeper via zkCli.sh
   5. Declare yourself the root user with the following addauth command:

   addauth digest super:secret

   6. You should now be able to delete any node and/or change any ACL
   within the ZooKeeper system.


Note that you should *NOT* set this setting up on any production system.
If you need to set up a root user on a production system, you need to
create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4=stuff
above is a "digest") linked to a better password than "secret".  To make
your own digest, use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh
 script.

On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <keith@deenlo.com> wrote:

> Accumulo will work properly if you do not clean it before installing,
> because each time you init Accumulo it stores the information for the new
> instance under a new random uuid.  For the purpose of cleaning out old
> UUIDs, its possible each old UUID could have been created with a different
> password.   Maybe thats what happening in your case?  I can not remember if
> the syntax of your addauth command is correct.
>
>
> On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_sen@hotmail.com>
> wrote:
>
>> Let me describe the scenario. Accumulo was installed earlier but has been
>> removed now. Before installing Accumulo I want to clean any ZK node related
>> to it.  Below please see the details.  I do not have any node called
>> 'instances' in ZK. As I could not use addauth and remove the nodes, I found
>> some doc on using skipACL=YES in zookeeper manual and was wondering if that
>> may enable me to clean.  Thanks for looking at it.
>>
>>   <property>
>>
>>     <name>instance.secret</name>
>>
>>     <value>DEFAULT</value>
>>
>>
>> [zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
>>
>> [zk: localhost:2181(CONNECTED) 2] rmr /accumulo
>>
>> Authentication is not valid :
>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>
>> [zk: localhost:2181(CONNECTED) 3] ls /
>>
>> [accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm,
>> brokers, controller_epoch]
>>
>> [zk: localhost:2181(CONNECTED) 4] rmr
>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>
>> Authentication is not valid :
>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>
>>
>> [zk: localhost:2181(CONNECTED) 15] getAcl
>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
>>
>> 'world,'anyone
>>
>> : r
>>
>> 'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
>>
>> : cdrwa
>>
>>
>>
>>
>> > Date: Wed, 1 Oct 2014 22:29:42 -0400
>> > From: josh.elser@gmail.com
>> > To: user@accumulo.apache.org
>> > Subject: Re: Removing 'accumulo' from Zookeeper
>>
>> >
>> > You definitely want "addauth", not "setacl".
>> >
>> > "secret" is the value of instance.secret in accumulo-site.xml.
>> >
>> > craig w wrote:
>> > > I'd double check that "secret" is correct and perhaps do you mean to
>> > > use "addauth"?
>> > >
>> > > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_sen@hotmail.com
>> > > <mailto:ranjan_sen@hotmail.com>> wrote:
>> > >
>> > > Hi Accumulo users,
>> > >
>> > > I have a accumulo znode that I want to remove from zookeeper. I
>> > > tried to use the
>> > >
>> > > setAcl digest accumulo:secret
>> > >
>> > > but it is not working when I try to remove it
>> > >
>> > > [zk: localhost:2181(CONNECTED) 11] rmr
>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>> > >
>> > > Authentication is not valid :
>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>> > >
>> > >
>> > > so I was thinking of using skipACL=YES that I saw in the zookeeper
>> > > documentation. Any idea if this can be used with zkCli.sh?
>> > >
>> > >
>> > > Ranjan
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > https://github.com/mindscratch
>> > > https://www.google.com/+CraigWickesser
>> > > https://twitter.com/mind_scratch
>> > > https://twitter.com/craig_links
>>
>
>


-- 

*Michael Allen*
Software Architect | Sqrrl-----------------------------------130
Prospect Street | Cambridge, MA 02139415.699.0106 | www.sqrrl.com
-----------------------------------

The information contained in this communication may be confidential,
subject to legal privilege, or otherwise protected from disclosure,
and is intended solely for the use of the intended recipient(s). If
you are not the intended recipient of this communication, please
destroy all copies in your possession, notify the sender that you have
received this communication in error, and note that any review or
dissemination of, or the taking of any action in reliance on, this
communication is expressly prohibited.  Please note that sqrrl data,
INC. reserves the right to intercept, monitor, and retain e-mail
messages to and from its systems as permitted by applicable law.

Mime
View raw message