accumulo-user mailing list archives

From Mike Drob <md...@mdrob.com>
Subject Re: Removing 'accumulo' from Zookeeper
Date Thu, 02 Oct 2014 20:07:12 GMT
Michael,

These are great ZK instructions. Have you considered contributing them to
the project upstream? We can converse about this off-list if you'd prefer,
since it's not particularly germane to this topic.

Mike

On Thu, Oct 2, 2014 at 12:50 PM, Michael Allen <michael@sqrrl.com> wrote:

> I cut and paste a little fast there at the end, so obviously no one
> outside of Sqrrl has the "zk-digest.sh" script.  Here's that in all its
> gory detail:
>
> #!/bin/bash
>
> # Quote the variables so an unset value still yields a valid test.
> if [ -z "${ZOOKEEPER_HOME}" ]; then
>     echo "Set \$ZOOKEEPER_HOME before running this script"
>     exit 4747
> fi
>
> if [ -z "${JAVA_HOME}" ]; then
>     echo "Set \$JAVA_HOME before running this script"
>     exit 4747
> fi
>
> if [ $# -eq 0 ]; then
>     echo "usage: zk-digest.sh <digest string>"
>     echo ""
>     echo "  Utility to produce authentication digests, such as you might see in ZooKeeper node ACL entries"
>     echo ""
>     echo "  Example: zk-digest.sh sqrrl:secret"
>     exit 4747
> fi
>
> ZK_CLASSPATH="\
> ${ZOOKEEPER_HOME}/build/classes:\
> ${ZOOKEEPER_HOME}/build/lib/*.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\
> ${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\
> ${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\
> ${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\
> ${ZOOKEEPER_HOME}/src/java/lib/*.jar:\
> ${ZOOKEEPER_HOME}/conf\
> "
>
> # DigestAuthenticationProvider's main() prints each user:password argument
> # together with its digest; "$@" passes the arguments through intact.
> "${JAVA_HOME}/bin/java" -Dzookeeper.log.dir="." \
>     -Dzookeeper.root.logger="INFO,CONSOLE" \
>     -cp "${ZK_CLASSPATH}" \
>     -Dcom.sun.management.jmxremote \
>     -Dcom.sun.management.jmxremote.local.only=false \
>     org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
>
> On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <michael@sqrrl.com> wrote:
>
>> Hi Ranjan.  If you're doing this on your own development node, or a
>> production node you're in full control of, you can add a root password to
>> ZooKeeper in order to blow away any nodes you like. Here's a little writeup
>> I did about it:
>>
>> ZooKeeper has security features built into it by way of access control
>> lists (ACLs) on nodes.  Once set, these ACLs can be very hard to get rid
>> of, especially if errant code has set up nodes that you no longer have any
>> password for.  This how-to guide shows you how to set up a root user inside
>> of ZooKeeper that can wipe out any ACLed node.
>> Step-by-step guide
>>
>>    1. Stop your currently running ZooKeeper.  This is either a direct
>>    $ZOOKEEPER_HOME/bin/zkServer.sh stop command or a sudo service
>>    zookeeper-server stop command on some systest boxes.
>>    2. Edit zkServer.sh and in the following section:
>>
>>    start)
>>        echo  -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>             echo $command already running as process `cat $ZOOPIDFILE`.
>>             exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>>    Add the line -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
>>    \ within the $JAVA invocation such that the resulting section looks
>>    like this:
>>
>>    start)
>>        echo  -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>             echo $command already running as process `cat $ZOOPIDFILE`.
>>             exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>>    3. Start ZooKeeper again.
>>    4. Log into ZooKeeper via zkCli.sh
>>    5. Declare yourself the root user with the following addauth command:
>>
>>    addauth digest super:secret
>>
>>    6. You should now be able to delete any node and/or change any ACL
>>    within the ZooKeeper system.
>>
>>
>> Note that you should *NOT* set this setting up on any production
>> system.  If you need to set up a root user on a production system, you need
>> to create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4= stuff
>> above is a "digest") linked to a better password than "secret".  To make
>> your own digest, use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh
>> script.
>>
>> On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <keith@deenlo.com> wrote:
>>
>>> Accumulo will work properly if you do not clean it before installing,
>>> because each time you init Accumulo it stores the information for the new
>>> instance under a new random UUID.  For the purpose of cleaning out old
>>> UUIDs, it's possible each old UUID could have been created with a different
>>> password.  Maybe that's what's happening in your case?  I cannot remember if
>>> the syntax of your addauth command is correct.
>>>
>>>
>>> On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_sen@hotmail.com>
>>> wrote:
>>>
>>>> Let me describe the scenario. Accumulo was installed earlier but has
>>>> been removed now. Before installing Accumulo I want to clean any ZK node
>>>> related to it.  Below please see the details.  I do not have any node
>>>> called 'instances' in ZK. As I could not use addauth and remove the nodes,
>>>> I found some doc on using skipACL=YES in zookeeper manual and was wondering
>>>> if that may enable me to clean.  Thanks for looking at it.
>>>>
>>>>   <property>
>>>>
>>>>     <name>instance.secret</name>
>>>>
>>>>     <value>DEFAULT</value>
>>>>
>>>>
>>>> [zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
>>>>
>>>> [zk: localhost:2181(CONNECTED) 2] rmr /accumulo
>>>>
>>>> Authentication is not valid :
>>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>>
>>>> [zk: localhost:2181(CONNECTED) 3] ls /
>>>>
>>>> [accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm,
>>>> brokers, controller_epoch]
>>>>
>>>> [zk: localhost:2181(CONNECTED) 4] rmr
>>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>>
>>>> Authentication is not valid :
>>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>>
>>>>
>>>> [zk: localhost:2181(CONNECTED) 15] getAcl
>>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
>>>>
>>>> 'world,'anyone
>>>>
>>>> : r
>>>>
>>>> 'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
>>>>
>>>> : cdrwa
>>>>
>>>>
>>>>
>>>>
>>>> > Date: Wed, 1 Oct 2014 22:29:42 -0400
>>>> > From: josh.elser@gmail.com
>>>> > To: user@accumulo.apache.org
>>>> > Subject: Re: Removing 'accumulo' from Zookeeper
>>>>
>>>> >
>>>> > You definitely want "addauth", not "setacl".
>>>> >
>>>> > "secret" is the value of instance.secret in accumulo-site.xml.
>>>> >
>>>> > craig w wrote:
>>>> > > I'd double check that "secret" is correct and perhaps do you mean to
>>>> > > use "addauth"?
>>>> > >
>>>> > > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_sen@hotmail.com
>>>> > > <mailto:ranjan_sen@hotmail.com>> wrote:
>>>> > >
>>>> > > Hi Accumulo users,
>>>> > >
>>>> > > I have an accumulo znode that I want to remove from zookeeper. I
>>>> > > tried to use the
>>>> > >
>>>> > > setAcl digest accumulo:secret
>>>> > >
>>>> > > but it is not working when I try to remove it
>>>> > >
>>>> > > [zk: localhost:2181(CONNECTED) 11] rmr
>>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > >
>>>> > > Authentication is not valid :
>>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > >
>>>> > >
>>>> > > so I was thinking of using skipACL=YES that I saw in the zookeeper
>>>> > > documentation. Any idea if this can be used with zkCli.sh?
>>>> > >
>>>> > >
>>>> > > Ranjan
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > https://github.com/mindscratch
>>>> > > https://www.google.com/+CraigWickesser
>>>> > > https://twitter.com/mind_scratch
>>>> > > https://twitter.com/craig_links
>>>>
>>>
>>>
>>
>>
>> --
>>
>> *Michael Allen*
>> Software Architect | Sqrrl
>> -----------------------------------
>> 130 Prospect Street | Cambridge, MA 02139
>> 415.699.0106 | www.sqrrl.com
>> -----------------------------------
>>
>> The information contained in this communication may be confidential, subject to legal
>> privilege, or otherwise protected from disclosure, and is intended solely for the use of the
>> intended recipient(s). If you are not the intended recipient of this communication, please
>> destroy all copies in your possession, notify the sender that you have received this communication
>> in error, and note that any review or dissemination of, or the taking of any action in reliance
>> on, this communication is expressly prohibited.  Please note that sqrrl data, INC. reserves
>> the right to intercept, monitor, and retain e-mail messages to and from its systems as permitted
>> by applicable law.
>>
>>
>
>
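
The digest that Michael's zk-digest.sh emits and the superDigest property expects is SHA-1 of "user:password", base64-encoded and prefixed with the user. The block below is an added example, not code from the thread or from ZooKeeper: it reimplements that scheme, parses the ACL output zkCli's getAcl prints, and checks which addauth credential would actually get the 'd' permission that rmr needs on the parent node, which is the situation Ranjan hit. The sample ACL text and the secrets "old-secret" and "DEFAULT" are constructed for the example.

```python
import base64
import hashlib


def zk_digest(id_password: str) -> str:
    """user:password -> user:BASE64(SHA1(user:password)), the form of a
    'digest' ACL id and of the superDigest property value."""
    if ":" not in id_password:
        raise ValueError("expected user:password")
    user = id_password.split(":", 1)[0]
    sha = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha).decode("ascii")


def parse_get_acl(text: str) -> list:
    """Turn zkCli getAcl output ("'scheme,'id" followed by ": perms") into
    (scheme, id, perms) tuples."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("'"):
            scheme, ident = line[1:].split(",'", 1)
            pending = (scheme, ident)
        elif line.startswith(":") and pending is not None:
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def grants(credential: str, acl: list, perm: str) -> bool:
    """True if the ACL gives permission letter perm (c d r w a) to a session
    that ran 'addauth digest credential': world/anyone matches everyone, a
    digest entry only when the credential's digest equals its id."""
    wanted = zk_digest(credential)
    for scheme, ident, perms in acl:
        if perm not in perms:
            continue
        if (scheme, ident) == ("world", "anyone") or (scheme == "digest" and ident == wanted):
            return True
    return False


# Constructed: ACL on .../users written when instance.secret was "old-secret", not today's "DEFAULT"
SAMPLE_GET_ACL = "'world,'anyone\n: r\n'digest,'" + zk_digest("accumulo:old-secret") + "\n: cdrwa\n"
ACL = parse_get_acl(SAMPLE_GET_ACL)

if __name__ == "__main__":
    # rmr of users/root needs 'd' on /users, so only the original secret works
    for cred in ("accumulo:DEFAULT", "accumulo:old-secret"):
        print(cred, "-> delete allowed:", grants(cred, ACL, "d"))
    print("superDigest for super:secret ->", zk_digest("super:secret"))
```

Comparing zk_digest of a candidate secret with the id printed by getAcl tells you, before touching anything, whether an addauth with that secret can succeed or whether the superDigest route is needed.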
