curator-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jordan Zimmerman <>
Subject Re: Help with ACLProvider + Kerberos
Date Tue, 29 Oct 2013 00:47:39 GMT
I don’t have any experience with this. Curator doesn’t do much - it sets up the ACL as
the CLI options dictate. I do know that you also have to do work on the server side to make
this work.


On Oct 24, 2013, at 4:58 PM, Robert Kanter <> wrote:

> Hi,
> Is there any documentation on using an ACLProvider and/or Kerberos?  
> From what I gathered at various sites, to use Kerberos, all I have to do is set the following
properties before building the CuratorFramework client:
> System.setProperty("", "/path/to/jaasConfFile");
> System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
> System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
> Looking at the logs for the client and server, this appears to be working properly and
my program is connecting to ZooKeeper using Kerberos.  
> The problem I'm having is with the ACLs.  
> I'd like to set the ACLs so that only the Kerberos user running the program can do anything.
 From what I can tell, if I specify an ACLProvider, then Curator will automatically use it
for setting ACLs on all paths.  So, an ACLProvider like the following should do what I want:
> public class CreatorACLProvider implements ACLProvider {
>    @Override
>     public List<ACL> getDefaultAcl() {
>         return ZooDefs.Ids.CREATOR_ALL_ACL;
>    }
>    @Override
>     public List<ACL> getAclForPath(String path) {
>         return ZooDefs.Ids.CREATOR_ALL_ACL;
>    }
> }
> Then I would just do this:
> client = CuratorFrameworkFactory.builder()
>                                 .namespace(zkNamespace)
>                                 .connectString(zkConnectionString)
>                                 .retryPolicy(retryPolicy)
>                                 .aclProvider(new CreatorACLProvider())
>                                 .build();
> client.start();
> However, this doesn't seem to be working.  The zkcli returns this (on a newly created
> [zk: localhost:2181(CONNECTED) 8] getAcl /oozie/locks/0000000-131024162150146-oozie-oozi-W
> 'world,'anyone
> : Cdr.
> Is there something that I missed?  
> A few other questions:
> 1) Will the ACLProvider cause the ACLs to be applied to znodes created by the Curator
recipes?  (e.g. InterProcessReadWriteLock, ServiceDiscovery, etc).  If not, then how should
I go about setting the ACLs for these znodes?  
> 2) I'm guessing that the ACLProvider is only applied when creating the znode, right;
so existing znodes from before I added the ACLProvider won't have the ACLs I want, right?
 What would be the best way to apply the ACLs to any existing znodes that don't have it set?
 (My goal is to have all znodes under /oozie have the CREATOR_ALL_ACL)
> 3) Is there a way to set the ACLs on the namespace itself (i.e. /oozie)?  The methods
that take a path (and automatically prepend the namespace) don't allow simply "/", so it seems
like I'd have to use the ZooKeeper client directly to set ACLs manually on the namespace.
 Or would simply passing an empty string "" work?
> thanks
> - Robert

View raw message