curator-user mailing list archives

From Robert Kanter
Subject Help with ACLProvider + Kerberos
Date Thu, 24 Oct 2013 23:58:20 GMT

Is there any documentation on using an ACLProvider and/or Kerberos?

From what I gathered at various sites, to use Kerberos, all I have to do is
set the following properties before building the CuratorFramework client:
System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
Looking at the logs for the client and server, this appears to be working
properly and my program is connecting to ZooKeeper using Kerberos.

The problem I'm having is with the ACLs.

I'd like to set the ACLs so that only the Kerberos user running the program
can do anything.  From what I can tell, if I specify an ACLProvider, then
Curator will automatically use it for setting ACLs on all paths.  So, an
ACLProvider like the following should do what I want:
public class CreatorACLProvider implements ACLProvider {
    public List<ACL> getDefaultAcl() {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
    }
    public List<ACL> getAclForPath(String path) {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
    }
}
Then I would just do this:
client = CuratorFrameworkFactory.builder()
                                .aclProvider(new CreatorACLProvider())

However, this doesn't seem to be working.  The zkcli returns this (on a
newly created znode):
[zk: localhost:2181(CONNECTED) 8] getAcl
: Cdr.
Is there something that I missed?

A few other questions:
1) Will the ACLProvider cause the ACLs to be applied to znodes created by
the Curator recipes?  (e.g. InterProcessReadWriteLock, ServiceDiscovery,
etc).  If not, then how should I go about setting the ACLs for these
2) I'm guessing that the ACLProvider is only applied when creating the
znode, right; so existing znodes from before I added the ACLProvider won't
have the ACLs I want, right?  What would be the best way to apply the ACLs
to any existing znodes that don't have it set?  (My goal is to have all
znodes under /oozie have the CREATOR_ALL_ACL)
3) Is there a way to set the ACLs on the namespace itself (i.e. /oozie)?
 The methods that take a path (and automatically prepend the namespace)
don't allow simply "/", so it seems like I'd have to use the ZooKeeper
client directly to set ACLs manually on the namespace.  Or would simply
passing an empty string "" work?

- Robert
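
The ACL check done by hand with zkcli above can also be run over the whole /oozie subtree; the following is an added example, not part of the original message or of Curator itself. The class name, the `expectedId` parameter and the `fix` flag are hypothetical, and it assumes a client built without a namespace (so the root can be passed as "/oozie") and a server that stores CREATOR_ALL_ACL as a `sasl` entry for the authenticated principal.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.utils.ZKPaths;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

// Added example: hypothetical helper, not code from the message or from Curator.
public class CreatorAclAudit {

    // True only when every entry grants ALL to sasl:<expectedId>.
    // Assumption: expectedId is the principal exactly as the server stores it.
    static boolean isCreatorOnly(List<ACL> acls, String expectedId) {
        if (acls.isEmpty()) {
            return false;
        }
        for (ACL acl : acls) {
            boolean ok = "sasl".equals(acl.getId().getScheme())
                    && expectedId.equals(acl.getId().getId())
                    && acl.getPerms() == ZooDefs.Perms.ALL;
            if (!ok) {
                return false; // e.g. a world:anyone entry
            }
        }
        return true;
    }

    // Walks root and all descendants and returns the paths whose ACL is not
    // creator-only. With fix=true each such path is rewritten with
    // CREATOR_ALL_ACL, which needs ADMIN permission on that znode.
    static List<String> audit(CuratorFramework client, String root,
                              String expectedId, boolean fix) throws Exception {
        List<String> offenders = new ArrayList<String>();
        List<String> pending = new ArrayList<String>();
        pending.add(root);
        while (!pending.isEmpty()) {
            String path = pending.remove(pending.size() - 1);
            // List children first: READ is still available before any change.
            for (String child : client.getChildren().forPath(path)) {
                pending.add(ZKPaths.makePath(path, child));
            }
            if (!isCreatorOnly(client.getACL().forPath(path), expectedId)) {
                offenders.add(path);
                if (fix) {
                    client.setACL().withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath(path);
                }
            }
        }
        return offenders;
    }
}
```

Running it with `fix` set to false first gives a report of znodes that predate the ACLProvider without changing anything.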
