From: Robert Kanter
To: user@curator.apache.org
Date: Tue, 5 Nov 2013 13:58:57 -0800
Subject: Re: Help with ACLProvider + Kerberos

I created the below test class using JUnit. It starts a TestingServer and
connects to it; then it creates a path directly to verify that the custom
ACLProvider is being applied. Then it tries to do the same with an
InterProcessReadWriteLock and fails the test because it's using the default
ACLs. I used "ip" instead of "sasl" to keep things simpler.

I did take a quick look at the Curator code and it seemed to be using the
ACLProvider through the CuratorFramework when using locks, but perhaps I
missed something (and I'm not super familiar with the codebase).

Please take a look; thanks!
- Robert

import java.util.Collections;
import java.util.List;
import junit.framework.TestCase;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.framework.recipes.locks.InterProcessMutex;
import org.apache.curator.framework.recipes.locks.InterProcessReadWriteLock;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.test.TestingServer;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class TestLockACLs extends TestCase {
    private TestingServer zkServer;
    private CuratorFramework client;
    private final List<ACL> acls = Collections.singletonList(new ACL(ZooDefs.Perms.ALL, new Id("ip", "127.0.0.1")));

    @Override
    protected void setUp() throws Exception {
        super.setUp();
        zkServer = new TestingServer();
        createClient();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
        client.close();
        zkServer.stop();
        zkServer.close();
    }

    private void createClient() throws Exception {
        RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
        String zkConnectionString = zkServer.getConnectString();
        String zkNamespace = "ns";
        client = CuratorFrameworkFactory.builder()
                                        .namespace(zkNamespace)
                                        .connectString(zkConnectionString)
                                        .retryPolicy(retryPolicy)
                                        .aclProvider(new MyACLProvider())
                                        .build();
        client.start();
    }

    public void testLockACLs() throws Exception {
        // Create a path directly and verify that MyACLProvider is being used
        client.create().forPath("/foo");
        assertNotNull(client.checkExists().forPath("/foo"));
        assertEquals(ZooDefs.Perms.ALL, client.getACL().forPath("/foo").get(0).getPerms());
        assertEquals("ip", client.getACL().forPath("/foo").get(0).getId().getScheme());
        assertEquals("127.0.0.1", client.getACL().forPath("/foo").get(0).getId().getId());

        // Now try creating a lock and we'll see that it incorrectly has the default world ACLs
        // and doesn't seem to be using MyACLProvider
        InterProcessReadWriteLock lock = new InterProcessReadWriteLock(client, "/bar");
        InterProcessMutex writeLock = lock.writeLock();
        writeLock.acquire();
        assertNotNull(client.checkExists().forPath("/bar"));
        assertEquals(ZooDefs.Perms.ALL, client.getACL().forPath("/bar").get(0).getPerms());
        assertEquals("ip", client.getACL().forPath("/bar").get(0).getId().getScheme());
        assertEquals("127.0.0.1", client.getACL().forPath("/bar").get(0).getId().getId());
    }

    public class MyACLProvider implements ACLProvider {

        @Override
        public List<ACL> getDefaultAcl() {
            return acls;
        }

        @Override
        public List<ACL> getAclForPath(String path) {
            return acls;
        }
    }
}

On Mon, Nov 4, 2013 at 6:10 PM, Jordan Zimmerman wrote:

> The ACLProvider should be called for every node created. It's not getting
> called? Can you produce a test that shows this?
>
> -Jordan
>
> On Nov 4, 2013, at 5:57 PM, Robert Kanter wrote:
>
> I have everything working now except for one thing:
> The ACLProvider doesn't seem to be used for the locks (Curator's
> InterProcessReadWriteLock); they are always created with the default
> fully open ACLs. I know the ACLProvider is correct now because the
> service discovery is using it and znodes created by it have the correct
> ACLs. InterProcessReadWriteLock's constructor takes in the
> CuratorFramework object, which has the ACLProvider set.
>
> Any ideas?
> This sounds like it could be a Curator bug :(
> I'm not familiar with Curator's codebase, but I'll try to take a look and
> see if I can figure it out.
>
> thanks
> - Robert
>
>
>
> On Mon, Nov 4, 2013 at 1:09 PM, Robert Kanter wrote:
>
>> I don't have it 100% working yet, but I've figured out a lot more, so I
>> thought I'd share in case anyone else runs into this:
>>
>> The ZooDefs.Ids.CREATOR_ALL_ACL predefined ACL that I was trying to use
>> is for the "auth" scheme.
>> For SASL/Kerberos, we want "sasl". The
>> javadoc for the predefined one wasn't very clear on that; I had to look at
>> the code. Using this is working:
>> Collections.singletonList(new ACL(Perms.ALL, new Id("sasl", principal)));
>>
>> I was also able to find answers to the three questions I asked:
>> 1) Yes; looking through the code, it's definitely grabbing the
>> ACLProvider and using it.
>> 2) Yes; I think the only way to do this is to recursively travel through
>> the znodes under /oozie and apply the ACL on starting up Oozie. We
>> should only have to do this if previously it was set up without security and
>> has since been reconfigured to use security; so we should only have to do
>> this once. I can probably have a znode as a flag that states if
>> everything has ACLs or not to make it more efficient
>> 3) It doesn't look like it; I'll have to get the ZK client and do it
>> from outside Curator
>>
>>
>> - Robert
>>
>>
>> On Mon, Oct 28, 2013 at 5:47 PM, Jordan Zimmerman <
>> jordan@jordanzimmerman.com> wrote:
>>
>>> I don't have any experience with this. Curator doesn't do much - it sets
>>> up the ACL as the CLI options dictate. I do know that you also have to do
>>> work on the server side to make this work.
>>>
>>> -JZ
>>>
>>> On Oct 24, 2013, at 4:58 PM, Robert Kanter wrote:
>>>
>>> Hi,
>>>
>>> Is there any documentation on using an ACLProvider and/or Kerberos?
>>>
>>> From what I gathered at various sites, to use Kerberos, all I have to do
>>> is set the following properties before building the CuratorFramework client:
>>> System.setProperty("java.security.auth.login.config",
>>> "/path/to/jaasConfFile");
>>>
>>> System.setProperty("zookeeper.authProvider.1","org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
>>> System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
>>> Looking at the logs for the client and server, this appears to be
>>> working properly and my program is connecting to ZooKeeper using Kerberos.
>>>
>>> The problem I'm having is with the ACLs.
>>>
>>> I'd like to set the ACLs so that only the Kerberos user running the
>>> program can do anything. From what I can tell, if I specify an
>>> ACLProvider, then Curator will automatically use it for setting ACLs on
>>> all paths. So, an ACLProvider like the following should do what I want:
>>> public class CreatorACLProvider implements ACLProvider {
>>>     @Override
>>>     public List<ACL> getDefaultAcl() {
>>>         return ZooDefs.Ids.CREATOR_ALL_ACL;
>>>     }
>>>     @Override
>>>     public List<ACL> getAclForPath(String path) {
>>>         return ZooDefs.Ids.CREATOR_ALL_ACL;
>>>     }
>>> }
>>> Then I would just do this:
>>> client = CuratorFrameworkFactory.builder()
>>>                                 .namespace(zkNamespace)
>>>                                 .connectString(zkConnectionString)
>>>                                 .retryPolicy(retryPolicy)
>>>                                 .aclProvider(new CreatorACLProvider())
>>>                                 .build();
>>> client.start();
>>>
>>> However, this doesn't seem to be working. The zkcli returns this (on a
>>> newly created znode):
>>> [zk: localhost:2181(CONNECTED) 8] getAcl
>>> /oozie/locks/0000000-131024162150146-oozie-oozi-W
>>> 'world,'anyone
>>> : Cdr.
>>> Is there something that I missed?
>>>
>>> A few other questions:
>>> 1) Will the ACLProvider cause the ACLs to be applied to znodes created
>>> by the Curator recipes? (e.g. InterProcessReadWriteLock,
>>> ServiceDiscovery, etc).
>>> If not, then how should I go about setting the
>>> ACLs for these znodes?
>>> 2) I'm guessing that the ACLProvider is only applied when creating the
>>> znode, right; so existing znodes from before I added the ACLProvider
>>> won't have the ACLs I want, right? What would be the best way to apply the
>>> ACLs to any existing znodes that don't have it set? (My goal is to have
>>> all znodes under /oozie have the CREATOR_ALL_ACL)
>>> 3) Is there a way to set the ACLs on the namespace itself (i.e. /oozie)?
>>> The methods that take a path (and automatically prepend the namespace)
>>> don't allow simply "/", so it seems like I'd have to use the ZooKeeper
>>> client directly to set ACLs manually on the namespace. Or would simply
>>> passing an empty string "" work?
>>>
>>> thanks
>>> - Robert
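
The one-time pass described in answers 2 and 3 of the quoted 1:09 PM message (walk every existing znode under the namespace, including the namespace znode itself, and apply the "sasl" ACL through the raw ZooKeeper client), as an added example that is not code from this thread or from Curator. The class name, method names and the flag znode name are assumptions; the client is assumed to be started and already authenticated via the JAAS settings shown in the thread.

```java
import java.util.Collections;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

public class ZnodeAclMigration {
    // Hypothetical marker znode recording that the one-time pass has completed.
    static final String FLAG = "/acls-applied";

    /** Applies acls to path and every descendant; returns how many znodes were changed. */
    static int applyRecursively(ZooKeeper zk, String path, List<ACL> acls)
            throws KeeperException, InterruptedException {
        int updated = 0;
        try {
            // Read the child list before tightening the ACL on this znode.
            List<String> children = zk.getChildren(path, false);
            if (!acls.equals(zk.getACL(path, new Stat()))) {
                // -1 matches any ACL version; the caller needs ADMIN on the znode.
                zk.setACL(path, acls, -1);
                updated++;
            }
            for (String child : children) {
                updated += applyRecursively(zk, path + "/" + child, acls);
            }
        } catch (KeeperException.NoNodeException e) {
            // Ephemeral lock or discovery znodes can vanish mid-walk; nothing left to secure.
        }
        return updated;
    }

    /**
     * Runs the pass once for a namespace such as "oozie", guarded by the flag znode.
     * Returns the number of znodes whose ACL was changed (0 if already done).
     */
    static int migrateOnce(CuratorFramework client, String namespace, String principal)
            throws Exception {
        List<ACL> acls = Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
        // Raw ZooKeeper handle: paths here are NOT namespace-prefixed, so the
        // namespace znode itself (e.g. /oozie) can be addressed directly.
        ZooKeeper zk = client.getZookeeperClient().getZooKeeper();
        String root = "/" + namespace;
        if (zk.exists(root, false) == null || zk.exists(root + FLAG, false) != null) {
            return 0;
        }
        int updated = applyRecursively(zk, root, acls);
        try {
            zk.create(root + FLAG, new byte[0], acls, CreateMode.PERSISTENT);
        } catch (KeeperException.NodeExistsException e) {
            // Another instance finished the same pass first.
        }
        return updated;
    }
}
```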