zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Liwei.Sun" <liwei....@baifendian.com>
Subject 答复: Can't remove a znode because of ACL issue.
Date Sun, 01 Jul 2012 10:41:45 GMT
It need to restart the zk server to enable the super user, right? If so, it
won't help. Because the zk cluster is serving online. We can't stop and
restart the service.

Here are the things I did according to the document, but it didn't work.
My zk cluster contains 4 machines. I select one of them and change the
zookeeper/bin/zkCli.sh on it. A new line is added like the following code:

$JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
"-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
 
"-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJ
Fh8f+1Gwv62s='" \   // this line is new added
     -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
     org.apache.zookeeper.ZooKeeperMain $@

super:VQ6+KW+63miPakJFh8f+1Gwv62s=  is the digest data.
Then I run ./zkCli.sh to connect to the server, and 
addauth digest super:<password>  

But I still can't change the ACL of /Apple/Boy znode because of ACL 
So, I guess I need to restart all the 4 zk servers to make the
zookeeper.DigestAuthenticationProvider.superDigest property taken into
effect.
Am I right?

Liwei

-----邮件原件-----
发件人: John Sirois [mailto:john.sirois@gmail.com] 
发送时间: 2012年6月29日 18:40
收件人: user@zookeeper.apache.org
抄送: user@zookeeper.apache.org; liwei.sun@baifendian.com
主题: Re: Can't remove a znode because of ACL issue.



Sent from my iPhone

On Jun 29, 2012, at 3:34 AM, sun liwei <sliveysun@gmail.com> wrote:

> I have the following znodes in zk:
> 
> /Apple/Boy/Cat
> 
> And the ACL of these three znodes are:
> 
> /                         world:anyone:cdrwa
> /App                   world:anyone:cdrwa
> /Apple/Boy          world:anyone:cdrwa
> /Apple/Boy/Cat    world:anyone:cdrwa
> 
> Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> mistake):
> 
> /                         world:anyone:cdrwa
> /App                   world:anyone:cdrwa
> /Apple/Boy          world:anyone:r
> /Apple/Boy/Cat    world:anyone:cdrwa
> 
> Now, I have a problem to delete the /Apple/Boy znode. Before 
> /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but 
> /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy which
is 'r' (readonly).
> 
> So, is there any way to delete the znode /Apple/Boy or recovery the 
> its ACL to 'cdrwa'?

You can fabricate super user credentials and then enable the super user in
your cluster's configs.  After rolling the cluster you can authenticate as
super and then do as you will with any node.  See
http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions

> 
> Thanks in advance.
> Liwei


Mime
View raw message