zookeeper-user mailing list archives

From sun liwei <slivey...@gmail.com>
Subject Re: Reply: Can't remove a znode because of ACL issue.
Date Tue, 03 Jul 2012 02:55:54 GMT
Many thanks to John.

On Mon, Jul 2, 2012 at 11:14 AM, John Sirois <john.sirois@gmail.com> wrote:

> On Sun, Jul 1, 2012 at 4:41 AM, Liwei.Sun <liwei.sun@baifendian.com>
> wrote:
>
> > It needs to restart the zk server to enable the super user, right? If so, it
> > won't help. Because the zk cluster is serving online. We can't stop and
> > restart the service.
> >
>
> Assuming you have a quorum of >= 3 nodes, you should be able to slow roll
> the nodes to propagate this change to all members and still keep the
> cluster on-line as long as clients are properly configured with all quorum
> hosts.


I changed the zkServer.sh of the observer server, restarted the server
and connected to it. The super user works well. I can change the ACL of any
nodes.
So, my problem is resolved.
But if I connect to any other servers with zkCli.sh, the super user does
not work.


>
> > Here are the things I did according to the document, but it didn't work.
> > My zk cluster contains 4 machines. I select one of them and change the
> >
>
> This is an aside, but are all 4 quorum peers or is 1 an observer or
> read-only node?  Typically you'd want an odd number of quorum participating
> nodes.
>
You are right, one of them is an observer.

>
>
> > zookeeper/bin/zkCli.sh on it. A new line is added like the following code:
> >
> > $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
> >      "-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJFh8f+1Gwv62s='" \   // this line is new added
> >      -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
> >      org.apache.zookeeper.ZooKeeperMain $@
> >
> > super:VQ6+KW+63miPakJFh8f+1Gwv62s=  is the digest data.
> > Then I run ./zkCli.sh to connect to the server, and
> > addauth digest super:<password>
> >
> > But I still can't change the ACL of /Apple/Boy znode because of ACL
> > So, I guess I need to restart all the 4 zk servers to make the
> > zookeeper.DigestAuthenticationProvider.superDigest property taken into
> > effect.
> > Am I right?
>
>
> I believe you are (I applied this change to all my quorum peers in a slow
> roll and only when complete tried the super user account) - but I have not
> either tried just modifying the config for one peer and connecting to it
> nor have I read this bit of zk server code.
>
>
> > Liwei
> >
> > -----Original Message-----
> > From: John Sirois [mailto:john.sirois@gmail.com]
> > Sent: June 29, 2012 18:40
> > To: user@zookeeper.apache.org
> > Cc: user@zookeeper.apache.org; liwei.sun@baifendian.com
> > Subject: Re: Can't remove a znode because of ACL issue.
> >
> >
> >
> > Sent from my iPhone
> >
> > On Jun 29, 2012, at 3:34 AM, sun liwei <sliveysun@gmail.com> wrote:
> >
> > > I have the following znodes in zk:
> > >
> > > /Apple/Boy/Cat
> > >
> > > And the ACL of these three znodes are:
> > >
> > > /                         world:anyone:cdrwa
> > > /App                   world:anyone:cdrwa
> > > /Apple/Boy          world:anyone:cdrwa
> > > /Apple/Boy/Cat    world:anyone:cdrwa
> > >
> > > Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> > > mistake):
> > >
> > > /                         world:anyone:cdrwa
> > > /App                   world:anyone:cdrwa
> > > /Apple/Boy          world:anyone:r
> > > /Apple/Boy/Cat    world:anyone:cdrwa
> > >
> > > Now, I have a problem to delete the /Apple/Boy znode. Before
> > > /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but
> > > /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy which
> > > is 'r' (readonly).
> > >
> > > So, is there any way to delete the znode /Apple/Boy or recover
> > > its ACL to 'cdrwa'?
> >
> > You can fabricate super user credentials and then enable the super user in
> > your cluster's configs.  After rolling the cluster you can authenticate as
> > super and then do as you will with any node.  See
> > http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions
> >
> > >
> > > Thanks in advance.
> > > Liwei
> >
> >
>
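
An added example (not part of the original messages and not ZooKeeper's own code): a Python model of the checks discussed in this thread. It shows how a superDigest value of the form `super:<base64 SHA-1>` is derived, why only a server started with the property grants super, and why the `r`-only ACL on /Apple/Boy blocks both deleting /Apple/Boy/Cat and resetting the ACL. The function names, the password used in any call, and the /Apple entry are assumptions made for illustration.

```python
import base64
import hashlib

# Permission bits as in ZooKeeper's ZooDefs.Perms.
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def perms(letters):
    return sum(PERMS[c] for c in letters)


def generate_digest(id_password):
    """'user:password' -> 'user:' + base64(sha1('user:password'))."""
    user = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")


def authenticate(id_password, server_super_digest=None):
    """Identities one server attaches to a session after `addauth digest`."""
    digest = generate_digest(id_password)
    ids = {("digest", digest)}
    # Only a server started with the superDigest property can grant super.
    if server_super_digest is not None and digest == server_super_digest:
        ids.add(("super", ""))
    return ids


def check_acl(acl, needed, auth_ids=frozenset()):
    if any(scheme == "super" for scheme, _ in auth_ids):
        return True  # super bypasses every ACL
    return any(p & needed and (who == ("world", "anyone") or who in auth_ids)
               for who, p in acl)


# Constructed model of the thread's tree after the mistaken setAcl.
ACLS = {
    "/Apple": [(("world", "anyone"), perms("cdrwa"))],  # assumed entry
    "/Apple/Boy": [(("world", "anyone"), perms("r"))],
    "/Apple/Boy/Cat": [(("world", "anyone"), perms("cdrwa"))],
}


def acl_allows_delete(path, auth_ids=frozenset()):
    parent = path.rsplit("/", 1)[0]
    return check_acl(ACLS[parent], PERMS["d"], auth_ids)  # checked on the parent


def acl_allows_set_acl(path, auth_ids=frozenset()):
    return check_acl(ACLS[path], PERMS["a"], auth_ids)  # checked on the node
```

Passing `server_super_digest=None` models a quorum member that has not yet been restarted with the property, which is why the super user worked only on the restarted observer.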
