Return-Path: 
 <user-return-5258-apmail-zookeeper-user-archive=zookeeper.apache.org@zookeeper.apache.org>
X-Original-To: apmail-zookeeper-user-archive@www.apache.org
Delivered-To: apmail-zookeeper-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BFE7CD624
	for <apmail-zookeeper-user-archive@www.apache.org>;
 Mon,  2 Jul 2012 04:53:46 +0000 (UTC)
Received: (qmail 65204 invoked by uid 500); 2 Jul 2012 04:53:45 -0000
Delivered-To: apmail-zookeeper-user-archive@zookeeper.apache.org
Received: (qmail 65131 invoked by uid 500); 2 Jul 2012 04:53:44 -0000
Mailing-List: contact user-help@zookeeper.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@zookeeper.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@zookeeper.apache.org>
List-Post: <mailto:user@zookeeper.apache.org>
List-Id: <user.zookeeper.apache.org>
Reply-To: user@zookeeper.apache.org
Delivered-To: mailing list user@zookeeper.apache.org
Delivered-To: moderator for user@zookeeper.apache.org
Received: (qmail 64835 invoked by uid 99); 1 Jul 2012 10:45:20 -0000
X-ASF-Spam-Status: No, hits=0.0 required=5.0
	tests=FSL_RCVD_USER,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of liwei.sun@baifendian.com
 designates 211.151.57.164 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=baifendian.com;
	 h=content-language:x-mailer:content-transfer-encoding
	:content-type:content-type:mime-version:message-id:date:date
	:subject:subject:in-reply-to:references:to:from:from; s=dkim; t=
	1341139510; x=1342003510; bh=m5zi9Of3pXAVOH2VDz7+hnJgHE/tiLlrTQf
	GvXGk1WU=; b=KAt0Id9fVtgt+NrC8M4/VP+8cvfzDf5btkCvbsHJ6wmFB8yIDsH
	UHfTki0YeWIzoI1ZeKnG5SIQtka7Q3TtZ6UDpAq+Q6bks7UoLt/fztGuRzBet9Fe
	ZK/gYBroZCQ4MBL0klMSoHLNxaxYXMynoHyttIFIU6w5Eeec+bw4cOFM=
From: "Liwei.Sun" <liwei.sun@baifendian.com>
To: "'John Sirois'" <john.sirois@gmail.com>,
	<user@zookeeper.apache.org>
Cc: <user@zookeeper.apache.org>
References: 
 <CAH+_2-kcNb9HB7MuBW1OFbubnMwQPKxdokWTaNwFmiarPHummw@mail.gmail.com>
 <1078565A-639F-4BC6-9C52-66EA92C1CE1D@gmail.com>
In-Reply-To: <1078565A-639F-4BC6-9C52-66EA92C1CE1D@gmail.com>
Subject: =?gb2312?B?tPC4tDogQ2FuJ3QgcmVtb3ZlIGEgem5vZGUgYmVjYXVzZSBvZiBBQw==?=
	=?gb2312?B?TCBpc3N1ZS4=?=
Date: Sun, 1 Jul 2012 18:41:45 +0800
Message-ID: <003a01cd5776$1d96ec40$58c4c4c0$@baifendian.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="gb2312"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGcoAxiJ1HlZjOE8/MDF8UiddyVXgKjkYP5l2CPilA=
Content-Language: zh-cn
X-Virus-Checked: Checked by ClamAV on apache.org

It need to restart the zk server to enable the super user, right? If so, =
it
won't help. Because the zk cluster is serving online. We can't stop and
restart the service.

Here are the things I did according to the document, but it didn't work.
My zk cluster contains 4 machines. I select one of them and change the
zookeeper/bin/zkCli.sh on it. A new line is added like the following =
code:

$JAVA "-Dzookeeper.log.dir=3D${ZOO_LOG_DIR}"
"-Dzookeeper.root.logger=3D${ZOO_LOG4J_PROP}" \
=20
"-Dzookeeper.DigestAuthenticationProvider.superDigest=3D'super:VQ6+KW+63m=
iPakJ
Fh8f+1Gwv62s=3D'" \   // this line is new added
     -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
     org.apache.zookeeper.ZooKeeperMain $@

super:VQ6+KW+63miPakJFh8f+1Gwv62s=3D  is the digest data.
Then I run ./zkCli.sh to connect to the server, and=20
addauth digest super:<password> =20

But I still can't change the ACL of /Apple/Boy znode because of ACL=20
So, I guess I need to restart all the 4 zk servers to make the
zookeeper.DigestAuthenticationProvider.superDigest property taken into
effect.
Am I right?

Liwei

-----=D3=CA=BC=FE=D4=AD=BC=FE-----
=B7=A2=BC=FE=C8=CB: John Sirois [mailto:john.sirois@gmail.com]=20
=B7=A2=CB=CD=CA=B1=BC=E4: 2012=C4=EA6=D4=C229=C8=D5 18:40
=CA=D5=BC=FE=C8=CB: user@zookeeper.apache.org
=B3=AD=CB=CD: user@zookeeper.apache.org; liwei.sun@baifendian.com
=D6=F7=CC=E2: Re: Can't remove a znode because of ACL issue.



Sent from my iPhone

On Jun 29, 2012, at 3:34 AM, sun liwei <sliveysun@gmail.com> wrote:

> I have the following znodes in zk:
>=20
> /Apple/Boy/Cat
>=20
> And the ACL of these three znodes are:
>=20
> /                         world:anyone:cdrwa
> /App                   world:anyone:cdrwa
> /Apple/Boy          world:anyone:cdrwa
> /Apple/Boy/Cat    world:anyone:cdrwa
>=20
> Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> mistake):
>=20
> /                         world:anyone:cdrwa
> /App                   world:anyone:cdrwa
> /Apple/Boy          world:anyone:r
> /Apple/Boy/Cat    world:anyone:cdrwa
>=20
> Now, I have a problem to delete the /Apple/Boy znode. Before=20
> /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but=20
> /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy =
which
is 'r' (readonly).
>=20
> So, is there any way to delete the znode /Apple/Boy or recovery the=20
> its ACL to 'cdrwa'?

You can fabricate super user credentials and then enable the super user =
in
your cluster's configs.  After rolling the cluster you can authenticate =
as
super and then do as you will with any node.  See
http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions=


>=20
> Thanks in advance.
> Liwei