zookeeper-user mailing list archives

From Raúl Gutiérrez Segalés <...@itevenworks.net>
Subject Re: Can not setAcl a znode
Date Mon, 28 Sep 2015 03:23:10 GMT
On 27 September 2015 at 19:37, Tao Xiao <xiaotao.cs.nju@gmail.com> wrote:

> I'm using CDH 5.3, which has ZooKeeper 3.4.5 in it. I configured Kerberos
> for the CDH cluster and later disabled Kerberos because of some problems.
>
> After disabling Kerberos I tried restarting the cluster but the HBase
> Master failed to start. I checked the log and found it reported the
> following exception:
>
> baseZNode=/hbase Unable to get data of znode
>
> /hbase/splitWAL/WALs%2Fhadoop3.com%2C60020%2C1442886930815-splitting%2Fhadoop3.com%252C60020%252C1442886930815.1442886937853.meta
>
>
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode
> = NoAuth for
> /hbase/splitWAL/WALs%2Fhadoop3.com%2C60020%2C1442886930815-splitting%2Fhadoop3.com%252C60020%252C1442886930815.1442886937853.meta
>
>
> I checked the ACL of the znode above using the following command:
>
> getAcl <the-znode-above>
>
>
> The result is:
>
> 'sasl,'hbase
> : cdrwa
>
> I tried to setAcl that znode using the following command:
>
> setAcl  <the-znode-above>   world:anyone:cdrwa
>
> but it failed with the message "Authentication is not valid".
>
>
> So it must be a permission-related problem.
> How can I authenticate myself and then change the permission of that znode
> so that HBase master can get data of it?
> Or how can I remove its current privilege and make it accessible by anyone
> in the world?
>
> Thanks.
>

You can enable the super user (i.e., admin) if you start the servers with
zookeeper.DigestAuthenticationProvider.superDigest, see:

http://zookeeper.apache.org/doc/r3.4.5/zookeeperAdmin.html

Once that's enabled, you can do something like (the example is for
zk-shell: https://github.com/rgs1/zk_shell):

$ zk-shell server:2181
(CONNECTED) /> add_auth digest super:s3cr3t
(CONNECTED) /> set_acls /the/path 'world:anyone:crdwa'


-rgs
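
The superDigest property does not take the cleartext password: ZooKeeper's DigestAuthenticationProvider compares against `user:base64(SHA-1("user:password"))`. The following is an added example, not part of the original message, that computes the server flag for the `super:s3cr3t` credential used in the session above; the function names are illustrative.

```python
import base64
import hashlib
import hmac

PROPERTY = "zookeeper.DigestAuthenticationProvider.superDigest"


def generate_digest(id_password: str) -> str:
    """Python equivalent of DigestAuthenticationProvider.generateDigest:
    'user:password' -> 'user:' + base64(SHA-1('user:password'))."""
    # Split on the first ':' only, so the password itself may contain ':'.
    user, sep, password = id_password.partition(":")
    if not sep or not user or not password:
        raise ValueError("expected 'user:password'")
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def jvm_flag(id_password: str) -> str:
    """System property to pass to the ZooKeeper server JVM at start-up."""
    return f"-D{PROPERTY}={generate_digest(id_password)}"


def matches(configured: str, id_password: str) -> bool:
    """Check that a cleartext credential (as typed into add_auth) corresponds
    to the digest configured on the server. Constant-time comparison."""
    candidate = generate_digest(id_password)
    return hmac.compare_digest(configured.encode("utf-8"),
                               candidate.encode("utf-8"))


if __name__ == "__main__":
    # Credential taken from the zk-shell session above.
    print(jvm_flag("super:s3cr3t"))
```

The stored value is an unsalted SHA-1, so treat the server flag as a secret, use a long random password, and drop the flag once the ACLs have been repaired.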
