zookeeper-user mailing list archives

From Megha Sharma <megha.hitesh.ka...@gmail.com>
Subject Re: Setting acls in Zookeeper
Date Wed, 08 Feb 2017 22:04:58 GMT
Addition to my previous mail.

From the zookeeper doc, I understand that you don't need to provide an id for
the auth scheme, but if you just do
"setAcl /znode auth:crdwa" with zkCli then it complains that auth:crdwa
does not have the form scheme:id:perm. So I have been using the two
approaches where I leave the id part for auth either empty, "setAcl /mesos
auth::cdrwa", or provide the id, "setAcl /mesos auth:zk:cdrwa", so I am not
sure which one correctly translates to ZOO_AUTH_IDS.

Thanks
Megha

From the doc

On Wed, Feb 8, 2017 at 1:35 PM, Megha Sharma <megha.hitesh.kapil@gmail.com>
wrote:

> Thanks Jordan,
> that was very helpful indeed!
> So, setAcl is the only thing that matters in terms of setting acls for
> zookeeper.
>
> My next question is very zkCli specific.
>
> One of the softwares I am running sets acls ZOO_AUTH_IDS +
> ZOO_READ_ACL_UNSAFE programmatically while creating the new znode and I
> have to mimic the auth it sets using zkCli.
>
> That means I have to translate ZOO_AUTH_IDS ((‘auth’,’’), ZOO_AUTH_IDS
> empty identity string should be interpreted as “the identity of the
> creator”.) to scheme:id:perm for zkCli. I tried two different setAcls
>
> 1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you
> don't need pwd)
>
> 2) setAcl /mesos auth::cdrwa
>
> Only the second one gives me ‘auth’,’’ (empty string). Is this how you set
> ZOO_AUTH_IDS with zkCli?
>
> Thanks
> Megha
>
> On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <
> jordan@jordanzimmerman.com> wrote:
>
>> AddAuth sets the authorization value for the current connection. It's the
>> client-side portion of the ACL spec. What you want is "setAcl".
>>
>>         setAcl [-s] [-v version] path acl
>>
>> -Jordan
>>
>> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <megha.hitesh.kapil@gmail.com> wrote:
>> >
>> > Thanks Jordan
>> > That was my understanding as well, wanted to make sure that setting acls
>> > doesn't need zkServer restart. The way I am setting the acls could be
>> > faulty then, I am trying to set the acl ZOO_AUTH_IDS and
>> > ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
>> > translates to (‘auth’,’’) and empty identity string should be interpreted
>> > as “the identity of the creator”. I have tried both empty identity string
>> > (2) and with credentials (1) with zkCli and I am not sure which is the
>> > correct way of achieving ZOO_AUTH_IDS.
>> >
>> >
>> > 1) addauth digest user:pwd
>> >    setAcl /mesos world:anyone:r,auth::crdwa
>> >
>> > 2) addauth digest user:pwd
>> >    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
>> >
>> > Thanks
>> > Megha
>> >
>> >
>> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <jordan@jordanzimmerman.com> wrote:
>> >
>> >>> I have been trying to set acls with zkCli and it seems like the acls don’t
>> >>> take effect until all the zkServers are restarted. Do the acls need
>> >>> zkServer restart?
>> >>
>> >> No. ACL changes take effect immediately. It's a ZNode modification like
>> >> any other. Do you have an example of the problem?
>> >>
>> >> -Jordan
>>
>>
>
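
The ACL strings tried in this thread, run through a small model of the first-colon/last-colon split that zkCli applies to each `scheme:id:perm` entry. This is an added example, not code from the thread or from ZooKeeper; `parse_acls`, `PERM_BITS` and `THREAD_ACLS` are hypothetical names, and it covers only client-side parsing, not what the server stores.

```python
# Added example: a model of zkCli's per-entry ACL split, not ZooKeeper code.
# Names (parse_acls, PERM_BITS, THREAD_ACLS) are hypothetical.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # READ, WRITE, CREATE, DELETE, ADMIN

# ACL arguments quoted in the thread above.
THREAD_ACLS = [
    "auth:crdwa",
    "auth::cdrwa",
    "auth:zk:cdrwa",
    "world:anyone:r,auth::crdwa",
    "world:anyone:r,auth:user:pwd:cdrwa",
]


def parse_acls(acl_string):
    """Return (parsed, rejected); parsed holds (scheme, id, perms) tuples."""
    parsed, rejected = [], []
    for entry in acl_string.split(","):
        first, last = entry.find(":"), entry.rfind(":")
        # Fewer than two colons is the "does not have the form
        # scheme:id:perm" case reported in the thread.
        if first == -1 or first == last:
            rejected.append(entry)
            continue
        scheme = entry[:first]
        ident = entry[first + 1:last]  # may be empty, may itself contain ':'
        perms = 0
        for ch in entry[last + 1:]:
            perms |= PERM_BITS.get(ch, 0)  # unknown letters add no bits here
        parsed.append((scheme, ident, perms))
    return parsed, rejected


if __name__ == "__main__":
    for acl in THREAD_ACLS:
        parsed, rejected = parse_acls(acl)
        print(f"{acl!r}: parsed={parsed} rejected={rejected}")
```

Of the forms tried, only an empty id (`auth::cdrwa`) leaves the client holding the pair (`auth`, empty string); `auth:user:pwd:cdrwa` is read as id `user:pwd` because everything between the first and last colon is taken as the id.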
