zookeeper-user mailing list archives

From Megha Sharma <megha.hitesh.ka...@gmail.com>
Subject Re: Setting acls in Zookeeper
Date Wed, 08 Feb 2017 21:35:47 GMT
Thanks Jordan,
that was very helpful indeed!
So, setAcl is the only thing that matters in terms of setting acls for
zookeeper.

My next question is very zkCli specific.

One of the pieces of software I am running sets acls ZOO_AUTH_IDS +
ZOO_READ_ACL_UNSAFE programmatically while creating the new znode and I
have to mimic the auth it sets using zkCli.

That means I have to translate ZOO_AUTH_IDS ((‘auth’,’’), ZOO_AUTH_IDS
empty identity string should be interpreted as “the identity of the
creator”.) to scheme:id:perm for zkCli. I tried two different setAcls

1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you
don't need pwd)

2) setAcl /mesos auth::cdrwa

Only the second one gives me ‘auth’,’’ (empty string). Is this how you set
ZOO_AUTH_IDS with zkCli?

Thanks
Megha

On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <
jordan@jordanzimmerman.com> wrote:

> AddAuth sets the authorization value for the current connection. It's the
> client-side portion of the ACL spec. What you want is "setAcl".
>
>         setAcl [-s] [-v version] path acl
>
> -Jordan
>
> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <megha.hitesh.kapil@gmail.com>
> wrote:
> >
> > Thanks Jordan
> > That was my understanding as well, wanted to make sure that setting acls
> > doesn't need zkServer restart. The way I am setting the acls could be
> > faulty then, I am trying to set the acl ZOO_AUTH_IDS and
> > ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
> > translates to (‘auth’,’’) and empty identity string should be interpreted
> > as “the identity of the creator”. I have tried both empty identity string
> > (2) and with credentials (1) with zkCli and I am not sure which is the
> > correct way of achieving ZOO_AUTH_IDS.
> >
> >
> > 1) addauth digest user:pwd
> >    setAcl /mesos world:anyone:r,auth::crdwa
> >
> > 2) addauth digest user:pwd
> >    setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
> >
> > Thanks
> > Megha
> >
> >
> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <
> jordan@jordanzimmerman.com
> >> wrote:
> >
> >>> I have been trying to set acls with zkCli and it seems like the acls
> >> don’t
> >>> take effect until all the zkServers are restarted. Do the acls need
> >>> zkServer restart?
> >>
> >> No. ACL changes take effect immediately. It's a ZNode modification like
> >> any other. Do you have an example of the problem?
> >>
> >> -Jordan
>
>
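
Added example, not part of the thread and not ZooKeeper's own code: a small Python model of how a zkCli `scheme:id:perm` string breaks down, applied to the ACL strings quoted above and compared with ZOO_AUTH_IDS + ZOO_READ_ACL_UNSAFE. It assumes each entry is split at its first and last colon; the function names are hypothetical.

```python
# Added illustration: models the scheme:id:perm strings typed into zkCli.
# Assumption: each comma-separated entry is split at its first and last colon.

# Permission bits as defined by ZooKeeper (ZOO_PERM_* / ZooDefs.Perms).
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}

# The two C-client constants named in the thread.
ZOO_AUTH_IDS = ("auth", "")                                  # (scheme, id)
ZOO_READ_ACL_UNSAFE = [("world", "anyone", PERM_BITS["r"])]  # (scheme, id, perms)


def parse_perms(text):
    """Turn a letter string such as 'cdrwa' into a permission bitmask."""
    mask = 0
    for letter in text:
        if letter not in PERM_BITS:
            raise ValueError(f"unknown permission letter {letter!r}")
        mask |= PERM_BITS[letter]
    return mask


def parse_acl(acl_string):
    """Parse 'scheme:id:perm[,...]' into a list of (scheme, id, mask) tuples."""
    entries = []
    for item in acl_string.split(","):
        first, last = item.find(":"), item.rfind(":")
        if first == -1 or first == last:
            raise ValueError(f"{item!r} does not have the form scheme:id:perm")
        entries.append(
            (item[:first], item[first + 1:last], parse_perms(item[last + 1:]))
        )
    return entries


def matches_auth_ids_plus_read_unsafe(acl_string):
    """True if the string is exactly ZOO_READ_ACL_UNSAFE plus an ('auth', '') entry."""
    entries = parse_acl(acl_string)
    has_read = all(e in entries for e in ZOO_READ_ACL_UNSAFE)
    has_auth = any((scheme, ident) == ZOO_AUTH_IDS for scheme, ident, _ in entries)
    return has_read and has_auth and len(entries) == 2


if __name__ == "__main__":
    # ACL strings taken from the messages above.
    for s in ("world:anyone:r,auth::crdwa", "world:anyone:r,auth:user:pwd:cdrwa"):
        print(s, "->", parse_acl(s), matches_auth_ids_plus_read_unsafe(s))
```

Under this model the letter order in the permission field does not matter, and everything between the first and last colon, including any embedded colon, ends up in the id field.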
