zookeeper-user mailing list archives

From Jordan Zimmerman <jor...@jordanzimmerman.com>
Subject Re: Zookeeper 3.5.3 reconfig blocked by ACL
Date Thu, 19 Oct 2017 11:59:13 GMT
FWIW - I've had this PR out for a while that makes this situation a lot easier by adding an
override. I'd love to see this merged:

https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-2779

-Jordan

> On Oct 18, 2017, at 2:29 AM, Michael Han <hanm@apache.org> wrote:
> 
>>> The way this is set up it seems only a superuser enabled cluster can use
>>> the reconfig command.
> 
> You can also configure the ACL associated with the "/config" znode so your
> chosen users have permission to both read and write the config znode, after
> they are authenticated (using your favorite authentication scheme built in
> ZK, such as SASL). This way you don't have to operate under the credential
> of superuser. By default, in 3.5.3 beta the "/config" znode is read only,
> which effectively disables the reconfig API except for the superuser, who is
> not subject to ACL checks.
> 
> On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <shralex@gmail.com> wrote:
> 
>> Hi,
>> 
>> Please look for "sc_reconfig_access_control"
>> Here:
>> https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html
>> 
>> Thanks,
>> Alex
>> 
>> On Tue, Oct 17, 2017 at 3:18 AM, oo4load <c.turksema@gmail.com> wrote:
>> 
>>> I have a 3.5.3 cluster where I am trying out the reconfig command. I am
>>> running with reconfigEnabled=true.
>>> When I try reconfig I run into an issue with ACL.
>>> 
>>> [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
>>> Authentication is not valid :
>>> 
>>> The config node is protected:
>>> [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
>>> 'world,'anyone
>>> : r
>>> 
>>> 
>>> The way this is set up it seems only a superuser enabled cluster can use
>>> the
>>> reconfig command. Is that true, or am I missing something ? The
>>> documentation never mentioned it.
>>> 
>>> 
>> 
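
The ACL change Michael Han describes, as an added example that is not part of the original thread or of the ZooKeeper project's code: a one-time run under the superuser credential that grants a single authenticated user read and write on "/zookeeper/config". The SASL principal "reconfig-operator" and the ZK_SUPER_AUTH environment variable are hypothetical, and the servers are assumed to have a superuser digest configured.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

public class GrantReconfigAcl {
    private static final String CONFIG_ZNODE = "/zookeeper/config";

    public static void main(String[] args) throws Exception {
        // Assumption: ZK_SUPER_AUTH holds "super:<password>" matching the servers'
        // configured superuser digest. It is read from the environment, not hard-coded.
        String superAuth = System.getenv("ZK_SUPER_AUTH");
        if (superAuth == null) throw new IllegalStateException("ZK_SUPER_AUTH not set");
        Id operator = new Id("sasl", "reconfig-operator"); // hypothetical principal
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper("localhost:2181", 15000, event -> {
            if (event.getState() == KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        try {
            connected.await();
            zk.addAuthInfo("digest", superAuth.getBytes(StandardCharsets.UTF_8));
            // Read the ACL with its version so a concurrent change makes setACL fail
            // with a version error instead of being silently overwritten.
            Stat stat = new Stat();
            List<ACL> acl = new ArrayList<>(zk.getACL(CONFIG_ZNODE, stat));

            // Least privilege: READ and WRITE only. Without ADMIN the operator can
            // run reconfig but cannot change the ACL on the config znode.
            ACL grant = new ACL(ZooDefs.Perms.READ | ZooDefs.Perms.WRITE, operator);
            if (!acl.contains(grant)) {
                acl.add(grant);
                zk.setACL(CONFIG_ZNODE, acl, stat.getAversion());
            }
            for (ACL e : zk.getACL(CONFIG_ZNODE, new Stat())) {
                System.out.println(e.getId().getScheme() + ":" + e.getId().getId() + " perms=" + e.getPerms());
            }
        } finally {
            zk.close();
        }
    }
}
```

The existing world:anyone read entry is kept, so only the write capability is newly delegated.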

