zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Han <h...@apache.org>
Subject Re: Zookeeper 3.5.3 reconfig blocked by ACL
Date Wed, 18 Oct 2017 00:29:12 GMT
>> The way this is set up it seems only a superuser enabled cluster can use
the reconfig command.

You can also configure the ACL associated with the "/config" znode so your
chosen users have permission to both read and write the config znode, after
they are authenticated (using your favorite authentication scheme built in
ZK, such as SASL). This way you don't have to operate under the credential
of superuser. By default, in 3.5.3 beta the "/config" znode is read only,
which effectively disables reconfig API except for superuser who does not
subject to ACL check.

On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <shralex@gmail.com> wrote:

> Hi,
>
> Please look for "sc_reconfig_access_control"
> Here:
> https://github.com/apache/zookeeper/blob/master/docs/
> zookeeperReconfig.html
>
> Thanks,
> Alex
>
> On Tue, Oct 17, 2017 at 3:18 AM, oo4load <c.turksema@gmail.com> wrote:
>
> > I have a 3.5.3 cluster where I am trying out the reconfig command. I am
> > running with reconfigEnabled=true.
> > When I try reconfig I run into an issue with ACL.
> >
> > [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
> > Authentication is not valid :
> >
> > The config node is protected:
> > [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
> > 'world,'anyone
> > : r
> >
> >
> > The way this is set up it seems only a superuser enabled cluster can use
> > the
> > reconfig command. Is that true, or am I missing something ? The
> > documentation never mentioned it.
> >
> >
> >
> >
> > --
> > Sent from: http://zookeeper-user.578899.n2.nabble.com/
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message