zookeeper-user mailing list archives

From Andor Molnar <an...@cloudera.com.INVALID>
Subject Re: Change zookeeper digest password
Date Mon, 03 Sep 2018 14:51:37 GMT
Hi Anthony,

First of all, ACLs relate to the data nodes and are part of the data tree,
so they're replicated across the cluster, so you don't have to set them on
each and every ZK server.

Second, there's no "user database" with the digest auth method, so
authentication info is attached to the node if you set an ACL with the "digest"
scheme. The node can be accessed if the user authenticates itself with the
same auth info which was set when the node was created.

The node ACL is a list, so you can basically do two things: extend the list
with new auth info or overwrite it. Obviously, the latter means that the
"old" user won't be able to access the node anymore. That's kind of
"updating the password".

Remember that ACL checking is not recursive, as described in the docs:
"Note also that an ACL pertains only to a specific znode. In particular it
does not apply to children. For example, if */app* is only readable by
ip:172.16.16.1 and */app/status* is world readable, anyone will be able to
read */app/status*; ACLs are not recursive."

https://zookeeper.apache.org/doc/current/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

Hope that helps.

Regards,
Andor




On Wed, Aug 22, 2018 at 9:11 PM, Anthony Shaya <ashaya@workforcesoftware.com> wrote:

> Hello,
>
> Is there any easy way to change a digest password for a user in zookeeper?
>
>
>   *   If so, will it replicate across a cluster of zookeeper nodes?
>
> If there is no way, am I correct in saying that I will need to reset the
> acl's for every node tied to the user with the new digest password?
>
>
>   *   If I set an acl for a node with same username but different digest
> password, does that overwrite the existing acl for that username?
>   *   If I set an acl for a node while connected to the cluster, do the
> acl's replicate across the cluster? (I assume I will need to do this in
> every zk node in the cluster and there is no replication)
>
> Thanks
>
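
The extend/overwrite choice and the non-recursive behaviour described in the reply, as an added example that is not part of the original message or of ZooKeeper's code. It is an offline model: the digest id format (user:base64(sha1("user:password"))) is the one ZooKeeper's digest scheme uses, while the in-memory tree, the (scheme, id, perms) tuples and all function names are assumptions made for illustration; on a live ensemble each rewritten list would be applied with one setAcl call per znode.

```python
import base64
import hashlib

def digest_id(user, password):
    """ACL id for the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def rotate_acl(acl, user, new_password, keep_old=False):
    """Overwrite the user's digest entry, or (keep_old) extend the list with the new one."""
    out = []
    for scheme, ident, perms in acl:
        mine = scheme == "digest" and ident.split(":", 1)[0] == user
        if not mine or keep_old:
            out.append((scheme, ident, perms))
        if mine:
            entry = ("digest", digest_id(user, new_password), perms)
            if entry not in out:
                out.append(entry)
    return out

def rotate_tree(tree, user, new_password, keep_old=False):
    """ACLs are not recursive: every znode is rewritten on its own. Returns changed paths."""
    changed = []
    for path in sorted(tree):
        new_acl = rotate_acl(tree[path], user, new_password, keep_old)
        if new_acl != tree[path]:
            tree[path] = new_acl
            changed.append(path)
    return changed

def allowed(acl, user, password, perm):
    """Model of the access check: the presented credentials must hash to an ACL id."""
    ident = digest_id(user, password)
    return any(s == "digest" and i == ident and perm in p for s, i, p in acl)

def sample_tree():
    """Constructed sample data: path -> ACL list of (scheme, id, perms)."""
    old = digest_id("anthony", "old-secret")
    return {
        "/app": [("digest", old, "cdrwa")],
        "/app/config": [("digest", old, "rw"), ("digest", digest_id("ops", "x"), "r")],
        "/app/status": [("world", "anyone", "r")],
    }

if __name__ == "__main__":
    tree = sample_tree()
    print("rewritten:", rotate_tree(tree, "anthony", "new-secret"))
    print("old password still works:", allowed(tree["/app"], "anthony", "old-secret", "r"))
```

Running with keep_old=True first and overwriting later gives clients a window in which both passwords are accepted.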
