zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan H <ryan.howell.developm...@gmail.com>
Subject Re: Migrate ZK to ACL ZK
Date Sat, 19 Jan 2019 23:05:51 GMT
Thanks Enrico,

Agreed on Username/Password. Maybe to rephrase my question: if I have an
existing ZK tree that doesn't currently have any kind of Access Control,
can a Username/Password ACL be applied to that existing tree? If so, how
would one go about doing that?

-Ryan H

On Sat, Jan 19, 2019 at 2:25 PM Enrico Olivelli <eolivelli@gmail.com> wrote:

> Hi Ryan,
> I think this should be supported by NiFi, but I don't know that platform.
>
> Username/password is very weak and it is hard to maintain.
>
> Apart from this I think you can write a simple program which scans your ZK
> tree and applies ACL, no need for a new cluster.
>
> Just my 2 cents
>
> Enrico
>
> Il sab 19 gen 2019, 16:35 Ryan H <ryan.howell.development@gmail.com> ha
> scritto:
>
> > Hi All,
> >
> > I am currently using an external 3 machine Zookeeper (3.4.10) to manage
> > multiple NiFi Clusters (NiFi 1.5). I would like to put in ACL for each of
> > the existing NiFi clusters with username/password that is unique to each
> of
> > the NiFi clusters as it is currently wide open. The docs say that
> Kerberos
> > is the recommended method for securing ZK, but for now going to go with
> > User/Password.
> >
> > I'm looking for the best way to do this. My initial thought was to spin
> up
> > a new ZK cluster, then use the migration tool to migrate each of the root
> > nodes to the new cluster, adding the username/password as each root is
> > migrated. Is there a better way to do this? I'm wondering if a new ZK
> > cluster is needed or not and whether the same thing can just be done on
> the
> > existing ZK cluster. Can the Username/Password ACL info just be applied
> to
> > the existing roots (just add the ACL info to the NiFi configuration) and
> > then that's it?
> >
> > Any direction or suggestions is appreciated!!
> >
> >
> > Cheers,
> >
> > Ryan H
> >
> --
>
>
> -- Enrico Olivelli
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message