zookeeper-user mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: Migrate ZK to ACL ZK
Date Sun, 20 Jan 2019 20:42:32 GMT
On Sun, 20 Jan 2019, 00:06 Ryan H <ryan.howell.development@gmail.com> wrote:

> Thanks Enrico,
>
> Agreed on Username/Password. Maybe to rephrase my question: if I have an
> existing ZK tree that doesn't currently have any kind of Access Control,
> can a Username/Password ACL be applied to that existing tree? If so, how
> would one go about doing that?
>

I would do it this way (not tested):
- reboot all clients with authentication enabled and check in the logs that
all is okay
- configure NiFi to apply ACL on new znodes
- bulk change the ACL of every znode with the ACL you want

It depends on NiFi because you should have at least two features:
- enable auth on the ZK client
- every time NiFi creates a znode in ZK it sets correct ACLs


Enrico



> -Ryan H
>
> On Sat, Jan 19, 2019 at 2:25 PM Enrico Olivelli <eolivelli@gmail.com>
> wrote:
>
> > Hi Ryan,
> > I think this should be supported by NiFi, but I don't know that platform.
> >
> > Username/password is very weak and it is hard to maintain.
> >
> > Apart from this I think you can write a simple program which scans your
> > ZK tree and applies ACL, no need for a new cluster.
> >
> > Just my 2 cents
> >
> > Enrico
> >
> > On Sat, 19 Jan 2019, 16:35 Ryan H <ryan.howell.development@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > I am currently using an external 3 machine Zookeeper (3.4.10) to manage
> > > multiple NiFi Clusters (NiFi 1.5). I would like to put in ACL for each
> > > of the existing NiFi clusters with username/password that is unique to
> > > each of the NiFi clusters as it is currently wide open. The docs say
> > > that Kerberos is the recommended method for securing ZK, but for now
> > > going to go with User/Password.
> > >
> > > I'm looking for the best way to do this. My initial thought was to spin
> > > up a new ZK cluster, then use the migration tool to migrate each of the
> > > root nodes to the new cluster, adding the username/password as each root
> > > is migrated. Is there a better way to do this? I'm wondering if a new ZK
> > > cluster is needed or not and whether the same thing can just be done on
> > > the existing ZK cluster. Can the Username/Password ACL info just be
> > > applied to the existing roots (just add the ACL info to the NiFi
> > > configuration) and then that's it?
> > >
> > > Any direction or suggestions is appreciated!!
> > >
> > >
> > > Cheers,
> > >
> > > Ryan H
> > >
> > --
> >
> >
> > -- Enrico Olivelli
> >
>
-- 


-- Enrico Olivelli
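
The "simple program which scans your ZK tree and applies ACL" suggested in this thread could look like the following sketch, which is an added example and not code from the thread or from the ZooKeeper or NiFi projects. It assumes a client object exposing `get_children(path)` and `set_acls(path, acls)` (the method names kazoo's `KazooClient` uses); `FakeZk`, the sample tree, the `nifi-a` user and its password are constructed so the walk runs offline.

```python
import base64
import hashlib

def digest_id(user, password):
    """Id stored in a digest ACL: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def apply_acls(zk, root, acls, gone=(LookupError,), dry_run=True):
    """Set `acls` on root and every descendant; ACLs are per znode, not inherited.

    `gone` lists the exceptions meaning "znode vanished" (with kazoo:
    NoNodeError), which is expected for ephemeral nodes on a live tree.
    """
    done, skipped, stack = [], [], [root]
    while stack:
        path = stack.pop()
        if path == "/zookeeper" or path.startswith("/zookeeper/"):
            continue  # ZooKeeper's own bookkeeping subtree is left alone
        try:
            kids = zk.get_children(path)  # list children before locking the node
            if not dry_run:
                zk.set_acls(path, acls)
        except gone:
            skipped.append(path)
            continue
        done.append(path)
        stack.extend(path.rstrip("/") + "/" + k for k in kids)
    return sorted(done), sorted(skipped)

class FakeZk:
    """Constructed in-memory stand-in for a client, so the walk runs offline."""
    def __init__(self, tree):
        self.tree, self.acls = tree, {}
    def get_children(self, path):
        return self.tree[path]  # KeyError (a LookupError) if the znode is missing
    def set_acls(self, path, acls):
        self.tree[path]         # same failure for a vanished znode
        self.acls[path] = acls

# Constructed sample tree: one NiFi root with one listed child already gone.
SAMPLE = {"/": ["zookeeper", "nifi-a"], "/zookeeper": ["quota"],
          "/zookeeper/quota": [], "/nifi-a": ["leaders", "gone"],
          "/nifi-a/leaders": []}
# Constructed ACL tuple (scheme, id, permissions); a real client has its own ACL type.
ACL = [("digest", digest_id("nifi-a", "example-password"), "cdrwa")]

if __name__ == "__main__":
    print(apply_acls(FakeZk(SAMPLE), "/nifi-a", ACL, dry_run=True))
```

Against a real ensemble with kazoo, the client would first call `add_auth("digest", "user:password")` and build the ACL list with `kazoo.security.make_digest_acl(user, password, all=True)`. Run it with `dry_run=True` first and review the returned paths.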
