zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stevo Slavić <ssla...@gmail.com>
Subject Re: Multiple credentials associated with same principal?
Date Thu, 02 Feb 2017 18:02:19 GMT
Hello Patrick,

Thanks for reply! That feature would be appreciated, but it's not what I
had in mind, it would not be sufficient.

I need a way to change credentials without ZK client or cluster downtime,
ideally with no ACL changes. Option of configuring two valid passwords for
same user would help - then I could along with old password configure new
one, roll ZK cluster with new settings, and then gradually roll out new
credentials to all different clients, later remove old expired password.

In one ZK client app, both zkclient and curator client libraries are being
used to access two different ZK subtrees. I managed to configure each
client to set ACLs appropriate for each subtree, but I couldn't find way
yet to configure each client with different user, with sasl scheme. So had
to fallback to single user. Still ACLs are different in the two subtrees.
One subtree allows world to read, and creator all permissions. Other
subtree just allows creator all permissions. It would help with credentials
expiration if I could instead of (creator, all permissions) ACLs, set (any
authenticated user, all permissions) ACL, while still keeping ACL for first
subtree that world can read it. If it was possible, I'd expire not only
password but replace it with new user, and no changes to ACLs would be

Thinking again, even if it was possible to set such ACL (any authenticated
user, all permissions) in ZK nodes, it wouldn't help me now, since I cannot
configure it to all clients managing nodes in subtree, some have ACLs that
they set hardcoded, would have to fork large OSS project which is not
really an option, and making ACL configurable in that OSS project would
take some time.

Kind regards,
Stevo Slavic.

On Thu, Feb 2, 2017 at 4:39 PM, Patrick Hunt <phunt@apache.org> wrote:

Hi Stevo, you might be talking about one of the following variants? (see
the jiras linked to from this jira)


On Thu, Feb 2, 2017 at 4:38 AM, Stevo Slavić <sslavic@gmail.com> wrote:

> Alternatively, is it possible to set ACL that would grant given
> to any successfully authenticated user?
> On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <sslavic@gmail.com> wrote:
> > Hello Apache ZooKeeper community,
> >
> > Is it valid in JAAS config file to associate more than one password per
> > user, and if so, will ZooKeeper server authenticate user correctly if
> > provided password matches any of the configured ones?
> >
> > Kind regards,
> > Stevo Slavic.
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message