From: Andor Molnar
Date: Mon, 3 Sep 2018 16:51:37 +0200
Subject: Re: Change zookeeper digest password
To: user@zookeeper.apache.org

Hi Anthony,

First of all, ACLs relate to the data nodes and are part of the data tree, so they're replicated across the cluster, so you don't have to set them on each and every ZK server.
Second, there's no "user database" with the digest auth method, so authentication info is attached to the node if you set an ACL with the "digest" scheme. The node can be accessed if the user authenticates itself with the same auth info which was set when the node was created.

The node ACL is a list, so you can basically do two things: extend the list with new auth info or overwrite it. Obviously, the latter means that the "old" user won't be able to access the node anymore. That's kind of "updating the password".

Remember that ACL checking is not recursive, as described in the docs:

"Note also that an ACL pertains only to a specific znode. In particular it does not apply to children. For example, if */app* is only readable by ip:172.16.16.1 and */app/status* is world readable, anyone will be able to read */app/status*; ACLs are not recursive."

https://zookeeper.apache.org/doc/current/zookeeperProgrammers.html#sc_ZooKeeperAccessControl

Hope that helps.

Regards,
Andor

On Wed, Aug 22, 2018 at 9:11 PM, Anthony Shaya wrote:

> Hello,
>
> Is there any easy way to change a digest password for a user in zookeeper?
>
> * If so, will it replicate across a cluster of zookeeper nodes?
>
> If there is no way, am I correct in saying that I will need to reset the
> ACLs for every node tied to the user with the new digest password?
>
> * If I set an ACL for a node with the same username but a different digest
>   password, does that overwrite the existing ACL for that username?
> * If I set an ACL for a node while connected to the cluster, do the
>   ACLs replicate across the cluster? (I assume I will need to do this in
>   every zk node in the cluster and there is no replication)
>
> Thanks
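
The following is an added example, not part of the original thread and not ZooKeeper code. It models the "extend or overwrite" rotation described in the reply on a constructed in-memory tree, using the digest scheme's ACL id format `user:base64(sha1("user:password"))`. The tree, the user `app`, the passwords and the helper names are all assumptions; against a live ensemble each rewritten list would be applied with one `setAcl` call per znode.

```python
import base64
import hashlib

def digest_id(user, password):
    """ACL id for the digest scheme: user:base64(sha1('user:password'))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def sample_tree():
    """Constructed sample: znode path -> ACL list of (scheme, id, perms)."""
    old = digest_id("app", "old-secret")
    return {
        "/app": [("digest", old, "cdrwa")],
        "/app/config": [("digest", old, "cdrwa")],
        "/app/status": [("world", "anyone", "r")],
    }

def can_access(tree, path, user, password, perm):
    """Evaluate only the ACL on `path` itself; parent ACLs are never consulted."""
    ident = digest_id(user, password)
    for scheme, acl_id, perms in tree[path]:
        if perm not in perms:
            continue
        if scheme == "world" or (scheme == "digest" and acl_id == ident):
            return True
    return False

def rotate(tree, user, old_pw, new_pw, keep_old=False):
    """Rewrite each znode ACL holding the old digest id; return the paths touched.

    keep_old=True extends the list (both passwords work during a transition),
    keep_old=False overwrites the entry (the old password stops working).
    ACLs are not inherited, so every affected znode is rewritten individually.
    """
    old_id, new_id = digest_id(user, old_pw), digest_id(user, new_pw)
    touched = []
    for path, acl in tree.items():
        if ("digest", old_id) not in [(s, i) for s, i, _ in acl]:
            continue
        updated = []
        for scheme, acl_id, perms in acl:
            if (scheme, acl_id) == ("digest", old_id):
                updated.append((scheme, new_id, perms))
                if not keep_old:
                    continue
            updated.append((scheme, acl_id, perms))
        tree[path] = updated
        touched.append(path)
    return touched
```

A znode missed by the walk keeps the old digest id and therefore still accepts the old password, so the returned path list is worth comparing against the full set of znodes the user is expected to own.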