10/20/14

ZooKeeper ACLs

Checked with ZooKeeper 3.4.6.

Useful zkCli snippets:

  1. anonymous access to a node:
    2. setAcl /test/test01 world:anyone:crdwa
  2. username/password access to a node (test/test)
    3. setAcl /test/test01 digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda
  3. username/password access to a node, read for everyone
    4. setAcl /test/test01 world:anyone:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda
  4. username/password access to a node, read for another username/password
    5. setAcl /test/test01 digest:testa:yDww3vDTFt2Vn+04UEvCSRsOLbU=:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda

How to get the password hash

The password can be generated with one of ZooKeeper classes. The following zkPasswd.sh will help: 
#!/usr/bin/env bash

ZOOBIN="${BASH_SOURCE-$0}"
ZOOBIN="$(dirname "${ZOOBIN}")"
ZOOBINDIR="$(cd "${ZOOBIN}"; pwd)"

if [ -e "$ZOOBIN/../libexec/zkEnv.sh" ]; then
  . "$ZOOBINDIR"/../libexec/zkEnv.sh
else
  . "$ZOOBINDIR"/zkEnv.sh
fi

"$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
     -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
     org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
Usage: 
> ./zkPasswd.sh test:test
test:test->test:V28q/NynI4JI3Rk54h0r8O5kMug=
Password hashes are generated for username:password pair - if you change the username and keep the password, you need to regenerate the hash. Hash for test:test will be different than for test1:test.
Posted by at No comments:
Labels: , , , ,
Subscribe to: Comments (Atom)