10/20/14

ZooKeeper ACLs

Checked with ZooKeeper 3.4.6.

Useful zkCli snippets:

  1. Anonymous access to a node:
       setAcl /test/test01 world:anyone:crdwa

  2. Username/password access to a node (test/test):
       setAcl /test/test01 digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda

  3. Username/password access to a node, read for everyone:
       setAcl /test/test01 world:anyone:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda

  4. Username/password access to a node, read for another username/password:
       setAcl /test/test01 digest:testa:yDww3vDTFt2Vn+04UEvCSRsOLbU=:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda

How to get the password hash

The password hash can be generated with one of ZooKeeper's classes. The following zkPasswd.sh will help:

#!/usr/bin/env bash
# Prints username:password->username:hash for each username:password argument.

ZOOBIN="${BASH_SOURCE-$0}"
ZOOBIN="$(dirname "${ZOOBIN}")"
ZOOBINDIR="$(cd "${ZOOBIN}"; pwd)"

if [ -e "$ZOOBIN/../libexec/zkEnv.sh" ]; then
  . "$ZOOBINDIR"/../libexec/zkEnv.sh
else
  . "$ZOOBINDIR"/zkEnv.sh
fi

"$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
     -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
     org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"

Usage:

> ./zkPasswd.sh test:test
test:test->test:V28q/NynI4JI3Rk54h0r8O5kMug=

Password hashes are generated from the username:password pair, so if you change the username and keep the password, you need to regenerate the hash. The hash for test:test will be different from the one for test1:test.
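
The digest scheme stores base64(SHA-1("username:password")), with no salt other than the username. The following Python sketch is an added example, not part of the original post or of ZooKeeper itself: it reproduces the hash without a JVM and checks a setAcl argument for world:anyone entries that grant more than read. The function names zk_digest, parse_acl and audit_acl are hypothetical.

```python
import base64
import hashlib

VALID_PERMS = set("crwda")  # create, read, write, delete, admin


def zk_digest(username, password):
    """Return 'username:base64(sha1(username:password))' as used in digest ACLs."""
    raw = f"{username}:{password}".encode("utf-8")
    hashed = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{username}:{hashed}"


def parse_acl(acl):
    """Split a setAcl argument into (scheme, id, perms) tuples."""
    entries = []
    for item in acl.split(","):
        scheme, rest = item.split(":", 1)
        ident, perms = rest.rsplit(":", 1)  # a digest id itself contains ':'
        if not perms or set(perms) - VALID_PERMS:
            raise ValueError(f"invalid permissions in {item!r}")
        entries.append((scheme, ident, perms))
    return entries


def audit_acl(acl):
    """Return findings for entries that give everyone more than read access."""
    findings = []
    for scheme, ident, perms in parse_acl(acl):
        extra = set(perms) - {"r"}
        if (scheme, ident) == ("world", "anyone") and extra:
            findings.append(f"world:anyone holds {''.join(sorted(extra))}")
    return findings


if __name__ == "__main__":
    owner = zk_digest("test", "test")  # the test/test credentials from this page
    print(owner)
    # ACL strings taken from snippets 1 and 3 above
    for acl in ("world:anyone:crdwa", f"world:anyone:r,digest:{owner}:crwda"):
        print(acl, "->", audit_acl(acl) or "ok")
```

Because the stored value is an unsalted SHA-1, anyone who can read a node's ACL with getAcl can test password guesses offline, so digest passwords should be long and random.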