ZooKeeper ACLs

Checked with ZooKeeper 3.4.6.

Useful zkCli snippets:

  1. anonymous access to a node:
  2. setAcl /test/test01 world:anyone:crdwa
  3. username/password access to a node (test/test)
  4. setAcl /test/test01 digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda
  5. username/password access to a node, read for everyone
  6. setAcl /test/test01 world:anyone:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda
  7. username/password access to a node, read for another username/password
  8. setAcl /test/test01 digest:testa:yDww3vDTFt2Vn+04UEvCSRsOLbU=:r,digest:test:V28q/NynI4JI3Rk54h0r8O5kMug=:crwda

How to get the password hash

The password can be generated with one of ZooKeeper classes. The following zkPasswd.sh will help:
#!/usr/bin/env bash

ZOOBIN="$(dirname "${ZOOBIN}")"
ZOOBINDIR="$(cd "${ZOOBIN}"; pwd)"

if [ -e "$ZOOBIN/../libexec/zkEnv.sh" ]; then
  . "$ZOOBINDIR"/../libexec/zkEnv.sh
  . "$ZOOBINDIR"/zkEnv.sh

"$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
     org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
> ./zkPasswd.sh test:test
Password hashes are generated for username:password pair - if you change the username and keep the password, you need to regenerate the hash. Hash for test:test will be different than for test1:test.

No comments:

Post a Comment