Getting Authentication Not valid while running reconfig Command

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Getting Authentication Not valid while running reconfig Command

harish lohar
I am connecting from ./zkCli.sh and trying to add an server to zookeeper
ensemble

I see i am authenticated on prompt



2018-03-01 11:21:41,716 [myid:localhost:2181] - INFO
[main-SendThread(localhost:2181):ZooKeeperSaslClient@274] - Client will use
DIGEST-MD5 as SASL mechanism.
2018-03-01 11:21:41,770 [myid:localhost:2181] - INFO
[main-SendThread(localhost:2181):ClientCnxn$SendThread@1113] - Opening
socket connection to server localhost/127.0.0.1:2181. Will attempt to
SASL-authenticate using Login Context section 'Client'
WatchedEvent state:SaslAuthenticated type:None path:null

Even Set ACL doesnt work

[zk: localhost:2181(CONNECTED) 1] setAcl /zookeeper/config
world:anyone:cdrwa
Authentication is not valid : /zookeeper/config

same issue happens with "reconfig" command as well.

I am using zookeeper-3.5.3-beta release

Appreciate your quick response.

Thanks
harish
Reply | Threaded
Open this post in threaded view
|

Re: Getting Authentication Not valid while running reconfig Command

bmugs
Hi,

We were also facing the same issue, this is how we resolved it:

Before starting the ZK server, add the following to zkServer.sh -
"-Dzookeeper.skipACL=yes"

This will skip the ACL authentication and you will be able to use reconfig
command.
Albeit this comes with a risk as you removes all authentication.

Hope this helps!




--
Sent from: http://zookeeper-user.578899.n2.nabble.com/
Reply | Threaded
Open this post in threaded view
|

Re: Getting Authentication Not valid while running reconfig Command

hanm.apache.org
Please check out the reconfig release document for 3.5.3 beta, in
particular section "Access Control":
https://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperReconfig.html

*"The dynamic configuration is stored in a special znode
ZooDefs.CONFIG_NODE = /zookeeper/config. This node by default is read only
for all users, except super user and users that's explicitly configured for
write access.*

*Clients that need to use reconfig commands or reconfig API should be
configured as users that have write access to CONFIG_NODE. By default, only
the super user has full control including write access to CONFIG_NODE.
Additional users can be granted write access through superuser by setting
an ACL that has write permission associated with specified user.*
*A few examples of how to setup ACLs and use reconfiguration API with
authentication can be found in ReconfigExceptionTest.java and
TestReconfigServer.cc."*

This is the recommended approach. The "skipACL" approach is not recommended
to use from a security perspective unless you don't care about access
control and also running ensembles in a trusted environment.

On Wed, Oct 31, 2018 at 12:00 PM bmugs <[hidden email]> wrote:

> Hi,
>
> We were also facing the same issue, this is how we resolved it:
>
> Before starting the ZK server, add the following to zkServer.sh -
> "-Dzookeeper.skipACL=yes"
>
> This will skip the ACL authentication and you will be able to use reconfig
> command.
> Albeit this comes with a risk as you removes all authentication.
>
> Hope this helps!
>
>
>
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>