Zookeeper 3.5.3 reconfig blocked by ACL

oo4load
I have a 3.5.3 cluster where I am trying out the reconfig command. I am
running with reconfigEnabled=true.
When I try reconfig I run into an issue with ACL.

[zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
Authentication is not valid :

The config node is protected:
[zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
'world,'anyone
: r


The way this is set up it seems only a superuser enabled cluster can use the
reconfig command. Is that true, or am I missing something ? The
documentation never mentioned it.





Re: Zookeeper 3.5.3 reconfig blocked by ACL

Alexander Shraer-2
Hi,

Please look for "sc_reconfig_access_control"
Here:
https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html

Thanks,
Alex

On Tue, Oct 17, 2017 at 3:18 AM, oo4load <[hidden email]> wrote:

> I have a 3.5.3 cluster where I am trying out the reconfig command. I am
> running with reconfigEnabled=true.
> When I try reconfig I run into an issue with ACL.
>
> [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2
> Authentication is not valid :
>
> The config node is protected:
> [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config
> 'world,'anyone
> : r
>
>
> The way this is set up it seems only a superuser enabled cluster can use
> the
> reconfig command. Is that true, or am I missing something ? The
> documentation never mentioned it.
>
>
>
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
>

Re: Zookeeper 3.5.3 reconfig blocked by ACL

hanm.apache.org
>> The way this is set up it seems only a superuser enabled cluster can use the reconfig command.

You can also configure the ACL associated with the "/config" znode so your
chosen users have permission to both read and write the config znode, after
they are authenticated (using your favorite authentication scheme built into
ZK, such as SASL). This way you don't have to operate under the credentials
of the superuser. By default, in 3.5.3 beta the "/config" znode is read only,
which effectively disables the reconfig API except for the superuser, who is
not subject to the ACL check.

On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <[hidden email]> wrote:

> Hi,
>
> Please look for "sc_reconfig_access_control"
> Here:
> https://github.com/apache/zookeeper/blob/master/docs/zookeeperReconfig.html
>
> Thanks,
> Alex
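The ACL change described in the reply above, as an added example that is not part of the thread or of the ZooKeeper project: it builds a digest-scheme ACL id, emits the matching zkCli `setAcl` line for the config znode, and audits `getAcl` output in the layout quoted in the original post. The digest scheme (the reply names SASL as one option), the user name, the password and all helper names are assumptions made for illustration.

```python
import base64
import hashlib
import re

CONFIG_ZNODE = "/zookeeper/config"  # path from the getAcl call in the original post

def digest_id(user, password):
    """ACL id for ZooKeeper's digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def setacl_command(admin_id):
    """zkCli line that keeps world read-only and grants read+write to one digest id."""
    return f"setAcl {CONFIG_ZNODE} world:anyone:r,digest:{admin_id}:rw"

def parse_getacl(output):
    """Parse zkCli getAcl output in the layout quoted in the thread."""
    pairs = re.findall(r"'(\w+),'(\S+)\s*\n\s*:\s*([cdrwa]+)", output)
    return {f"{scheme}:{ident}": set(perms) for scheme, ident, perms in pairs}

def audit(acl, admin_id):
    """Return findings for a config-znode ACL; an empty list means it matches the intent."""
    findings = []
    # Anyone being able to create/delete/write/admin here could alter the ensemble.
    if acl.get("world:anyone", set()) & set("cdwa"):
        findings.append("world:anyone can modify the config znode")
    # The reply asks for both read and write for the chosen user.
    missing = set("rw") - acl.get(f"digest:{admin_id}", set())
    if missing:
        findings.append(f"digest:{admin_id} lacks {''.join(sorted(missing))}")
    return findings

# Constructed sample values: the user name and password are placeholders.
ADMIN = digest_id("reconfig-admin", "example-password")
DEFAULT_ACL = "'world,'anyone\n: r\n"  # as shown in the original post
FIXED_ACL = f"'world,'anyone\n: r\n'digest,'{ADMIN}\n: rw\n"  # constructed

if __name__ == "__main__":
    print(setacl_command(ADMIN))
    print(audit(parse_getacl(DEFAULT_ACL), ADMIN))
    print(audit(parse_getacl(FIXED_ACL), ADMIN))
```

With the default read-only ACL, the generated `setAcl` line has to be issued from a session authenticated as the superuser, since the thread notes that only the superuser bypasses the ACL check. The chosen user then runs `addauth digest` with their own credentials before calling `reconfig`.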

Re: Zookeeper 3.5.3 reconfig blocked by ACL

Jordan Zimmerman-3
FWIW - I've had this PR out for a while that makes this situation a lot easier by adding an override. I'd love to see this merged:

https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-2779

-Jordan

> On Oct 18, 2017, at 2:29 AM, Michael Han <[hidden email]> wrote:
>
>>> The way this is set up it seems only a superuser enabled cluster can use
> the reconfig command.
>
> You can also configure the ACL associated with the "/config" znode so your
> chosen users have permission to both read and write the config znode, after
> they are authenticated (using your favorite authentication scheme built in
> ZK, such as SASL). This way you don't have to operate under the credential
> of superuser. By default, in 3.5.3 beta the "/config" znode is read only,
> which effectively disables reconfig API except for superuser who does not
> subject to ACL check.