Overcoming Zookeeper ACLs

How to get super user access to Zookeeper Access Controls

In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity of ZooKeeper, we stumbled on the following ways of getting do-want-I-want access for changing ZK ACLs.

Option 1: Setup a Super User

This is my favorite option for environments beyond my location machine, only requires

  1. Setting an zookeeper property for Zookeeper startup
  2. Restarting Zookeeper
  3. Using zookeeper-shell to activate super user

We’ll setup a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used KAFKA_OPTS env variable to set the JVM param. Other mechanisms for setting JVM params. The user is super and the credentials are super123 . See appendix for generating customer credentials incase these don’t work.

KAKFA_OPTS=-Dzookeeper.DigestAuthenticationProvider.superDigest=super:UdxDQl4f9v5oITwcAsO9bmWgHSI=

After restarting zookeeper, active zookeeper-shell.

~ ./zookeeper-shell localhost:2181
[zk: localhost:2181(CONNECTED) ]

At the zookeeper-shell prompt, paste the following:

addauth digest super:super123

Once you have established yourself as a super user, you will have access to stomp around Zookeeper ACLs as you please

setAcl /MyzNode world:anyone:cdrwa

Option 2: Have Everyone Skip ACLs

If you want to feel like Oprah, you can also use the appropriately named ZooKeeper JVM property zookeeper.skipACL or just skipACLin the ZooKeeper config.

SERVER_JVMFLAGS=-Dzookeeper.skipACL=yes

The ‘yes’ is not a typo.

Appendix: Generating your own Super Digests

If you don’t want to use super:super123 here is a little script using Confluent 4.1.0

#!/bin/sh
CONFLUENT_BASE=<fillmein>
CONFLUENT_CONF=$CONFLUENT_BASE/etc/kafka
CONFLUENT_JARS=$CONFLUENT_BASE/share/java/kafka/*
ZK_CLASSPATH=$CONFLUENT_CONF:$CONFLUENT_JARS
java -cp $ZK_CLASSPATH \ org.apache.zookeeper.server.auth.DigestAuthenticationProvider \ super:superdifficultpasswordthaticanstillremember

The output:

super:superdifficultpasswordthaticanstillremember->super:cXpH5g4x6LYblR279hUfyKKfbn0=

Thanks

Appreciate the Hortonworks.com Community for providing the base for this writing.