Overcoming Zookeeper ACLs

How to get super user access to Zookeeper Access Controls

In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity with ZooKeeper, we stumbled on the following ways of getting do-what-I-want access for changing ZK ACLs.

Option 1: Set Up a Super User

This is my favorite option for environments beyond my local machine. It only requires:

  1. Setting a ZooKeeper property for ZooKeeper startup
  2. Restarting Zookeeper
  3. Using zookeeper-shell to activate super user

We’ll set up a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used the KAFKA_OPTS env variable to set the JVM param. There are other mechanisms for setting JVM params. The user is super and the password is super123. See the appendix for generating custom credentials in case these don’t work.

After restarting ZooKeeper, start zookeeper-shell.

At the zookeeper-shell prompt, paste the following:

Once you have established yourself as a super user, you will have access to stomp around ZooKeeper ACLs as you please.

Option 2: Have Everyone Skip ACLs

If you want to feel like Oprah, you can also use the appropriately named ZooKeeper JVM property zookeeper.skipACL, or just skipACL in the ZooKeeper config.


The ‘yes’ is not a typo.

Appendix: Generating your own Super Digests

If you don’t want to use super:super123, here is a little script using Confluent 4.1.0:

The output:
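
The value ZooKeeper compares against superDigest is the user name, a colon, and the Base64 of SHA-1 over "user:password", so it can be computed without the ZooKeeper jars. The following is an added example, not the author's script; the function names are made up here and UTF-8 encoding of the credential is assumed.

```python
"""Added example: build a ZooKeeper superDigest value offline."""
import base64
import hashlib
import hmac

# Property name as given in the article.
SUPER_PROP = "zookeeper.DigestAuthenticationProvider.superDigest"


def generate_digest(user: str, password: str) -> str:
    """Return 'user:base64(sha1("user:password"))'."""
    if not user or ":" in user:
        # The id is split on the first ':', so the user part cannot contain one.
        raise ValueError("user must be non-empty and must not contain ':'")
    if not password:
        raise ValueError("password must be non-empty")
    # Assumption: the credential bytes are UTF-8.
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def jvm_option(user: str, password: str) -> str:
    """JVM flag to place in KAFKA_OPTS (or any other JVM-args mechanism)."""
    return f"-D{SUPER_PROP}={generate_digest(user, password)}"


def addauth_command(user: str, password: str) -> str:
    """Line to enter at the zookeeper-shell prompt after the restart."""
    return f"addauth digest {user}:{password}"


def matches(super_digest: str, user: str, password: str) -> bool:
    """Check a configured superDigest against a candidate credential."""
    expected = generate_digest(user, password)
    return hmac.compare_digest(super_digest.encode(), expected.encode())


if __name__ == "__main__":
    # The article's sample credential; use a long random password in practice.
    print(jvm_option("super", "super123"))
    print(addauth_command("super", "super123"))
```

The digest is an unsalted SHA-1, so a weak password can be recovered offline by anyone who can read the JVM options; use a long random password and remove the property once the ACLs are fixed.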


Appreciate the Hortonworks.com Community for providing the base for this writing.
