Overcoming Zookeeper ACLs
How to get super user access to Zookeeper Access Controls
In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity with ZooKeeper, we stumbled on the following ways of getting do-what-I-want access for changing ZK ACLs.
Option 1: Set up a Super User
This is my favorite option for environments beyond my local machine; it only requires
- Setting a ZooKeeper JVM property for ZooKeeper startup
- Restarting ZooKeeper
- Using zookeeper-shell to activate the super user
We’ll set up a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used the KAFKA_OPTS env variable to set the JVM param; other mechanisms for setting JVM params work as well. The user is super and the credentials are super123. See the appendix for generating custom credentials in case these don’t work.
KAFKA_OPTS=-Dzookeeper.DigestAuthenticationProvider.superDigest=super:UdxDQl4f9v5oITwcAsO9bmWgHSI=
After restarting ZooKeeper, start zookeeper-shell:
~ ./zookeeper-shell localhost:2181
[zk: localhost:2181(CONNECTED) ]
At the zookeeper-shell prompt, paste the following:
addauth digest super:super123
Once you have established yourself as a super user, you will have access to stomp around ZooKeeper ACLs as you please:
setAcl /MyzNode world:anyone:cdrwa
Option 2: Have Everyone Skip ACLs
If you want to feel like Oprah, you can also use the appropriately named ZooKeeper JVM property zookeeper.skipACL, or just skipACL in the ZooKeeper config.
SERVER_JVMFLAGS=-Dzookeeper.skipACL=yes
The ‘yes’ is not a typo.
Appendix: Generating your own Super Digests
If you don’t want to use super:super123, here is a little script using Confluent 4.1.0:
#!/bin/sh
CONFLUENT_BASE=<fillmein>   # path to your Confluent 4.1.0 install
CONFLUENT_CONF=$CONFLUENT_BASE/etc/kafka
CONFLUENT_JARS=$CONFLUENT_BASE/share/java/kafka/*
ZK_CLASSPATH=$CONFLUENT_CONF:$CONFLUENT_JARS
# Quote the classpath so the shell does not expand the trailing * itself; Java expands it.
java -cp "$ZK_CLASSPATH" \
  org.apache.zookeeper.server.auth.DigestAuthenticationProvider \
  super:superdifficultpasswordthaticanstillremember
The output:
super:superdifficultpasswordthaticanstillremember->super:cXpH5g4x6LYblR279hUfyKKfbn0=
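Added here as an example (not code from the post, nor from ZooKeeper or Confluent): a Python script that reproduces the superDigest construction the appendix script produces, so you can verify a digest you find configured, and audits a KAFKA_OPTS / SERVER_JVMFLAGS string for the two settings covered above, skipACL and superDigest, reporting a super password that matches a constructed weak-password list. The function names, the -Dname=value parsing and the weak-password list are my assumptions; the digest format user:base64(SHA-1("user:password")) is ZooKeeper's own.

```python
import base64
import hashlib
import hmac
import re

# The two JVM properties from the post.
SUPER_DIGEST_PROP = "zookeeper.DigestAuthenticationProvider.superDigest"
SKIP_ACL_PROP = "zookeeper.skipACL"


def generate_digest(id_password: str) -> str:
    """Same construction as ZooKeeper's DigestAuthenticationProvider.generateDigest:
    'user:pw' -> 'user:base64(SHA-1("user:pw"))'. The hash is unsalted."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def verify_super_digest(configured: str, user: str, password: str) -> bool:
    """True if the configured superDigest was generated from user/password."""
    return hmac.compare_digest(configured, generate_digest(f"{user}:{password}"))


def audit_jvm_flags(jvm_opts: str, weak_passwords=()) -> dict:
    """Inspect a KAFKA_OPTS / SERVER_JVMFLAGS string (assumed -Dname=value tokens)
    for skipACL and superDigest, and flag a super password found in weak_passwords."""
    props = dict(re.findall(r"-D([\w.]+)=(\S+)", jvm_opts))
    findings = {"skip_acl": False, "super_user": None, "weak_super_password": None}
    # skipACL=yes disables ACL checks for every client, not just an admin session.
    if props.get(SKIP_ACL_PROP, "").lower() == "yes":
        findings["skip_acl"] = True
    digest = props.get(SUPER_DIGEST_PROP)
    if digest and ":" in digest:
        user = digest.split(":", 1)[0]
        findings["super_user"] = user
        # Unsalted SHA-1 gives a weak password little protection if the flag leaks
        # (process listings, config repos), so check it against the known-weak list.
        for pw in weak_passwords:
            if verify_super_digest(digest, user, pw):
                findings["weak_super_password"] = pw
                break
    return findings


if __name__ == "__main__":
    # Constructed sample: both settings from the post, with the post's super123 password.
    sample = f"-D{SKIP_ACL_PROP}=yes -D{SUPER_DIGEST_PROP}={generate_digest('super:super123')}"
    print(audit_jvm_flags(sample, weak_passwords=("admin", "super123")))
```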
Thanks
Appreciate the Hortonworks.com Community for providing the base for this writing.