Overcoming Zookeeper ACLs

How to get super user access to Zookeeper Access Controls

In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity with ZooKeeper, we stumbled on the following ways of getting do-what-I-want access for changing ZK ACLs.

Option 1: Set Up a Super User

This is my favorite option for environments beyond my local machine. It only requires:

  1. Setting a ZooKeeper property for ZooKeeper startup
  2. Restarting Zookeeper
  3. Using zookeeper-shell to activate super user

We’ll set up a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used the KAFKA_OPTS env variable to set the JVM param. Other mechanisms for setting JVM params. The user is super and the credentials are super123. See the appendix for generating custom credentials in case these don’t work.

After restarting ZooKeeper, start zookeeper-shell.

At the zookeeper-shell prompt, paste the following:

Once you have established yourself as a super user, you will have access to stomp around ZooKeeper ACLs as you please.

Option 2: Have Everyone Skip ACLs

If you want to feel like Oprah, you can also use the appropriately named ZooKeeper JVM property zookeeper.skipACL or just skipACL in the ZooKeeper config.

SERVER_JVMFLAGS=-Dzookeeper.skipACL=yes

The ‘yes’ is not a typo.

Appendix: Generating your own Super Digests

If you don’t want to use super:super123, here is a little script using Confluent 4.1.0:

The output:
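
The digest format behind the superDigest property from Option 1 and this appendix, as an added Python example rather than the author's Confluent 4.1.0 script: ZooKeeper's digest scheme stores user:base64(SHA-1("user:password")) with no salt, so the digest of a published credential such as super:super123 is recognizable wherever it is configured. The function names and the sample options string are assumptions made for this example.

```python
import base64
import hashlib
import secrets

SUPER_DIGEST_PROP = "zookeeper.DigestAuthenticationProvider.superDigest"


def generate_digest(user: str, password: str) -> str:
    """Return user:base64(SHA-1("user:password")), the digest-scheme id format."""
    if ":" in user:
        # ZooKeeper splits the credential at the first ':', so the user part cannot contain one.
        raise ValueError("user must not contain ':'")
    # UTF-8 is assumed here; stay with ASCII passwords to avoid charset differences.
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def jvm_flag(user: str, password: str) -> str:
    """JVM option to put in KAFKA_OPTS (or SERVER_JVMFLAGS) before restarting ZooKeeper."""
    return f"-D{SUPER_DIGEST_PROP}={generate_digest(user, password)}"


def addauth_line(user: str, password: str) -> str:
    """Line to enter at the zookeeper-shell prompt to authenticate with the digest scheme."""
    return f"addauth digest {user}:{password}"


def uses_credential(jvm_opts: str, user: str, password: str) -> bool:
    """Audit helper: True if jvm_opts sets superDigest to the digest of this credential."""
    wanted = generate_digest(user, password)
    for token in jvm_opts.split():
        # partition() splits at the first '=', so base64 padding stays in the value.
        name, _, value = token.partition("=")
        if name == f"-D{SUPER_DIGEST_PROP}" and value == wanted:
            return True
    return False


if __name__ == "__main__":
    password = secrets.token_urlsafe(24)  # random password generated for this run
    print(jvm_flag("super", password))
    print(addauth_line("super", password))
    # Constructed sample of a deployed options string that reuses the article's credential.
    sample = "-Xmx512m " + jvm_flag("super", "super123")
    print("reuses super:super123:", uses_credential(sample, "super", "super123"))
```

Running uses_credential over the JVM options of a deployed ensemble shows whether the article's example credential was left in place after the ACL repair.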

Thanks

Appreciate the Hortonworks.com Community for providing the base for this writing.

Written by

Mobile Engineering Manager and designer of high performance teams
