Overcoming Zookeeper ACLs

How to get super user access to Zookeeper Access Controls

In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity with ZooKeeper, we stumbled on the following ways of getting do-what-I-want access for changing ZK ACLs.

Option 1: Set Up a Super User

This is my favorite option for environments beyond my local machine. It only requires:

  1. Setting a ZooKeeper property for ZooKeeper startup
  2. Restarting Zookeeper
  3. Using zookeeper-shell to activate super user

We’ll set up a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used the KAFKA_OPTS env variable to set the JVM param; other mechanisms for setting JVM params work as well. The user is super and the password is super123. See the appendix for generating custom credentials in case these don’t work.


After restarting ZooKeeper, start zookeeper-shell.

~ ./zookeeper-shell localhost:2181
[zk: localhost:2181(CONNECTED) ]

At the zookeeper-shell prompt, paste the following:

addauth digest super:super123

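Once you have established yourself as a super user, ACL checks no longer apply to your session and you can stomp around ZooKeeper ACLs as you please. For example, this gives everyone all five permissions (create, delete, read, write, admin) on /MyzNode: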

setAcl /MyzNode world:anyone:cdrwa

Option 2: Have Everyone Skip ACLs

If you want to feel like Oprah, you can also set the appropriately named ZooKeeper JVM property zookeeper.skipACL, or just skipACL in the ZooKeeper config, to yes. Every client then bypasses ACL checks, not only you.


The ‘yes’ is not a typo.

Appendix: Generating your own Super Digests

If you don’t want to use super:super123, here is a little script using Confluent 4.1.0:

java -cp $ZK_CLASSPATH \
  org.apache.zookeeper.server.auth.DigestAuthenticationProvider \
  super:superdifficultpasswordthaticanstillremember

The output:



Appreciate the Hortonworks.com Community for providing the base for this writing.
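
The digest the appendix command prints is the user name, a colon, and the Base64 of a SHA-1 hash taken over the whole user:password string, printed as user:password->user:digest. The Python below is an added example, not part of the original post or of ZooKeeper itself. Its function names are hypothetical, and it assumes UTF-8 credentials and rejects input without a colon, which is stricter than the Java tool.

```python
import base64
import hashlib
import hmac

SUPER_DIGEST_PROPERTY = "zookeeper.DigestAuthenticationProvider.superDigest"


def generate_digest(id_password: str) -> str:
    """Return 'user:base64(sha1("user:password"))', the form superDigest expects."""
    # Split on the first colon only, so a password may itself contain ':'.
    user, sep, _password = id_password.partition(":")
    if not sep or not user:
        raise ValueError("expected credentials in the form user:password")
    # Assumption: UTF-8 bytes. For ASCII credentials this matches any JVM default charset.
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def super_digest_jvm_option(id_password: str) -> str:
    """Build the -D flag to place in KAFKA_OPTS (or other JVM options)."""
    return f"-D{SUPER_DIGEST_PROPERTY}={generate_digest(id_password)}"


def matches(id_password: str, configured_digest: str) -> bool:
    """Check credentials against a configured user:digest value (constant-time compare)."""
    return hmac.compare_digest(generate_digest(id_password), configured_digest)


def tool_output_line(id_password: str) -> str:
    """Mimic the line the appendix command prints: input->user:digest."""
    return f"{id_password}->{generate_digest(id_password)}"


if __name__ == "__main__":
    creds = "super:super123"  # the credentials used in this post
    print(tool_output_line(creds))
    print(super_digest_jvm_option(creds))
    # Audit helper: confirm which password a deployed digest corresponds to.
    deployed = generate_digest(creds)
    print("default password still in use:", matches("super:super123", deployed))
```

The digest is an unsalted SHA-1, so treat the superDigest value itself as a secret and prefer a long password over super123.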