Overcoming Zookeeper ACLs
How to get super user access to Zookeeper Access Controls
In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity with ZooKeeper, we stumbled on the following ways of getting do-what-I-want access for changing ZK ACLs.
Option 1: Set Up a Super User
This is my favorite option for environments beyond my local machine. It only requires:
- Setting a ZooKeeper property for ZooKeeper startup
- Restarting ZooKeeper
- Using zookeeper-shell to activate the super user
We’ll set up a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used the KAFKA_OPTS env variable to set the JVM param; there are other mechanisms for setting JVM params. The user is super and the credentials are super123. See the appendix for generating custom credentials in case these don’t work.
After restarting ZooKeeper, start zookeeper-shell.
    ~ ./zookeeper-shell localhost:2181
    [zk: localhost:2181(CONNECTED) ]
At the zookeeper-shell prompt, paste the following:
    addauth digest super:super123
Once you have established yourself as a super user, you can stomp around ZooKeeper ACLs as you please:
    setAcl /MyzNode world:anyone:cdrwa
Option 2: Have Everyone Skip ACLs
If you want to feel like Oprah, you can also use the appropriately named ZooKeeper JVM property zookeeper.skipACL, or just skipACL in the ZooKeeper config, set to yes. The ‘yes’ is not a typo.
Appendix: Generating your own Super Digests
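If you don’t want to use super:super123, here is a little script using Confluent 4.1.0:
    # Assumes CONFLUENT_BASE and CONFLUENT_CONF are already set for your install
    CONFLUENT_JARS="$CONFLUENT_BASE/share/java/kafka/*"
    ZK_CLASSPATH="$CONFLUENT_CONF:$CONFLUENT_JARS"
    # Quote the classpath so the JVM, not the shell, expands the trailing /*
    java -cp "$ZK_CLASSPATH" \
      org.apache.zookeeper.server.auth.DigestAuthenticationProvider \
      super:superdifficultpasswordthaticanstillremember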
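What the appendix command computes, as an added example that is not part of the original post or of ZooKeeper itself: the superDigest value is the user name, a colon, and the base64 of SHA-1 over "user:password". This sketch prompts for the password instead of taking it as an argument and can also check whether a configured digest still matches a published example password. The function names are hypothetical, and UTF-8 encoding of the password is an assumption.

```python
import base64
import getpass
import hashlib
import hmac

# Property name as given on this page.
PROP = "zookeeper.DigestAuthenticationProvider.superDigest"


def super_digest(user: str, password: str) -> str:
    """Return 'user:base64(SHA-1("user:password"))', the superDigest value format."""
    # The value is split on the first ':', so the user name cannot contain one;
    # the password may. UTF-8 encoding is an assumption of this example.
    if not user or ":" in user:
        raise ValueError("user must be non-empty and must not contain ':'")
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def jvm_flag(user: str, password: str) -> str:
    """Build the -D flag to place in KAFKA_OPTS or another JVM-options mechanism."""
    return f"-D{PROP}={super_digest(user, password)}"


def matches(configured: str, user: str, password: str) -> bool:
    """True if a configured superDigest value corresponds to user/password.

    Useful when auditing that a cluster is not still running with a
    published example password such as super123.
    """
    expected = super_digest(user, password)
    return hmac.compare_digest(configured.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Prompt rather than pass the password on the command line, so it does
    # not end up in shell history or the process list.
    user = input("super user name [super]: ").strip() or "super"
    pw = getpass.getpass("password: ")
    if pw != getpass.getpass("repeat password: "):
        raise SystemExit("passwords differ")
    print(jvm_flag(user, pw))
```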
Appreciate the Hortonworks.com Community for providing the base for this writing.