permission test
Create a directory
[zk: localhost:2181(CONNECTED) 1] create /dlw "dlw"
Created /dlw
Check directory permissions
[zk: localhost:2181(CONNECTED) 3] getAcl /dlw
'world,'anyone
: cdrwa
Modify the ACL of the directory: add the accumulo user to the /dlw directory. The MD5 hash code of the password is SkvnZlrIQ19GNd7eLDXGKg0Esgw=, and r means read-only.
[zk: localhost:2181(CONNECTED) 5] setAcl /dlw digest:accumulo:SkvnZlrIQ19GNd7eLDXGKg0Esgw=:r
cZxid = 0x30000003f
ctime = Mon Feb 05 16:47:14 CHOT 2018
mZxid = 0x30000003f
mtime = Mon Feb 05 16:47:14 CHOT 2018
pZxid = 0x30000003f
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
Check directory permissions again
[zk: localhost:2181(CONNECTED) 6] getAcl /dlw
'digest,'accumulo:SkvnZlrIQ19GNd7eLDXGKg0Esgw=
: r
The directory is now inaccessible because of insufficient permissions
[zk: localhost:2181(CONNECTED) 7] ls /dlw
Authentication is not valid : /dlw
Suddenly I found that although I know the MD5 value of the accumulo user password, I don't know what the password is, and then I can't access the /dlw directory.
In this situation, you can use ZooKeeper's ACL super administrator to operate on the directory
Zookeeper's ACL super administrator
Modify the startup script of zookeeper
$ cd $ZOOKEEPER_HOME/bin
$ vi zkServer.sh
Add a line
SUPER_ACL="-Dzookeeper.DigestAuthenticationProvider.superDigest=super:xQJmxLMiHGwaqBvst5y6rkB6HQs="
super:xQJmxLMiHGwaqBvst5y6rkB6HQs= represents super:admin
Modify the startup command, find nohup, and add SUPER_ACL to the startup command
nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
"-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" "${SUPER_ACL}" \
-cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
Distribute zkServer.sh to other zookeeper nodes and restart the zookeeper service
Then log in with zkCli.sh and authenticate as the super administrator super; you can now operate on /dlw
[zk: localhost:2181(CONNECTED) 14] addauth digest super:admin
[zk: localhost:2181(CONNECTED) 15] ls /dlw
[]
Change the ACL of the /dlw directory back to the initial default
[zk: localhost:2181(CONNECTED) 23] setAcl /dlw world:anyone:crwda
cZxid = 0x30000003f
ctime = Mon Feb 05 16:47:14 CHOT 2018
mZxid = 0x30000003f
mtime = Mon Feb 05 16:47:14 CHOT 2018
pZxid = 0x30000003f
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 24] getAcl /dlw
'world,'anyone
: cdrwa
Zookeeper authentication method
digest: The client is authenticated by username and password, such as user:password. The digest of the password is generated as the Base64 form of the SHA-1 digest
auth: does not use any id, represents any authenticated user.
ip: Client is verified by IP address, such as 172.2.0.0/24
world: fixed user is anyone, open permissions for all clients
super: In this case, the corresponding id has super permission and can do anything (cdrwa)
The permissions (perms) of nodes mainly include the following:
Create allows Create operations on child nodes
Read allows GetChildren and GetData operations on this node
Write allows SetData operations on this node
Delete allows Delete operations on child nodes
Admin allows setAcl operations on this node
When setting ACL permissions, each one is abbreviated to its first letter (c, r, w, d, a); getAcl displays them as cdrwa.
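
The lockout shown earlier can be caught before running setAcl. The following is an added example, not part of the original page or of ZooKeeper itself: it computes the digest-scheme id as Base64 of the SHA-1 of "user:password" and checks a single ACL entry against the credentials you actually hold. The function names and the guessed password are hypothetical.

```python
import base64
import hashlib

PERM_LETTERS = set("cdrwa")  # create, delete, read, write, admin


def zk_digest(user, password):
    """Return the digest-scheme id 'user:base64(sha1("user:password"))'."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def parse_acl(spec):
    """Split a zkCli ACL spec 'scheme:id:perms' into (scheme, id, perms)."""
    scheme, rest = spec.split(":", 1)
    ident, perms = rest.rsplit(":", 1)  # the id itself may contain ':'
    if not perms or not set(perms) <= PERM_LETTERS:
        raise ValueError(f"bad permission string: {perms!r}")
    return scheme, ident, perms


def lockout_risks(spec, user, password):
    """Reasons why applying this single-entry ACL could lock out user/password."""
    scheme, ident, perms = parse_acl(spec)
    risks = []
    if scheme == "digest" and ident != zk_digest(user, password):
        risks.append("held credentials do not produce the digest in the ACL")
    if "a" not in perms:
        risks.append("no admin (a) permission: only super can change the ACL again")
    return risks


if __name__ == "__main__":
    # Reproduces the superDigest value used in zkServer.sh above.
    print(zk_digest("super", "admin"))
    # The ACL from the permission test, checked with a constructed guess.
    acl = "digest:accumulo:SkvnZlrIQ19GNd7eLDXGKg0Esgw=:r"
    for risk in lockout_risks(acl, "accumulo", "constructed-guess"):
        print("RISK:", risk)
```

An empty list from lockout_risks means the entry matches your credentials and still grants admin, so the ACL can be changed again without the super administrator.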