Yes Chris!.
Some how I managed to solve the problem of enabling ACL in all nodes after
I set the auth scheme recursively from root.
I was in thought that insufficient permission in second session of cli
meant that it loses all auth users we set early in first session before
restart.
Hence I used skipACL flag and set all user for all nodes this time no more
insufficient permission error in any sessions.
The vulnerability was also solved.
Thanks and Regards,
Rinilnath
Mobile#9786285451
On Tue, 11 Jan, 2022, 00:58 Chris Nauroth, wrote:
> Hello Rinilnath,
>
> I think the reason for "insufficient permission" (on ZooKeeper 3.6.3) is
> not that the ACL isn't persistent across restarts. Instead, I think it's
> because in your second session (second invocation of zkCli), you are not
> authenticating before calling getAcl. Since you are no longer authenticated
> as the "zookeeper" user, the server is correctly enforcing the ACL that was
> created during the first session.
>
> If you repeat the addauth at the start of your second session/second zkCli,
> then I expect it will work, and you'll be able to see the ACL that was
> created in the first session.
>
> Example:
>
> [zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper
> Insufficient permission : /zookeeper
> [zk: localhost:2181(CONNECTED) 1] addauth digest zookeeper:password
> [zk: localhost:2181(CONNECTED) 2] getAcl /zookeeper
> 'digest,'zookeeper:aoWyXhEACEkPu6F+p7w0LmvXvPU=
> : cdrwa
>
> Note that there was no need to repeat the setAcl command, even if the
> server was restarted in between.
>
> I hope this helps.
>
> Chris Nauroth
>
>
> On Thu, Jan 6, 2022 at 11:09 AM Enrico Olivelli
> wrote:
>
> > Il Gio 6 Gen 2022, 19:33 rinilnath r ha scritto:
> >
> > > Hi,
> > >
> > > Thanks for your reply! Really great to see a hand for help
> > >
> > > Default means my default node , zookeeper is its name.
> > >
> > > Basically, I did these
> > >
> > > 1. addauth digest zookeeper: adminpass
> > > 2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa
> > >
> > > Now getAcl /zookeeper, shows correctly the users added.
> > >
> > > Problem is when I restart zkserver, again I connect zkcli and all are
> > gone.
> > >
> > > getAcl /zookeeper... Will say invalid ACL 3.5.3 or insufficient
> > permission
> > > in 3.6.3
> > >
> > > No clue how to make a persistent set of ACL.
> > > My security compliance is blocked because of this.
> > >
> >
> > Most of the times it is the Java application that sets the acls while
> > creating the znode.
> > I can't check your commands now (because I am out)
> >
> > I hope that someone can give more feedback, otherwise I will try to help
> > next week
> >
> >
> > Enrico
> >
> >
> >
> > >
> > >
> > > Thanks and Regards,
> > > Rinilnath
> > > Mobile#9786285451
> > >
> > > On Thu, 6 Jan, 2022, 22:40 Enrico Olivelli,
> wrote:
> > >
> > > > Il Gio 6 Gen 2022, 14:45 rinilnath r ha
> scritto:
> > > >
> > > > > Is this group still valid?
> > > > >
> > > >
> > > > Yes
> > > > This list is still valid.
> > > >
> > > > Probably there are many people still on vacation (like me :) )
> > > >
> > > > Can you please share more information?
> > > >
> > > > What is it a 'available zookeeper default node'?
> > > >
> > > > How are you setting acls?
> > > >
> > > >
> > > >
> > > > Enrico
> > > >
> > > >
> > > > I am getting ipage reply for my mail
> > > > >
> > > > > Thanks and Regards,
> > > > > Rinilnath
> > > > > Mobile#9786285451
> > > > >
> > > > > On Thu, 6 Jan, 2022, 17:58 rinilnath r,
> wrote:
> > > > >
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I need to enable ACL in all nodes, as per security compliance.
> > > > > >
> > > > > > These are the things I tried
> > > > > >
> > > > > > 1. addauth digest with specific user
> > > > > > 2. SetAcl on available default zookeeper node
> > > > > >
> > > > > > But after service restart. The getAcl is saying insufficient
> > > permission
> > > > > >
> > > > > > Zookeeper: 3.6.3
> > > > > >
> > > > > > Please help me to do this properly.
> > > > > >
> > > > > > Thanks and Regards,
> > > > > > Rinilnath
> > > > > > Mobile#9786285451
> > > > > >
> > > > >
> > > >
> > >
> >
>
