Re: Zookeeper on windows standalone
Yes Chris! Somehow I managed to solve the problem of enabling ACL in all nodes after I set the auth scheme recursively from root. I was thinking that insufficient permission in the second session of the CLI meant that it loses all auth users we set earlier in the first session before restart. Hence I used the skipACL flag and set all users for all nodes; this time there is no more insufficient permission error in any session. The vulnerability was also solved.

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 11 Jan, 2022, 00:58 Chris Nauroth, wrote:

> Hello Rinilnath,
>
> I think the reason for "insufficient permission" (on ZooKeeper 3.6.3) is
> not that the ACL isn't persistent across restarts. Instead, I think it's
> because in your second session (second invocation of zkCli), you are not
> authenticating before calling getAcl. Since you are no longer authenticated
> as the "zookeeper" user, the server is correctly enforcing the ACL that was
> created during the first session.
>
> If you repeat the addauth at the start of your second session/second zkCli,
> then I expect it will work, and you'll be able to see the ACL that was
> created in the first session.
>
> Example:
>
> [zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper
> Insufficient permission : /zookeeper
> [zk: localhost:2181(CONNECTED) 1] addauth digest zookeeper:password
> [zk: localhost:2181(CONNECTED) 2] getAcl /zookeeper
> 'digest,'zookeeper:aoWyXhEACEkPu6F+p7w0LmvXvPU=
> : cdrwa
>
> Note that there was no need to repeat the setAcl command, even if the
> server was restarted in between.
>
> I hope this helps.
>
> Chris Nauroth
Re: Zookeeper on windows standalone
Hello Rinilnath,

I think the reason for "insufficient permission" (on ZooKeeper 3.6.3) is not that the ACL isn't persistent across restarts. Instead, I think it's because in your second session (second invocation of zkCli), you are not authenticating before calling getAcl. Since you are no longer authenticated as the "zookeeper" user, the server is correctly enforcing the ACL that was created during the first session.

If you repeat the addauth at the start of your second session/second zkCli, then I expect it will work, and you'll be able to see the ACL that was created in the first session.

Example:

[zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper
Insufficient permission : /zookeeper
[zk: localhost:2181(CONNECTED) 1] addauth digest zookeeper:password
[zk: localhost:2181(CONNECTED) 2] getAcl /zookeeper
'digest,'zookeeper:aoWyXhEACEkPu6F+p7w0LmvXvPU=
: cdrwa

Note that there was no need to repeat the setAcl command, even if the server was restarted in between.

I hope this helps.

Chris Nauroth

On Thu, Jan 6, 2022 at 11:09 AM Enrico Olivelli wrote:

> On Thu 6 Jan 2022, 19:33 rinilnath r wrote:
>
> > Hi,
> >
> > Thanks for your reply! Really great to see a hand for help.
> >
> > Default means my default node, zookeeper is its name.
> >
> > Basically, I did these:
> >
> > 1. addauth digest zookeeper: adminpass
> > 2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa
> >
> > Now getAcl /zookeeper shows correctly the users added.
> >
> > Problem is when I restart zkserver, again I connect zkcli and all are
> > gone.
> >
> > getAcl /zookeeper... will say invalid ACL in 3.5.3 or insufficient
> > permission in 3.6.3.
> >
> > No clue how to make a persistent set of ACL.
> > My security compliance is blocked because of this.
>
> Most of the time it is the Java application that sets the ACLs while
> creating the znode.
> I can't check your commands now (because I am out).
>
> I hope that someone can give more feedback, otherwise I will try to help
> next week.
>
> Enrico
>
> > Thanks and Regards,
> > Rinilnath
> > Mobile#9786285451
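
The behaviour described in the message above, as an added example that is not part of the original thread and is not ZooKeeper code: a simplified Python model in which the ACL is stored with the znode while authentication belongs to one session. The `Session` class, `store` dict and method names are hypothetical; the stored id form, user:base64(SHA-1("user:password")), is that of ZooKeeper's digest scheme, and the credentials are constructed.

```python
import base64
import hashlib


def digest_id(user_password):
    """ACL id as stored for the digest scheme: user:base64(sha1("user:password"))."""
    user = user_password.split(":", 1)[0]
    sha1 = hashlib.sha1(user_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")


class Session:
    """Model of one zkCli connection. `store` stands in for the ACLs persisted
    with each znode; `auth` exists only in this session and starts out empty."""
    def __init__(self, store):
        self.store, self.auth = store, set()

    def _check(self, path, needed):
        for scheme, ident, perms in self.store[path]:
            known = scheme == "world" or (scheme, ident) in self.auth
            if known and set(needed) & set(perms):
                return
        raise PermissionError("Insufficient permission : " + path)

    def addauth_digest(self, user_password):
        self.auth.add(("digest", digest_id(user_password)))

    def set_acl_auth(self, path, perms):  # "auth" scheme: store this session's ids
        self._check(path, "a")
        if not self.auth:
            raise ValueError("no authenticated id to store in the ACL")
        self.store[path] = [(s, i, perms) for s, i in sorted(self.auth)]

    def get_acl(self, path):
        self._check(path, "ra")  # simplified: READ or ADMIN is enough here
        return list(self.store[path])


def demo():
    store = {"/zookeeper": [("world", "anyone", "cdrwa")]}  # outlives sessions
    first, second = Session(store), Session(store)
    first.addauth_digest("zookeeper:password")  # constructed credentials
    first.set_acl_auth("/zookeeper", "cdrwa")
    try:
        before = second.get_acl("/zookeeper")  # second zkCli, no addauth yet
    except PermissionError as err:
        before = str(err)
    second.addauth_digest("zookeeper:password")
    return before, second.get_acl("/zookeeper")
```

`demo()` returns the denial message seen by the unauthenticated second session, followed by the ACL that the same session can read once it repeats addauth; no second setAcl is involved.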
Re: Zookeeper on windows standalone
On Thu 6 Jan 2022, 19:33 rinilnath r wrote:

> Hi,
>
> Thanks for your reply! Really great to see a hand for help.
>
> Default means my default node, zookeeper is its name.
>
> Basically, I did these:
>
> 1. addauth digest zookeeper: adminpass
> 2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa
>
> Now getAcl /zookeeper shows correctly the users added.
>
> Problem is when I restart zkserver, again I connect zkcli and all are gone.
>
> getAcl /zookeeper... will say invalid ACL in 3.5.3 or insufficient
> permission in 3.6.3.
>
> No clue how to make a persistent set of ACL.
> My security compliance is blocked because of this.

Most of the time it is the Java application that sets the ACLs while creating the znode.
I can't check your commands now (because I am out).

I hope that someone can give more feedback, otherwise I will try to help next week.

Enrico

> Thanks and Regards,
> Rinilnath
> Mobile#9786285451
Re: Zookeeper on windows standalone
Hi,

Thanks for your reply! Really great to see a hand for help.

Default means my default node, zookeeper is its name.

Basically, I did these:

1. addauth digest zookeeper: adminpass
2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa

Now getAcl /zookeeper shows correctly the users added.

Problem is when I restart zkserver, again I connect zkcli and all are gone.

getAcl /zookeeper... will say invalid ACL in 3.5.3 or insufficient permission in 3.6.3.

No clue how to make a persistent set of ACL.
My security compliance is blocked because of this.

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Thu, 6 Jan, 2022, 22:40 Enrico Olivelli, wrote:

> On Thu 6 Jan 2022, 14:45 rinilnath r wrote:
>
> > Is this group still valid?
>
> Yes
> This list is still valid.
>
> Probably there are many people still on vacation (like me :) )
>
> Can you please share more information?
>
> What is an 'available zookeeper default node'?
>
> How are you setting ACLs?
>
> Enrico
>
> > I am getting ipage reply for my mail
> >
> > Thanks and Regards,
> > Rinilnath
> > Mobile#9786285451
Re: Zookeeper on windows standalone
On Thu 6 Jan 2022, 14:45 rinilnath r wrote:

> Is this group still valid?

Yes
This list is still valid.

Probably there are many people still on vacation (like me :) )

Can you please share more information?

What is an 'available zookeeper default node'?

How are you setting ACLs?

Enrico

> I am getting ipage reply for my mail
>
> Thanks and Regards,
> Rinilnath
> Mobile#9786285451
Re: Zookeeper on windows standalone
Is this group still valid?

I am getting ipage reply for my mail

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Thu, 6 Jan, 2022, 17:58 rinilnath r, wrote:

> Hi,
>
> I need to enable ACL in all nodes, as per security compliance.
>
> These are the things I tried
>
> 1. addauth digest with specific user
> 2. SetAcl on available default zookeeper node
>
> But after service restart, the getAcl is saying insufficient permission
>
> Zookeeper: 3.6.3
>
> Please help me to do this properly.
>
> Thanks and Regards,
> Rinilnath
> Mobile#9786285451