Thanks Michael. It worked! 

Date: Thu, 2 Oct 2014 13:50:51 -0400
Subject: Re: Removing 'accumulo' from Zookeeper
From: [email protected]
To: [email protected]

I cut and paste a little fast there at the end, so obviously no one outside of 
Sqrrl has the "zk-digest.sh" script.  Here's that in all its gory detail: 

#!/bin/bash

if [ -z "${ZOOKEEPER_HOME}" ]; then
    echo "Set \$ZOOKEEPER_HOME before running this script"
    exit 4747
fi

if [ -z "${JAVA_HOME}" ]; then
    echo "Set \$JAVA_HOME before running this script"
    exit 4747
fi

if [ $# -eq 0 ]; then
    echo "usage: zk-digest.sh <digest string>"
    echo ""
    echo "  Utility to produce authentication digests, such as you might see in ZooKeeper node ACL entries"
    echo ""
    echo "  Example: zk-digest.sh sqrrl:secret"
    exit 4747
fi

# Jars and config needed to load DigestAuthenticationProvider
ZK_CLASSPATH="${ZOOKEEPER_HOME}/build/classes:${ZOOKEEPER_HOME}/build/lib/*.jar:${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:${ZOOKEEPER_HOME}/src/java/lib/*.jar:${ZOOKEEPER_HOME}/conf"

# Prints the digest for each <user>:<password> argument
"${JAVA_HOME}/bin/java" -Dzookeeper.log.dir="." \
    -Dzookeeper.root.logger="INFO,CONSOLE" \
    -cp "${ZK_CLASSPATH}" \
    -Dcom.sun.management.jmxremote \
    -Dcom.sun.management.jmxremote.local.only=false \
    org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"

On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <[email protected]> wrote:
Hi Ranjan.  If you're doing this on your own development node, or a production 
node you're in full control of, you can add a root password to ZooKeeper in 
order to blow away any nodes you like. Here's a little writeup I did about it:

ZooKeeper has security features built into it by way of access control lists 
(ACLs) on nodes.  Once set, these ACLs can be very hard to get rid of, 
especially if errant code has set up nodes that you no longer have any password 
for.  This how-to guide shows you how to set up a root user inside of ZooKeeper 
that can wipe out any ACLed node.

Step-by-step guide

Stop your currently running ZooKeeper.  This is either a direct 
$ZOOKEEPER_HOME/bin/zkServer.sh stop command or a sudo service 
zookeeper-server stop command on some systest boxes.

Edit zkServer.sh and in the following section:

start)
    echo  -n "Starting zookeeper ... "
    if [ -f $ZOOPIDFILE ]; then
      if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
         echo $command already running as process `cat $ZOOPIDFILE`. 
         exit 0
      fi
    fi
    nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

Add the line

-Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \

within the $JAVA invocation such that the resulting section looks like this:

start)
    echo  -n "Starting zookeeper ... "
    if [ -f $ZOOPIDFILE ]; then
      if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
         echo $command already running as process `cat $ZOOPIDFILE`. 
         exit 0
      fi
    fi
    nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
    -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

Start ZooKeeper again.

Log into ZooKeeper via zkCli.sh.

Declare yourself the root user with the following addauth command:

addauth digest super:secret

You should now be able to delete any node and/or change any ACL within the 
ZooKeeper system.

Note that you should NOT set this setting up on any production system.  If you 
need to set up a root user on a production system, you need to create a 
different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4= stuff above is a 
"digest") linked to a better password than "secret".  To make your own digest, 
use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh script.

On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <[email protected]> wrote:
Accumulo will work properly if you do not clean it before installing, because 
each time you init Accumulo it stores the information for the new instance 
under a new random uuid.  For the purpose of cleaning out old UUIDs, it's 
possible each old UUID could have been created with a different password.   
Maybe that's what's happening in your case?  I cannot remember if the syntax of 
your addauth command is correct.

On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <[email protected]> wrote:



Let me describe the scenario. Accumulo was installed earlier but has been 
removed now. Before installing Accumulo I want to clean any ZK node related to 
it.  Below please see the details.  I do not have any node called 'instances' 
in ZK. As I could not use addauth and remove the nodes, I found some doc on 
using skipACL=YES in zookeeper manual and was wondering if that may enable me 
to clean.  Thanks for looking at it. 

  <property>
    <name>instance.secret</name>
    <value>DEFAULT</value>
  </property>

[zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
[zk: localhost:2181(CONNECTED) 2] rmr /accumulo
Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
[zk: localhost:2181(CONNECTED) 3] ls /
[accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm, brokers, controller_epoch]
[zk: localhost:2181(CONNECTED) 4] rmr /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root


[zk: localhost:2181(CONNECTED) 15] getAcl /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
'world,'anyone
: r
'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
: cdrwa

> Date: Wed, 1 Oct 2014 22:29:42 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: Removing 'accumulo' from Zookeeper
> 
> You definitely want "addauth", not "setacl".
> 
> "secret" is the value of instance.secret in accumulo-site.xml.
> 
> craig w wrote:
> > I'd double check that "secret" is correct and perhaps do you mean to 
> > use "addauth"?
> >
> > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <[email protected] 
> > <mailto:[email protected]>> wrote:
> >
> >     Hi Accumulo users,
> >
> >     I have an accumulo znode that I want to remove from zookeeper. I
> >     tried to use the
> >
> >     setAcl  digest accumulo:secret
> >
> >     but it is not working when I try to remove it
> >
> >     [zk: localhost:2181(CONNECTED) 11] rmr
> >     /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
> >
> >     Authentication is not valid :
> >     /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
> >
> >
> >     so I was thinking of using skipACL=YES that I saw in the zookeeper
> >     documentation. Any idea if this can be used with zkCli.sh?
> >
> >
> >     Ranjan
> >
> >
> >
> >
> > -- 
> > https://github.com/mindscratch
> > https://www.google.com/+CraigWickesser
> > https://twitter.com/mind_scratch
> > https://twitter.com/craig_links
                                          




-- 
Michael Allen
Software Architect | Sqrrl
-----------------------------------
130 Prospect Street | Cambridge, MA 02139
415.699.0106 | www.sqrrl.com
-----------------------------------
The information contained in this 
communication may be confidential, subject to legal privilege, or otherwise 
protected from disclosure, and is intended solely for the use of the intended 
recipient(s). If you are not the intended recipient of this communication, 
please destroy all copies in your possession, notify the sender that you have 
received this communication in error, and note that any review or dissemination 
of, or the taking of any action in reliance on, this communication is expressly 
prohibited.  Please note that sqrrl data, INC. reserves the right to intercept, 
monitor, and retain e-mail messages to and from its systems as permitted by 
applicable law.
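
Added example, not part of the original messages and not Sqrrl's or ZooKeeper's own code: the digest in a superDigest setting or a 'digest,'user:... ACL entry is base64(SHA-1("user:password")), so a credential can be checked against getAcl output before trying addauth. The function names and the demo credential are assumptions made for illustration.

```python
import base64
import hashlib
import re


def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def zk_digest(id_password: str) -> str:
    """'user:password' -> 'user:' + base64(SHA-1('user:password'))."""
    user, sep, _ = id_password.partition(":")
    if not user or not sep:
        raise ValueError("expected 'user:password'")
    # Assumption: UTF-8 input; the Java provider uses the JVM default charset.
    return user + ":" + sha1_b64(id_password.encode("utf-8"))


# A digest-scheme entry as zkCli.sh getAcl prints it: id line, then ": perms".
_ACL_ENTRY = re.compile(r"^'digest,'(\S+)[ \t]*\n:[ \t]*([cdrwa]+)[ \t]*$", re.M)


def digest_acls(getacl_output: str):
    """Return [(id, perms)] for every digest entry; other schemes are skipped."""
    return _ACL_ENTRY.findall(getacl_output)


def credential_grants(id_password: str, getacl_output: str) -> str:
    """Permissions this credential would get on the node ('' if no entry matches)."""
    mine = zk_digest(id_password)
    return "".join(p for acl_id, p in digest_acls(getacl_output) if acl_id == mine)


# getAcl output copied from the thread above.
THREAD_ACL = """'world,'anyone
: r
'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
: cdrwa
"""

if __name__ == "__main__":
    print(digest_acls(THREAD_ACL))
    demo = "demo:constructed-password"  # constructed sample credential
    demo_acl = "'digest,'" + zk_digest(demo) + "\n: cdrwa\n"
    print(repr(credential_grants(demo, demo_acl)))                # matches
    print(repr(credential_grants("demo:wrong-guess", demo_acl)))  # no match
```

Because the digest is an unsalted SHA-1 of user:password, a superDigest value left in zkServer.sh or visible on the java command line should be protected like the password itself.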



