On Sun, Jul 1, 2012 at 4:41 AM, Liwei.Sun <[email protected]> wrote:

> It needs to restart the zk server to enable the super user, right? If so, it
> won't help, because the zk cluster is serving online. We can't stop and
> restart the service.
>

Assuming you have a quorum of >= 3 nodes, you should be able to slow roll
the nodes to propagate this change to all members and still keep the
cluster on-line as long as clients are properly configured with all quorum
hosts.


> Here are the things I did according to the document, but it didn't work.
> My zk cluster contains 4 machines. I select one of them and change the
>

This is an aside, but are all 4 quorum peers or is 1 an observer or
read-only node?  Typically you'd want an odd number of quorum participating
nodes.


> zookeeper/bin/zkCli.sh on it. A new line is added like the following code:
>
> $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>      "-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJFh8f+1Gwv62s='" \   // this line is newly added
>      -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
>      org.apache.zookeeper.ZooKeeperMain $@
>
> super:VQ6+KW+63miPakJFh8f+1Gwv62s=  is the digest data.
> Then I run ./zkCli.sh to connect to the server, and
> addauth digest super:<password>
>
> But I still can't change the ACL of /Apple/Boy znode because of ACL
> So, I guess I need to restart all the 4 zk servers to make the
> zookeeper.DigestAuthenticationProvider.superDigest property take
> effect.
> Am I right?


I believe you are (I applied this change to all my quorum peers in a slow
roll and only when complete tried the super user account) - but I have
neither tried just modifying the config for one peer and connecting to it
nor read this bit of zk server code.


> Liwei
>
> -----Original Message-----
> From: John Sirois [mailto:[email protected]]
> Sent: June 29, 2012 18:40
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: Re: Can't remove a znode because of ACL issue.
>
>
>
> Sent from my iPhone
>
> On Jun 29, 2012, at 3:34 AM, sun liwei <[email protected]> wrote:
>
> > I have the following znodes in zk:
> >
> > /Apple/Boy/Cat
> >
> > And the ACL of these three znodes are:
> >
> > /                         world:anyone:cdrwa
> > /App                   world:anyone:cdrwa
> > /Apple/Boy          world:anyone:cdrwa
> > /Apple/Boy/Cat    world:anyone:cdrwa
> >
> > Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> > mistake):
> >
> > /                         world:anyone:cdrwa
> > /App                   world:anyone:cdrwa
> > /Apple/Boy          world:anyone:r
> > /Apple/Boy/Cat    world:anyone:cdrwa
> >
> > Now, I have a problem deleting the /Apple/Boy znode. Before
> > /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but
> > /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy which
> > is 'r' (readonly).
> >
> > So, is there any way to delete the znode /Apple/Boy or recover
> > its ACL to 'cdrwa'?
>
> You can fabricate super user credentials and then enable the super user in
> your cluster's configs.  After rolling the cluster you can authenticate as
> super and then do as you will with any node.  See
> http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions
>
> >
> > Thanks in advance.
> > Liwei
>
>
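
An added example, not part of the original thread and not ZooKeeper's own code: a Python sketch of how a superDigest value is formed (user:base64(SHA-1("user:password")), the form used by ZooKeeper's digest scheme), plus a check for the quoting visible in the quoted zkCli.sh line, where single quotes inside a double-quoted argument become part of the property value. The function names and the sample password are assumptions; the property is read by the server JVM, so the rendered flag belongs in the server start-up options rather than in the client script.

```python
import base64
import hashlib
import hmac

PROP = "zookeeper.DigestAuthenticationProvider.superDigest"

def super_digest(user, password):
    """Build user:base64(sha1("user:password")), the digest-scheme form."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def check_property_value(value):
    """Return a list of problems with a candidate superDigest value."""
    problems = []
    bare = value.strip("'\" \t")
    if bare != value:
        problems.append("quotes or whitespace around the value reach the JVM literally")
    user, sep, b64 = bare.partition(":")
    if not (user and sep and b64):
        return problems + ["expected user:base64digest"]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return problems + ["digest part is not valid base64"]
    if len(raw) != 20:
        problems.append("digest is not 20 bytes, so it is not a SHA-1")
    return problems

def password_matches(value, user, password):
    """Confirm a stored value really corresponds to the password you hold."""
    return hmac.compare_digest(value, super_digest(user, password))

def server_jvm_flag(value):
    """Render the flag for the server JVM; refuse malformed values."""
    problems = check_property_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    return f"-D{PROP}={value}"

if __name__ == "__main__":
    good = super_digest("super", "example-password")  # constructed sample
    print(server_jvm_flag(good))
    # Value as it appears inside the double-quoted zkCli.sh argument in the thread:
    print(check_property_value("'super:VQ6+KW+63miPakJFh8f+1Gwv62s='"))
```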
