Many thanks to John.

On Mon, Jul 2, 2012 at 11:14 AM, John Sirois <[email protected]> wrote:

> On Sun, Jul 1, 2012 at 4:41 AM, Liwei.Sun <[email protected]> wrote:
>
> > It needs to restart the zk server to enable the super user, right? If so,
> > it won't help. Because the zk cluster is serving online. We can't stop and
> > restart the service.
> >
>
> Assuming you have a quorum of >= 3 nodes, you should be able to slow roll
> the nodes to propagate this change to all members and still keep the
> cluster on-line as long as clients are properly configured with all quorum
> hosts.

I changed the zkServer.sh of the observer server, restarted the server and
connected to it. The super user works well. I can change the ACL of any nodes.
So, my problem is resolved.
But if I connect to any other servers with zkCli.sh, the super user does not
work.

>
> > Here are the things I did according to the document, but it didn't work.
> > My zk cluster contains 4 machines. I select one of them and change the
> >
>
> This is an aside, but are all 4 quorum peers or is 1 an observer or
> read-only node? Typically you'd want an odd number of quorum participating
> nodes.
>

You are right, one of them is an observer.

>
> > zookeeper/bin/zkCli.sh on it. A new line is added like the following code:
> >
> > $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
> > "-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJFh8f+1Gwv62s='" \ // this line is new added
> > -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
> > org.apache.zookeeper.ZooKeeperMain $@
> >
> > super:VQ6+KW+63miPakJFh8f+1Gwv62s= is the digest data.
> > Then I run ./zkCli.sh to connect to the server, and
> > addauth digest super:<password>
> >
> > But I still can't change the ACL of /Apple/Boy znode because of ACL
> > So, I guess I need to restart all the 4 zk servers to make the
> > zookeeper.DigestAuthenticationProvider.superDigest property taken into
> > effect.
> > Am I right?
> >
>
> I believe you are (I applied this change to all my quorum peers in a slow
> roll and only when complete tried the super user account) - but I have not
> either tried just modifying the config for one peer and connecting to it
> nor have I read this bit of zk server code.
>
> > Liwei
> >
> > -----Original Message-----
> > From: John Sirois [mailto:[email protected]]
> > Sent: June 29, 2012 18:40
> > To: [email protected]
> > Cc: [email protected]; [email protected]
> > Subject: Re: Can't remove a znode because of ACL issue.
> >
> > Sent from my iPhone
> >
> > On Jun 29, 2012, at 3:34 AM, sun liwei <[email protected]> wrote:
> >
> > > I have the following znodes in zk:
> > >
> > > /Apple/Boy/Cat
> > >
> > > And the ACL of these three znodes are:
> > >
> > > / world:anyone:cdrwa
> > > /App world:anyone:cdrwa
> > > /Apple/Boy world:anyone:cdrwa
> > > /Apple/Boy/Cat world:anyone:cdrwa
> > >
> > > Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> > > mistake):
> > >
> > > / world:anyone:cdrwa
> > > /App world:anyone:cdrwa
> > > /Apple/Boy world:anyone:r
> > > /Apple/Boy/Cat world:anyone:cdrwa
> > >
> > > Now, I have a problem to delete the /Apple/Boy znode. Before
> > > /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but
> > > /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy
> > > which is 'r' (readonly).
> > >
> > > So, is there any way to delete the znode /Apple/Boy or recover
> > > its ACL to 'cdrwa'?
> >
> > You can fabricate super user credentials and then enable the super user in
> > your cluster's configs. After rolling the cluster you can authenticate as
> > super and then do as you will with any node. See
> > http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions
> >
> > > Thanks in advance.
> > > Liwei
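An added example (not code from this thread or from the ZooKeeper project) that builds a superDigest value and checks a launcher line for the two problems visible in the quoted zkCli.sh change: quote characters nested inside the double-quoted -D argument, and the property being set on the client JVM instead of the server JVM. It assumes the digest scheme's format user:base64(sha1("user:password")); audit_launcher, the sample lines and the password are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import re

PROP = "zookeeper.DigestAuthenticationProvider.superDigest"

def super_digest(user, password):
    """Return user:base64(sha1("user:password")), the form the digest scheme compares."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def audit_launcher(script):
    """List problems with how a launcher script's text sets the superDigest property."""
    m = re.search(re.escape(PROP) + r'=([^"\s\\]+)', script)
    if m is None:
        return [f"{PROP} is not set"]
    problems = []
    value = m.group(1)
    if value[0] in "'\"" or value[-1] in "'\"":
        # Quotes nested inside a double-quoted shell word reach the JVM as data.
        problems.append("value carries literal quote characters")
        value = value.strip("'\"")
    user, _, b64 = value.partition(":")
    try:
        well_formed = bool(user) and len(base64.b64decode(b64, validate=True)) == 20
    except ValueError:
        well_formed = False
    if not well_formed:
        problems.append("value is not user:base64(sha1)")
    if "org.apache.zookeeper.ZooKeeperMain" in script:
        # ZooKeeperMain is the zkCli client; the digest check runs in the server JVM.
        problems.append("set on the client JVM, not the server JVM")
    return problems

# Constructed samples: the zkCli.sh line quoted in the thread, and a server-side line
# built with a made-up password.
CLIENT_LINE = '''$JAVA "-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJFh8f+1Gwv62s='" \\
  -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS org.apache.zookeeper.ZooKeeperMain $@'''
SERVER_LINE = ('$JAVA "-D' + PROP + "=" + super_digest("super", "example-password")
               + '" -cp "$CLASSPATH" org.apache.zookeeper.server.quorum.QuorumPeerMain "$ZOOCFG"')

if __name__ == "__main__":
    print(audit_launcher(CLIENT_LINE))
    print(audit_launcher(SERVER_LINE))
```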
