FWIW - I've had this PR out for a while that makes this situation a lot easier by adding an override. I'd love to see this merged:
https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-2779 <https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-2779> -Jordan > On Oct 18, 2017, at 2:29 AM, Michael Han <[email protected]> wrote: > >>> The way this is set up it seems only a superuser enabled cluster can use > the reconfig command. > > You can also configure the ACL associated with the "/config" znode so your > chosen users have permission to both read and write the config znode, after > they are authenticated (using your favorite authentication scheme built in > ZK, such as SASL). This way you don't have to operate under the credential > of superuser. By default, in 3.5.3 beta the "/config" znode is read only, > which effectively disables reconfig API except for superuser who does not > subject to ACL check. > > On Tue, Oct 17, 2017 at 4:36 PM, Alexander Shraer <[email protected]> wrote: > >> Hi, >> >> Please look for "sc_reconfig_access_control" >> Here: >> https://github.com/apache/zookeeper/blob/master/docs/ >> zookeeperReconfig.html >> >> Thanks, >> Alex >> >> On Tue, Oct 17, 2017 at 3:18 AM, oo4load <[email protected]> wrote: >> >>> I have a 3.5.3 cluster where I am trying out the reconfig command. I am >>> running with reconfigEnabled=true. >>> When I try reconfig I run into an issue with ACL. >>> >>> [zk: localhost:2181(CONNECTED) 9] reconfig -remove 2 >>> Authentication is not valid : >>> >>> The config node is protected: >>> [zk: localhost:2181(CONNECTED) 6] getAcl /zookeeper/config >>> 'world,'anyone >>> : r >>> >>> >>> The way this is set up it seems only a superuser enabled cluster can use >>> the >>> reconfig command. Is that true, or am I missing something ? The >>> documentation never mentioned it. >>> >>> >>> >>> >>> -- >>> Sent from: http://zookeeper-user.578899.n2.nabble.com/ >>> >>
