Yes Chris! Somehow I managed to solve the problem of enabling ACL in all nodes after I set the auth scheme recursively from root.
I had thought that the insufficient permission in the second session of the CLI meant that it loses all auth users we set earlier in the first session before the restart. Hence I used the skipACL flag and set all users for all nodes; this time there is no more insufficient permission error in any session. The vulnerability was also solved.

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 11 Jan, 2022, 00:58 Chris Nauroth, <cnaur...@apache.org> wrote:

> Hello Rinilnath,
>
> I think the reason for "insufficient permission" (on ZooKeeper 3.6.3) is
> not that the ACL isn't persistent across restarts. Instead, I think it's
> because in your second session (second invocation of zkCli), you are not
> authenticating before calling getAcl. Since you are no longer authenticated
> as the "zookeeper" user, the server is correctly enforcing the ACL that was
> created during the first session.
>
> If you repeat the addauth at the start of your second session/second zkCli,
> then I expect it will work, and you'll be able to see the ACL that was
> created in the first session.
>
> Example:
>
> [zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper
> Insufficient permission : /zookeeper
> [zk: localhost:2181(CONNECTED) 1] addauth digest zookeeper:password
> [zk: localhost:2181(CONNECTED) 2] getAcl /zookeeper
> 'digest,'zookeeper:aoWyXhEACEkPu6F+p7w0LmvXvPU=
> : cdrwa
>
> Note that there was no need to repeat the setAcl command, even if the
> server was restarted in between.
>
> I hope this helps.
>
> Chris Nauroth
>
>
> On Thu, Jan 6, 2022 at 11:09 AM Enrico Olivelli <eolive...@gmail.com>
> wrote:
>
> > On Thu 6 Jan 2022, 19:33 rinilnath r <riniln...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Thanks for your reply! Really great to see a hand for help 😊
> > >
> > > Default means my default node, zookeeper is its name.
> > >
> > > Basically, I did these
> > >
> > > 1. addauth digest zookeeper: adminpass
> > > 2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa
> > >
> > > Now getAcl /zookeeper shows correctly the users added.
> > >
> > > Problem is when I restart zkserver, again I connect zkcli and all are
> > > gone.
> > >
> > > getAcl /zookeeper... Will say invalid ACL 3.5.3 or insufficient
> > > permission in 3.6.3
> > >
> > > No clue how to make a persistent set of ACL.
> > > My security compliance is blocked because of this.
> > >
> >
> > Most of the time it is the Java application that sets the ACLs while
> > creating the znode.
> > I can't check your commands now (because I am out)
> >
> > I hope that someone can give more feedback, otherwise I will try to help
> > next week
> >
> > Enrico
> >
> > > Thanks and Regards,
> > > Rinilnath
> > > Mobile#9786285451
> > >
> > > On Thu, 6 Jan, 2022, 22:40 Enrico Olivelli, <eolive...@gmail.com> wrote:
> > >
> > > > On Thu 6 Jan 2022, 14:45 rinilnath r <riniln...@gmail.com> wrote:
> > > >
> > > > > Is this group still valid?
> > > > >
> > > >
> > > > Yes
> > > > This list is still valid.
> > > >
> > > > Probably there are many people still on vacation (like me :) )
> > > >
> > > > Can you please share more information?
> > > >
> > > > What is an 'available zookeeper default node'?
> > > >
> > > > How are you setting ACLs?
> > > >
> > > > Enrico
> > > >
> > > > > I am getting ipage reply for my mail
> > > > >
> > > > > Thanks and Regards,
> > > > > Rinilnath
> > > > > Mobile#9786285451
> > > > >
> > > > > On Thu, 6 Jan, 2022, 17:58 rinilnath r, <riniln...@gmail.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I need to enable ACL in all nodes, as per security compliance.
> > > > > >
> > > > > > These are the things I tried
> > > > > >
> > > > > > 1. addauth digest with specific user
> > > > > > 2. SetAcl on available default zookeeper node
> > > > > >
> > > > > > But after service restart. The getAcl is saying insufficient
> > > > > > permission
> > > > > >
> > > > > > Zookeeper: 3.6.3
> > > > > >
> > > > > > Please help me to do this properly.
> > > > > >
> > > > > > Thanks and Regards,
> > > > > > Rinilnath
> > > > > > Mobile#9786285451
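
The session-scoped behaviour described in this thread, as an added example that is not code from the thread or from the ZooKeeper project: a small Python model of how a digest ACL entry is stored with the znode while the matching auth id exists only in the session that ran `addauth`. The helper names, the password `example-pass`, and the use of `r` as the permission checked for `getAcl` are assumptions of the example.

```python
import base64
import hashlib
import re

def digest_id(user, password):
    """Digest-scheme id as ZooKeeper stores it: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def parse_getacl(text):
    """Parse zkCli getAcl output into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"'([^,]+),'(.*)$", line)
        if m:
            pending = (m.group(1), m.group(2))
        elif line.startswith(":") and pending:
            entries.append(pending + (line[1:].strip(),))
            pending = None
    return entries

def allowed(acl, session_auth, perm):
    """True if an entry grants perm to world:anyone or to an id this session holds."""
    return any(
        perm in perms
        and ((scheme, ident) == ("world", "anyone") or (scheme, ident) in session_auth)
        for scheme, ident, perms in acl
    )

def addauth_digest(session_auth, user, password):
    """Model of 'addauth digest user:password': the id lives only in this session."""
    session_auth.add(("digest", digest_id(user, password)))

def demo():
    # Constructed credentials; the ACL text mimics the getAcl output shape in the thread.
    stored = f"'digest,'{digest_id('zookeeper', 'example-pass')}\n: cdrwa\n"
    acl = parse_getacl(stored)      # stored with the znode, survives a server restart
    second_session = set()          # a new zkCli session starts with no auth ids
    before = allowed(acl, second_session, "r")
    addauth_digest(second_session, "zookeeper", "example-pass")
    after = allowed(acl, second_session, "r")
    wrong = set()
    addauth_digest(wrong, "zookeeper", "wrong-pass")  # id is added but does not match
    return before, after, allowed(acl, wrong, "r")

if __name__ == "__main__":
    print(demo())
```

The ACL entry holds only the SHA-1 digest of `user:password`, so a session proves it may use the entry by presenting credentials that hash to the same id, and it has to do so again in every new session.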