Hi Harold,
  Let me explain the whole concept of ZooKeeper ACLs.

1) ZooKeeper servers are run using some user id, say X.
2) ZooKeeper clients use the ZooKeeper client library to create zookeeper nodes
on zookeeper servers. They could be running as user id C. They can provide
ACLs to create such nodes for their accessibility restrictions. These ACLs
have NOTHING to do with (user id X) or user id C. The access controls are
independent of any user id the client is running with or the server is
running with.
3) A user X can obviously create zookeeper database since he has access to
the local filesystem data that zookeeper is writing snapshots/txns into.

Hope this helps.

On 6/25/09 11:20 AM, "Harold Lim" <rold...@yahoo.com> wrote:

> Hi Henry,
> Does that mean for example, if I own the Zookeeper server and physical machine
> and have lots of clients using this Zookeeper server, I can simply look at the
> logfiles and snapshot files and see all of the information created by those
> clients?
> Thanks,
> Harold
> --- On Thu, 6/25/09, Henry Robinson <he...@cloudera.com> wrote:
>> From: Henry Robinson <he...@cloudera.com>
>> Subject: Re: General Question about Zookeeper
>> To: zookeeper-user@hadoop.apache.org
>> Date: Thursday, June 25, 2009, 2:01 PM
>> Hi Harold,
>> Each ZooKeeper server stores updates to znodes in logfiles, and periodic
>> snapshots of the state of the datatree in snapshot files.
>> A user who has the same permissions as the server will be able to read these
>> files, and can therefore recover the state of the datatree without the ZK
>> server intervening. ACLs are applied only by the server; there is no
>> filesystem-level representation of them.
>> Henry
>> On Thu, Jun 25, 2009 at 6:48 PM, Harold Lim <rold...@yahoo.com> wrote:
>>> Hi All,
>>> How does zookeeper store data/files?
>>> From reading the doc, the clients can put ACL on files/znodes to limit
>>> read/write/create of other clients. However, I was wondering how are these
>>> znodes stored on Zookeeper servers?
>>> I am interested in a security aspect of zookeeper, where the clients and
>>> the servers don't necessarily belong to the same "group". If a client
>>> creates a znode in the zookeeper? Can the person, who owns the zookeeper
>>> server, simply look at its filesystem and read the data (out-of-band, not
>>> using a client, simply browsing the file system of the machine hosting the
>>> zookeeper server)?
>>> Thanks,
>>> Harold

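
Since the thread establishes that znode ACLs exist only inside the server and not on disk, the snapshot and transaction-log directories need their own filesystem protection. The following is an added example, not code from the thread or from the ZooKeeper project: it reads the `dataDir` and `dataLogDir` settings from a `zoo.cfg`, reports anything under them that group or other users can access, and restricts the tree to its owner. The directory layout and file names in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit

def storage_dirs(cfg_text):
    """Extract dataDir / dataLogDir values from zoo.cfg text."""
    dirs = set()
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("dataDir", "dataLogDir"):
            dirs.add(value.strip())
    return sorted(dirs)

def audit(cfg_text):
    """Return (path, mode) for entries that grant group/other any access."""
    findings = []
    for top in storage_dirs(cfg_text):
        for current, _subdirs, files in os.walk(top):
            for path in [current] + [os.path.join(current, f) for f in files]:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if not os.path.islink(path) and mode & LOOSE:
                    findings.append((path, oct(mode)))
    return findings

def tighten(cfg_text):
    """Restrict the storage tree to its owner: 0700 dirs, 0600 files."""
    for top in storage_dirs(cfg_text):
        for current, _subdirs, files in os.walk(top):
            os.chmod(current, 0o700)
            for f in files:
                p = os.path.join(current, f)
                if not os.path.islink(p):
                    os.chmod(p, 0o600)

def demo():
    """Constructed layout: a dataDir holding one snapshot and one txn log."""
    top = tempfile.mkdtemp()
    ver = os.path.join(top, "version-2")
    os.mkdir(ver)
    for name in ("snapshot.0", "log.1"):
        with open(os.path.join(ver, name), "wb") as fh:
            fh.write(b"constructed placeholder, not a real ZooKeeper file")
        os.chmod(os.path.join(ver, name), 0o644)
    cfg = "tickTime=2000\n# constructed zoo.cfg\ndataDir=%s\n" % top
    before = audit(cfg)
    tighten(cfg)
    return before, audit(cfg)
```

Tight modes keep other local accounts out of the files; as the thread notes, the account the server runs as can still read them.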