I cut and paste a little fast there at the end, so obviously no one outside
of Sqrrl has the "zk-digest.sh" script. Here's that in all its gory
detail:
#!/bin/bash
if [ -z ${ZOOKEEPER_HOME} ]; then
echo "Set \$ZOOKEEPER_HOME before running this script"
exit 4747
fi
if [ -z ${JAVA_HOME} ]; then
echo "Set \$JAVA_HOME before running this script"
exit 4747
fi
if [ $# -eq 0 ]; then
echo "usage: zk-digest.sh <digest string>"
echo ""
echo " Utility to produce authentication digests, such as you might see in
ZooKeeper node ACL entries"
echo ""
echo " Example: zk-digest.sh sqrrl:secret"
exit 4747
fi
ZK_CLASSPATH="\
${ZOOKEEPER_HOME}/build/classes:\
${ZOOKEEPER_HOME}/build/lib/*.jar:\
${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\
${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\
${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\
${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\
${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\
${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\
${ZOOKEEPER_HOME}/src/java/lib/*.jar:\
${ZOOKEEPER_HOME}/conf\
"
${JAVA_HOME}/bin/java -Dzookeeper.log.dir="." \
-Dzookeeper.root.logger="INFO,CONSOLE" \
-cp "${ZK_CLASSPATH}" \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.local.only=false \
org.apache.zookeeper.server.auth.DigestAuthenticationProvider $*
On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <mich...@sqrrl.com> wrote:
> Hi Ranjan. If you're doing this on your own development node, or a
> production node you're in full control of, you can add a root password to
> ZooKeeper in order to blow away any nodes you like. Here's a little writeup
> I did about it:
>
> ZooKeeper has security features built into it by way of access control
> lists (ACLs) on nodes. Once set, these ACLs can be very hard to get rid
> of, especially if errant code has set up nodes that you no longer have any
> password for. This how-to guide shows you how to set up a root user inside
> of ZooKeeper that can wipe out any ACLed node.
> Step-by-step guide
>
>
>
> 1. Stop your currently running ZooKeeper. This is either a direct
> $ZOOKEEPER_HOME/bin/zkServer.sh
> stop command or a sudo service zookeeper-server stop command on some
> systest boxes.
> 2.
>
> Edit zkServer.sh and in the following section:
>
> start)
> echo -n "Starting zookeeper ... "
> if [ -f $ZOOPIDFILE ]; then
> if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
> echo $command already running as process `cat $ZOOPIDFILE`.
> exit 0
> fi
> fi
> nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
> "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
> -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT"
> 2>&1 < /dev/null &
>
> Add the line
> -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
> \ within the $JAVA invocation such that the resulting section looks
> like this:
>
> start)
> echo -n "Starting zookeeper ... "
> if [ -f $ZOOPIDFILE ]; then
> if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
> echo $command already running as process `cat $ZOOPIDFILE`.
> exit 0
> fi
> fi
> nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
> "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>
> -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4=
> \
> -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT"
> 2>&1 < /dev/null &
>
> 3. Start ZooKeeper again.
> 4. Log into ZooKeeper via zkCli.sh
> 5. Declare yourself the root user with the following addauth command:
>
> addauth digest super:secret
>
> 6. You should now be able to delete any node and/or change any ACL
> within the ZooKeeper system.
>
>
> Note that you should *NOT* set this setting up on any production system.
> If you need to set up a root user on a production system, you need to
> create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4=stuff
> above is a "digest") linked to a better password than "secret". To make
> your own digest, use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh
> script.
>
> On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <ke...@deenlo.com> wrote:
>
>> Accumulo will work properly if you do not clean it before installing,
>> because each time you init Accumulo it stores the information for the new
>> instance under a new random uuid. For the purpose of cleaning out old
>> UUIDs, its possible each old UUID could have been created with a different
>> password. Maybe thats what happening in your case? I can not remember if
>> the syntax of your addauth command is correct.
>>
>>
>> On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_...@hotmail.com>
>> wrote:
>>
>>> Let me describe the scenario. Accumulo was installed earlier but has
>>> been removed now. Before installing Accumulo I want to clean any ZK node
>>> related to it. Below please see the details. I do not have any node
>>> called 'instances' in ZK. As I could not use addauth and remove the nodes,
>>> I found some doc on using skipACL=YES in zookeeper manual and was wondering
>>> if that may enable me to clean. Thanks for looking at it.
>>>
>>> <property>
>>>
>>> <name>instance.secret</name>
>>>
>>> <value>DEFAULT</value>
>>>
>>>
>>> [zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
>>>
>>> [zk: localhost:2181(CONNECTED) 2] rmr /accumulo
>>>
>>> Authentication is not valid :
>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>
>>> [zk: localhost:2181(CONNECTED) 3] ls /
>>>
>>> [accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm,
>>> brokers, controller_epoch]
>>>
>>> [zk: localhost:2181(CONNECTED) 4] rmr
>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>
>>> Authentication is not valid :
>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>
>>>
>>> [zk: localhost:2181(CONNECTED) 15] getAcl
>>> /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
>>>
>>> 'world,'anyone
>>>
>>> : r
>>>
>>> 'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
>>>
>>> : cdrwa
>>>
>>>
>>>
>>>
>>> > Date: Wed, 1 Oct 2014 22:29:42 -0400
>>> > From: josh.el...@gmail.com
>>> > To: user@accumulo.apache.org
>>> > Subject: Re: Removing 'accumulo' from Zookeeper
>>>
>>> >
>>> > You definitely want "addauth", not "setacl".
>>> >
>>> > "secret" is the value of instance.secret in accumulo-site.xml.
>>> >
>>> > craig w wrote:
>>> > > I'd double check that "secret" is correct and perhaps do you mean to
>>> > > use "addauth"?
>>> > >
>>> > > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_...@hotmail.com
>>> > > <mailto:ranjan_...@hotmail.com>> wrote:
>>> > >
>>> > > Hi Accumulo users,
>>> > >
>>> > > I have a accumulo znode that I want to remove from zookeeper. I
>>> > > tried to use the
>>> > >
>>> > > setAcl digest accumulo:secret
>>> > >
>>> > > but it is not working when I try to remove it
>>> > >
>>> > > [zk: localhost:2181(CONNECTED) 11] rmr
>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>> > >
>>> > > Authentication is not valid :
>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>> > >
>>> > >
>>> > > so I was thinking of using skipACL=YES that I saw in the zookeeper
>>> > > documentation. Any idea if this can be used with zkCli.sh?
>>> > >
>>> > >
>>> > > Ranjan
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > https://github.com/mindscratch
>>> > > https://www.google.com/+CraigWickesser
>>> > > https://twitter.com/mind_scratch
>>> > > https://twitter.com/craig_links
>>>
>>
>>
>
>
> --
>
> *Michael Allen*
> Software Architect | Sqrrl-----------------------------------130 Prospect
> Street | Cambridge, MA 02139415.699.0106 | www.sqrrl.com
> -----------------------------------
>
> The information contained in this communication may be confidential, subject
> to legal privilege, or otherwise protected from disclosure, and is intended
> solely for the use of the intended recipient(s). If you are not the intended
> recipient of this communication, please destroy all copies in your
> possession, notify the sender that you have received this communication in
> error, and note that any review or dissemination of, or the taking of any
> action in reliance on, this communication is expressly prohibited. Please
> note that sqrrl data, INC. reserves the right to intercept, monitor, and
> retain e-mail messages to and from its systems as permitted by applicable law.
>
>
--
*Michael Allen*
Software Architect | Sqrrl-----------------------------------130
Prospect Street | Cambridge, MA 02139415.699.0106 | www.sqrrl.com
-----------------------------------
The information contained in this communication may be confidential,
subject to legal privilege, or otherwise protected from disclosure,
and is intended solely for the use of the intended recipient(s). If
you are not the intended recipient of this communication, please
destroy all copies in your possession, notify the sender that you have
received this communication in error, and note that any review or
dissemination of, or the taking of any action in reliance on, this
communication is expressly prohibited. Please note that sqrrl data,
INC. reserves the right to intercept, monitor, and retain e-mail
messages to and from its systems as permitted by applicable law.
