Michael,

These are great ZK instructions. Have you considered contributing them to
the project upstream? We can converse about this off-list if you'd prefer,
since it's not particularly germane to this topic.

Mike

On Thu, Oct 2, 2014 at 12:50 PM, Michael Allen <mich...@sqrrl.com> wrote:

> I cut and paste a little fast there at the end, so obviously no one
> outside of Sqrrl has the "zk-digest.sh" script.  Here's that in all its
> gory detail:
>
> #!/bin/bash
> # Runs DigestAuthenticationProvider's main(), which prints
> # "user:base64(sha1(user:password))" for each argument, i.e. the form
> # ZooKeeper stores in digest ACL ids and in the superDigest property.
>
> if [ -z "${ZOOKEEPER_HOME}" ]; then
> echo "Set \$ZOOKEEPER_HOME before running this script"
> exit 4747
> fi
>
> if [ -z "${JAVA_HOME}" ]; then
> echo "Set \$JAVA_HOME before running this script"
> exit 4747
> fi
>
> if [ $# -eq 0 ]; then
> echo "usage: zk-digest.sh <digest string>"
> echo ""
> echo "  Utility to produce authentication digests, such as you might see in ZooKeeper node ACL entries"
> echo ""
> echo "  Example: zk-digest.sh sqrrl:secret"
> exit 4747
> fi
>
> ZK_CLASSPATH="\
> ${ZOOKEEPER_HOME}/build/classes:\
> ${ZOOKEEPER_HOME}/build/lib/*.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\
> ${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\
> ${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\
> ${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\
> ${ZOOKEEPER_HOME}/src/java/lib/*.jar:\
> ${ZOOKEEPER_HOME}/conf\
> "
>
> # "$@" rather than $* so a digest string containing spaces reaches Java as one argument
> ${JAVA_HOME}/bin/java -Dzookeeper.log.dir="." \
> -Dzookeeper.root.logger="INFO,CONSOLE" \
> -cp "${ZK_CLASSPATH}" \
> -Dcom.sun.management.jmxremote \
> -Dcom.sun.management.jmxremote.local.only=false \
> org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
>
> On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <mich...@sqrrl.com> wrote:
>
>> Hi Ranjan.  If you're doing this on your own development node, or a
>> production node you're in full control of, you can add a root password to
>> ZooKeeper in order to blow away any nodes you like. Here's a little writeup
>> I did about it:
>>
>> ZooKeeper has security features built into it by way of access control
>> lists (ACLs) on nodes.  Once set, these ACLs can be very hard to get rid
>> of, especially if errant code has set up nodes that you no longer have any
>> password for.  This how-to guide shows you how to set up a root user inside
>> of ZooKeeper that can wipe out any ACLed node.
>> Step-by-step guide
>>
>>    1. Stop your currently running ZooKeeper.  This is either a direct
>>    $ZOOKEEPER_HOME/bin/zkServer.sh stop command or a sudo service
>>    zookeeper-server stop command on some systest boxes.
>>
>>    2. Edit zkServer.sh and in the following section:
>>
>>    start)
>>        echo  -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>             echo $command already running as process `cat $ZOOPIDFILE`.
>>             exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>>    Add the line
>>    -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
>>    within the $JAVA invocation such that the resulting section looks
>>    like this:
>>
>>    start)
>>        echo  -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>             echo $command already running as process `cat $ZOOPIDFILE`.
>>             exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>>    3. Start ZooKeeper again.
>>    4. Log into ZooKeeper via zkCli.sh
>>    5. Declare yourself the root user with the following addauth command:
>>
>>    addauth digest super:secret
>>
>>    6. You should now be able to delete any node and/or change any ACL
>>    within the ZooKeeper system.
>>
>>
>> Note that you should *NOT* set this setting up on any production
>> system.  If you need to set up a root user on a production system, you need
>> to create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4= stuff
>> above is a "digest") linked to a better password than "secret".  To make
>> your own digest, use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh script.
>>
>> On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <ke...@deenlo.com> wrote:
>>
>>> Accumulo will work properly if you do not clean it before installing,
>>> because each time you init Accumulo it stores the information for the new
>>> instance under a new random uuid.  For the purpose of cleaning out old
>>> UUIDs, it's possible each old UUID could have been created with a different
>>> password.  Maybe that's what's happening in your case?  I can not remember if
>>> the syntax of your addauth command is correct.
>>>
>>>
>>> On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_...@hotmail.com>
>>> wrote:
>>>
>>>> Let me describe the scenario. Accumulo was installed earlier but has
>>>> been removed now. Before installing Accumulo I want to clean any ZK node
>>>> related to it.  Below please see the details.  I do not have any node
>>>> called 'instances' in ZK. As I could not use addauth and remove the nodes,
>>>> I found some doc on using skipACL=YES in zookeeper manual and was wondering
>>>> if that may enable me to clean.  Thanks for looking at it.
>>>>
>>>>   <property>
>>>>     <name>instance.secret</name>
>>>>     <value>DEFAULT</value>
>>>>
>>>> [zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
>>>> [zk: localhost:2181(CONNECTED) 2] rmr /accumulo
>>>> Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> [zk: localhost:2181(CONNECTED) 3] ls /
>>>> [accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm, brokers, controller_epoch]
>>>> [zk: localhost:2181(CONNECTED) 4] rmr /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>>
>>>> [zk: localhost:2181(CONNECTED) 15] getAcl /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
>>>> 'world,'anyone
>>>> : r
>>>> 'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
>>>> : cdrwa
>>>>
>>>>
>>>>
>>>> > Date: Wed, 1 Oct 2014 22:29:42 -0400
>>>> > From: josh.el...@gmail.com
>>>> > To: user@accumulo.apache.org
>>>> > Subject: Re: Removing 'accumulo' from Zookeeper
>>>>
>>>> >
>>>> > You definitely want "addauth", not "setacl".
>>>> >
>>>> > "secret" is the value of instance.secret in accumulo-site.xml.
>>>> >
>>>> > craig w wrote:
>>>> > > I'd double check that "secret" is correct and perhaps do you mean
>>>> to
>>>> > > use "addauth"?
>>>> > >
>>>> > > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_...@hotmail.com
>>>> > > <mailto:ranjan_...@hotmail.com>> wrote:
>>>> > >
>>>> > > Hi Accumulo users,
>>>> > >
>>>> > > I have an accumulo znode that I want to remove from zookeeper. I
>>>> > > tried to use the
>>>> > >
>>>> > > setAcl digest accumulo:secret
>>>> > >
>>>> > > but it is not working when I try to remove it
>>>> > >
>>>> > > [zk: localhost:2181(CONNECTED) 11] rmr
>>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > >
>>>> > > Authentication is not valid :
>>>> > > /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > >
>>>> > >
>>>> > > so I was thinking of using skipACL=YES that I saw in the zookeeper
>>>> > > documentation. Any idea if this can be used with zkCli.sh?
>>>> > >
>>>> > >
>>>> > > Ranjan
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > https://github.com/mindscratch
>>>> > > https://www.google.com/+CraigWickesser
>>>> > > https://twitter.com/mind_scratch
>>>> > > https://twitter.com/craig_links
>>>>
>>>
>>>
>>
>>
>> --
>>
>> *Michael Allen*
>> Software Architect | Sqrrl
>> 130 Prospect Street | Cambridge, MA 02139
>> 415.699.0106 | www.sqrrl.com
>> -----------------------------------
>>
>> The information contained in this communication may be confidential, subject 
>> to legal privilege, or otherwise protected from disclosure, and is intended 
>> solely for the use of the intended recipient(s). If you are not the intended 
>> recipient of this communication, please destroy all copies in your 
>> possession, notify the sender that you have received this communication in 
>> error, and note that any review or dissemination of, or the taking of any 
>> action in reliance on, this communication is expressly prohibited.  Please 
>> note that sqrrl data, INC. reserves the right to intercept, monitor, and 
>> retain e-mail messages to and from its systems as permitted by applicable 
>> law.
>>
>>
>
>
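The superDigest how-to and the zk-digest.sh script in the thread both come down to one computation: ZooKeeper's "digest" scheme stores, and later compares against, base64(SHA-1("user:password")) taken over the whole credential string. The Python below is an added example, not code from the thread and not ZooKeeper's or Accumulo's own, that re-implements that computation so a superDigest value can be produced without assembling the Java classpath, and that models how the server checks a session's addauth credential against ACL entries in the format zkCli's getAcl prints. It shows why addauth with an instance.secret that differs from the one the instance was initialised with still leaves rmr failing with "Authentication is not valid". The function names, the sample ACL and the password "hunter2" are constructed for this example.

```python
"""ZooKeeper "digest" credentials: generate them and check them against znode ACLs.

Added example; not code from the thread, from ZooKeeper or from Accumulo.  It
re-implements what org.apache.zookeeper.server.auth.DigestAuthenticationProvider
.generateDigest() does, base64(SHA-1("user:password")) over the whole string, and
models how the server compares a session's "addauth digest" credential with the
digest ids stored in an ACL.  Function names, the sample ACL and the password
"hunter2" are constructed for this example.
"""
import base64
import hashlib
from typing import List, Optional, Tuple

# Permission letters in the order zkCli prints them: create, delete, read, write, admin.
PERMS = "cdrwa"

AclEntry = Tuple[str, str, str]  # (scheme, id, perms)


def generate_digest(id_password: str) -> str:
    """Return "user:<base64(sha1(user:password))>", the form stored in digest ACL ids.

    The hash covers the entire "user:password" string and is unsalted, so the stored
    value is only as strong as the password behind it.
    """
    user = id_password.partition(":")[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def super_digest_property(password: str, user: str = "super") -> str:
    """JVM system property that makes `addauth digest user:password` the ACL-bypassing super user."""
    return "-Dzookeeper.DigestAuthenticationProvider.superDigest=" + generate_digest(user + ":" + password)


def parse_getacl(text: str) -> List[AclEntry]:
    """Parse zkCli getAcl output, which alternates "'scheme,'id" and ": perms" lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[AclEntry] = []
    for id_line, perm_line in zip(lines[0::2], lines[1::2]):
        scheme, _, ident = id_line.partition(",")
        entries.append((scheme.lstrip("'"), ident.lstrip("'"), perm_line.lstrip(":").strip()))
    return entries


def is_permitted(acl: List[AclEntry], perm: str, credential: Optional[str] = None,
                 super_digest: Optional[str] = None) -> bool:
    """Would a session that ran "addauth digest <credential>" (or nothing) get permission `perm`?

    world:anyone entries apply to every session; a digest entry matches only when the
    digest of the supplied credential equals the stored id (the server holds the digest,
    never the password); a credential whose digest equals the configured superDigest
    skips the ACL check entirely.
    """
    if perm not in PERMS:
        raise ValueError("unknown permission %r" % perm)
    cred_digest = generate_digest(credential) if credential else None
    if super_digest is not None and cred_digest == super_digest:
        return True
    for scheme, ident, perms in acl:
        if perm not in perms:
            continue
        if scheme == "world" and ident == "anyone":
            return True
        if scheme == "digest" and cred_digest == ident:
            return True
    return False


if __name__ == "__main__":
    # Constructed ACL in getAcl's format, as Accumulo would leave it under /accumulo/<uuid>/
    # if instance.secret had been "hunter2" when that instance was initialised.
    instance_cred = "accumulo:hunter2"
    sample_acl = parse_getacl(
        "'world,'anyone\n: r\n'digest,'%s\n: cdrwa\n" % generate_digest(instance_cred)
    )
    print(super_digest_property("secret"))
    print("rmr after addauth accumulo:DEFAULT ->", is_permitted(sample_acl, "d", "accumulo:DEFAULT"))
    print("rmr after addauth accumulo:hunter2 ->", is_permitted(sample_acl, "d", instance_cred))
    print("ls with no addauth at all          ->", is_permitted(sample_acl, "r"))
```

Two practical points follow from the computation. First, the stored id is an unsalted SHA-1 of user:password, and the getAcl output in the thread shows it readable by world:anyone, so anyone who can read the znode can guess against it offline; that is the concrete reason "secret" is a poor super password, and the superDigest credential should be handled as the ZooKeeper root password. Second, the -D property does not have to be patched into zkServer.sh: zkEnv.sh sources $ZOOCFGDIR/java.env when it exists, and zkServer.sh passes $JVMFLAGS to the JVM, so the same setting can be put in JVMFLAGS there and survive an upgrade of the scripts.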
