Michael,

These are great ZK instructions. Have you considered contributing them to the project upstream? We can converse about this off-list if you'd prefer, since it's not particularly germane to this topic.

Mike

On Thu, Oct 2, 2014 at 12:50 PM, Michael Allen <mich...@sqrrl.com> wrote:
> I cut and paste a little fast there at the end, so obviously no one
> outside of Sqrrl has the "zk-digest.sh" script. Here's that in all its
> gory detail:
>
> #!/bin/bash
>
> if [ -z "${ZOOKEEPER_HOME}" ]; then
>     echo "Set \$ZOOKEEPER_HOME before running this script"
>     exit 4747
> fi
>
> if [ -z "${JAVA_HOME}" ]; then
>     echo "Set \$JAVA_HOME before running this script"
>     exit 4747
> fi
>
> if [ $# -eq 0 ]; then
>     echo "usage: zk-digest.sh <digest string>"
>     echo ""
>     echo "  Utility to produce authentication digests, such as you might see in ZooKeeper node ACL entries"
>     echo ""
>     echo "  Example: zk-digest.sh sqrrl:secret"
>     exit 4747
> fi
>
> ZK_CLASSPATH="\
> ${ZOOKEEPER_HOME}/build/classes:\
> ${ZOOKEEPER_HOME}/build/lib/*.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-log4j12-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/slf4j-api-1.6.1.jar:\
> ${ZOOKEEPER_HOME}/lib/netty-3.2.2.Final.jar:\
> ${ZOOKEEPER_HOME}/lib/log4j-1.2.15.jar:\
> ${ZOOKEEPER_HOME}/lib/jline-0.9.94.jar:\
> ${ZOOKEEPER_HOME}/zookeeper-3.4.5.jar:\
> ${ZOOKEEPER_HOME}/src/java/lib/*.jar:\
> ${ZOOKEEPER_HOME}/conf\
> "
>
> "${JAVA_HOME}/bin/java" -Dzookeeper.log.dir="." \
>     -Dzookeeper.root.logger="INFO,CONSOLE" \
>     -cp "${ZK_CLASSPATH}" \
>     -Dcom.sun.management.jmxremote \
>     -Dcom.sun.management.jmxremote.local.only=false \
>     org.apache.zookeeper.server.auth.DigestAuthenticationProvider "$@"
>
> On Thu, Oct 2, 2014 at 1:48 PM, Michael Allen <mich...@sqrrl.com> wrote:
>
>> Hi Ranjan. If you're doing this on your own development node, or a
>> production node you're in full control of, you can add a root password to
>> ZooKeeper in order to blow away any nodes you like. Here's a little writeup
>> I did about it:
>>
>> ZooKeeper has security features built into it by way of access control
>> lists (ACLs) on nodes. Once set, these ACLs can be very hard to get rid
>> of, especially if errant code has set up nodes that you no longer have any
>> password for. This how-to guide shows you how to set up a root user inside
>> of ZooKeeper that can wipe out any ACLed node.
>>
>> Step-by-step guide
>>
>> 1. Stop your currently running ZooKeeper. This is either a direct
>>    $ZOOKEEPER_HOME/bin/zkServer.sh stop command or a
>>    sudo service zookeeper-server stop command on some systest boxes.
>>
>> 2. Edit zkServer.sh and in the following section:
>>
>>    start)
>>        echo -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>            echo $command already running as process `cat $ZOOPIDFILE`.
>>            exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>>    Add the line
>>    -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
>>    within the $JAVA invocation such that the resulting section looks
>>    like this:
>>
>>    start)
>>        echo -n "Starting zookeeper ... "
>>        if [ -f $ZOOPIDFILE ]; then
>>          if kill -0 `cat $ZOOPIDFILE` > /dev/null 2>&1; then
>>            echo $command already running as process `cat $ZOOPIDFILE`.
>>            exit 0
>>          fi
>>        fi
>>        nohup $JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
>>        -Dzookeeper.DigestAuthenticationProvider.superDigest=super:lK75jTNcA+U9vtVEw5vB51mj/w4= \
>>        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
>>
>> 3. Start ZooKeeper again.
>>
>> 4. Log into ZooKeeper via zkCli.sh
>>
>> 5. Declare yourself the root user with the following addauth command:
>>
>>    addauth digest super:secret
>>
>> 6. You should now be able to delete any node and/or change any ACL
>>    within the ZooKeeper system.
>>
>> Note that you should *NOT* set this setting up on any production
>> system. If you need to set up a root user on a production system, you need
>> to create a different digest (the super:lK75jTNcA+U9vtVEw5vB51mj/w4= stuff
>> above is a "digest") linked to a better password than "secret". To make
>> your own digest, use the $SQRRL_HOME/tools/useful-scripts/zk-digest.sh
>> script.
>>
>> On Thu, Oct 2, 2014 at 11:39 AM, Keith Turner <ke...@deenlo.com> wrote:
>>
>>> Accumulo will work properly if you do not clean it before installing,
>>> because each time you init Accumulo it stores the information for the new
>>> instance under a new random uuid. For the purpose of cleaning out old
>>> UUIDs, it's possible each old UUID could have been created with a different
>>> password. Maybe that's what's happening in your case? I can not remember if
>>> the syntax of your addauth command is correct.
>>>
>>> On Wed, Oct 1, 2014 at 11:06 PM, Ranjan Sen <ranjan_...@hotmail.com> wrote:
>>>
>>>> Let me describe the scenario. Accumulo was installed earlier but has
>>>> been removed now. Before installing Accumulo I want to clean any ZK node
>>>> related to it. Below please see the details. I do not have any node
>>>> called 'instances' in ZK. As I could not use addauth and remove the nodes,
>>>> I found some doc on using skipACL=YES in zookeeper manual and was wondering
>>>> if that may enable me to clean. Thanks for looking at it.
>>>>
>>>> <property>
>>>>   <name>instance.secret</name>
>>>>   <value>DEFAULT</value>
>>>>
>>>> [zk: localhost:2181(CONNECTED) 1] addauth digest accumulo:DEFAULT
>>>> [zk: localhost:2181(CONNECTED) 2] rmr /accumulo
>>>> Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> [zk: localhost:2181(CONNECTED) 3] ls /
>>>> [accumulo, admin, zookeeper, consumers, config, hbase-unsecure, storm, brokers, controller_epoch]
>>>> [zk: localhost:2181(CONNECTED) 4] rmr /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>>
>>>> [zk: localhost:2181(CONNECTED) 15] getAcl /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users
>>>> 'world,'anyone
>>>> : r
>>>> 'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=
>>>> : cdrwa
>>>>
>>>> > Date: Wed, 1 Oct 2014 22:29:42 -0400
>>>> > From: josh.el...@gmail.com
>>>> > To: user@accumulo.apache.org
>>>> > Subject: Re: Removing 'accumulo' from Zookeeper
>>>> >
>>>> > You definitely want "addauth", not "setacl".
>>>> >
>>>> > "secret" is the value of instance.secret in accumulo-site.xml.
>>>> >
>>>> > craig w wrote:
>>>> > > I'd double check that "secret" is correct and perhaps do you mean
>>>> > > to use "addauth"?
>>>> > >
>>>> > > On Wed, Oct 1, 2014 at 8:10 PM, Ranjan Sen <ranjan_...@hotmail.com
>>>> > > <mailto:ranjan_...@hotmail.com>> wrote:
>>>> > >
>>>> > > > Hi Accumulo users,
>>>> > > >
>>>> > > > I have an accumulo znode that I want to remove from zookeeper. I
>>>> > > > tried to use the
>>>> > > >
>>>> > > > setAcl digest accumulo:secret
>>>> > > >
>>>> > > > but it is not working when I try to remove it
>>>> > > >
>>>> > > > [zk: localhost:2181(CONNECTED) 11] rmr /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > > > Authentication is not valid : /accumulo/31d38c2a-3a26-49b3-a786-42d7e1e5d2b0/users/root
>>>> > > >
>>>> > > > so I was thinking of using skipACL=YES that I saw in the zookeeper
>>>> > > > documentation. Any idea if this can be used with zkCli.sh?
>>>> > > >
>>>> > > > Ranjan
>>>> > >
>>>> > > --
>>>> > > https://github.com/mindscratch
>>>> > > https://www.google.com/+CraigWickesser
>>>> > > https://twitter.com/mind_scratch
>>>> > > https://twitter.com/craig_links
>>
>> --
>> *Michael Allen*
>> Software Architect | Sqrrl
>> -----------------------------------
>> 130 Prospect Street | Cambridge, MA 02139
>> 415.699.0106 | www.sqrrl.com
>> -----------------------------------
>>
>> The information contained in this communication may be confidential, subject
>> to legal privilege, or otherwise protected from disclosure, and is intended
>> solely for the use of the intended recipient(s). If you are not the intended
>> recipient of this communication, please destroy all copies in your
>> possession, notify the sender that you have received this communication in
>> error, and note that any review or dissemination of, or the taking of any
>> action in reliance on, this communication is expressly prohibited. Please
>> note that sqrrl data, INC. reserves the right to intercept, monitor, and
>> retain e-mail messages to and from its systems as permitted by applicable
>> law.
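The thread relies on two facts about ZooKeeper's digest scheme: the string after `superDigest=` (and the id in a `'digest,'...` ACL entry) is `user:` followed by the base64 SHA-1 of the whole `user:password` string, and Keith's point is that a stale instance znode may have been created under a different `instance.secret` than the one now in accumulo-site.xml. The example below is added here and is not code from the thread or from Accumulo/ZooKeeper; it reproduces the digest without the Java classpath dance in zk-digest.sh, parses zkCli `getAcl` output, and reports which of your own previous `instance.secret` values a given digest ACL entry was created with. The sample ACL and the password `oldsecret` are constructed.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple


def zk_digest(user: str, password: str) -> str:
    """Same scheme as DigestAuthenticationProvider.generateDigest: SHA-1 over
    the whole "user:password" string, base64-encoded, prefixed with "user:"."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def parse_getacl(output: str) -> List[Tuple[str, str, str]]:
    """Parse zkCli 'getAcl' output into (scheme, id, perms) triples. zkCli
    prints each entry as a "'scheme,'id" line followed by a ": perms" line."""
    entries, pending = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("'") and "," in line:
            scheme, ident = line.split(",", 1)
            pending = (scheme.lstrip("'"), ident.lstrip("'"))
        elif line.startswith(":") and pending is not None:
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def find_matching_secret(output: str, user: str,
                         candidates: List[str]) -> Dict[str, Optional[str]]:
    """For every digest ACL entry belonging to `user`, report which candidate
    instance.secret (if any) reproduces the stored digest; None means no
    candidate matches, i.e. the node was created under some other secret."""
    result: Dict[str, Optional[str]] = {}
    for scheme, ident, _perms in parse_getacl(output):
        if scheme != "digest" or not ident.startswith(user + ":"):
            continue
        result[ident] = next((p for p in candidates
                              if zk_digest(user, p) == ident), None)
    return result


# Constructed sample, shaped like Ranjan's getAcl output, but with a digest
# entry created under the constructed secret "oldsecret" rather than "DEFAULT".
SAMPLE_ACL = "\n".join([
    "'world,'anyone",
    ": r",
    f"'digest,'{zk_digest('accumulo', 'oldsecret')}",
    ": cdrwa",
])

if __name__ == "__main__":
    print(zk_digest("super", "secret"))  # compare with the superDigest value quoted above
    print(find_matching_secret(SAMPLE_ACL, "accumulo", ["DEFAULT", "oldsecret"]))
```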