It need to restart the zk server to enable the super user, right? If so, it
won't help. Because the zk cluster is serving online. We can't stop and
restart the service.
Here are the things I did according to the document, but it didn't work.
My zk cluster contains 4 machines. I select one of them and change the
zookeeper/bin/zkCli.sh on it. A new line is added like the following code:
$JAVA "-Dzookeeper.log.dir=${ZOO_LOG_DIR}"
"-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
"-Dzookeeper.DigestAuthenticationProvider.superDigest='super:VQ6+KW+63miPakJ
Fh8f+1Gwv62s='" \ // this line is new added
-cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS \
org.apache.zookeeper.ZooKeeperMain $@
super:VQ6+KW+63miPakJFh8f+1Gwv62s= is the digest data.
Then I run ./zkCli.sh to connect to the server, and
addauth digest super:<password>
But I still can't change the ACL of /Apple/Boy znode because of ACL
So, I guess I need to restart all the 4 zk servers to make the
zookeeper.DigestAuthenticationProvider.superDigest property taken into
effect.
Am I right?
Liwei
-----邮件原件-----
发件人: John Sirois [mailto:[email protected]]
发送时间: 2012年6月29日 18:40
收件人: [email protected]
抄送: [email protected]; [email protected]
主题: Re: Can't remove a znode because of ACL issue.
Sent from my iPhone
On Jun 29, 2012, at 3:34 AM, sun liwei <[email protected]> wrote:
> I have the following znodes in zk:
>
> /Apple/Boy/Cat
>
> And the ACL of these three znodes are:
>
> / world:anyone:cdrwa
> /App world:anyone:cdrwa
> /Apple/Boy world:anyone:cdrwa
> /Apple/Boy/Cat world:anyone:cdrwa
>
> Then I change the ACL of /Apple/Boy znode from cdrwa to r (this is a
> mistake):
>
> / world:anyone:cdrwa
> /App world:anyone:cdrwa
> /Apple/Boy world:anyone:r
> /Apple/Boy/Cat world:anyone:cdrwa
>
> Now, I have a problem to delete the /Apple/Boy znode. Before
> /Apple/Boy is deleted, I should delete /Apple/Boy/Cat, but
> /Apple/Boy/Cat can't be deleted according to the ACL of /Apple/Boy which
is 'r' (readonly).
>
> So, is there any way to delete the znode /Apple/Boy or recovery the
> its ACL to 'cdrwa'?
You can fabricate super user credentials and then enable the super user in
your cluster's configs. After rolling the cluster you can authenticate as
super and then do as you will with any node. See
http://zookeeper.apache.org/doc/r3.2.2/zookeeperAdmin.html#sc_authOptions
>
> Thanks in advance.
> Liwei
