Hello Patrick, Thanks for reply! That feature would be appreciated, but it's not what I had in mind, it would not be sufficient.
I need a way to change credentials without ZK client or cluster downtime, ideally with no ACL changes. Option of configuring two valid passwords for same user would help - then I could along with old password configure new one, roll ZK cluster with new settings, and then gradually roll out new credentials to all different clients, later remove old expired password. In one ZK client app, both zkclient and curator client libraries are being used to access two different ZK subtrees. I managed to configure each client to set ACLs appropriate for each subtree, but I couldn't find way yet to configure each client with different user, with sasl scheme. So had to fallback to single user. Still ACLs are different in the two subtrees. One subtree allows world to read, and creator all permissions. Other subtree just allows creator all permissions. It would help with credentials expiration if I could instead of (creator, all permissions) ACLs, set (any authenticated user, all permissions) ACL, while still keeping ACL for first subtree that world can read it. If it was possible, I'd expire not only password but replace it with new user, and no changes to ACLs would be needed. Thinking again, even if it was possible to set such ACL (any authenticated user, all permissions) in ZK nodes, it wouldn't help me now, since I cannot configure it to all clients managing nodes in subtree, some have ACLs that they set hardcoded, would have to fork large OSS project which is not really an option, and making ACL configurable in that OSS project would take some time. Kind regards, Stevo Slavic. On Thu, Feb 2, 2017 at 4:39 PM, Patrick Hunt <ph...@apache.org> wrote: Hi Stevo, you might be talking about one of the following variants? (see the jiras linked to from this jira) https://issues.apache.org/jira/browse/ZOOKEEPER-1634 Patrick On Thu, Feb 2, 2017 at 4:38 AM, Stevo Slavić <ssla...@gmail.com> wrote: > Alternatively, is it possible to set ACL that would grant given permissions > to any successfully authenticated user? > > On Wed, Feb 1, 2017 at 1:16 PM, Stevo Slavić <ssla...@gmail.com> wrote: > > > Hello Apache ZooKeeper community, > > > > Is it valid in JAAS config file to associate more than one password per > > user, and if so, will ZooKeeper server authenticate user correctly if > > provided password matches any of the configured ones? > > > > Kind regards, > > Stevo Slavic. > > >
