Thanks Jordan, that was very helpful indeed! So, setAcl is the only thing that matters in terms of setting ACLs for ZooKeeper.

My next question is very zkCli specific. One of the software packages I am running sets the ACLs ZOO_AUTH_IDS + ZOO_READ_ACL_UNSAFE programmatically while creating the new znode, and I have to mimic the auth it sets using zkCli. That means I have to translate ZOO_AUTH_IDS (('auth',''), ZOO_AUTH_IDS empty identity string should be interpreted as "the identity of the creator".) to scheme:id:perm for zkCli. I tried two different setAcls:

1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you don't need pwd)
2) setAcl /mesos auth::cdrwa

Only the second one gives me 'auth','' (empty string). Is this how you set ZOO_AUTH_IDS with zkCli?

Thanks
Megha

On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <[email protected]> wrote:

> AddAuth sets the authorization value for the current connection. It's the client-side portion of the ACL spec. What you want is "setAcl".
>
> setAcl [-s] [-v version] path acl
>
> -Jordan
>
> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <[email protected]> wrote:
> >
> > Thanks Jordan
> > That was my understanding as well, wanted to make sure that setting acls doesn't need zkServer restart. The way I am setting the acls could be faulty then, I am trying to set the acl ZOO_AUTH_IDS and ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS translates to ('auth','') and empty identity string should be interpreted as "the identity of the creator". I have tried both empty identity string (2) and with credentials (1) with zkCli and I am not sure which is the correct way of achieving ZOO_AUTH_IDS.
> >
> > 1) addauth digest user:pwd
> > setAcl /mesos world:anyone:r,auth::crdwa
> >
> > 2) addauth digest user:pwd
> > setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
> >
> > Thanks
> > Megha
> >
> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <[email protected]> wrote:
> >
> >>> I have been trying to set acls with zkCli and it seems like the acls don't take effect until all the zkServers are restarted. Do the acls need zkServer restart?
> >>
> >> No. ACL changes take effect immediately. It's a ZNode modification like any other. Do you have an example of the problem?
> >>
> >> -Jordan
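
An added example, not part of the thread and not ZooKeeper's own code: it parses the scheme:id:perm strings tried above into (perms, scheme, id) entries and compares them with ZOO_AUTH_IDS + ZOO_READ_ACL_UNSAFE. Assumptions: the entry is split at its first and last colon (modelled on zkCli's behaviour), the permission bit values follow ZooDefs.Perms, and the creator entry carries all permissions, as the cdrwa in the thread suggests.

```python
# Added example, not from the thread. Permission bit values follow ZooKeeper's
# ZooDefs.Perms; the first-colon/last-colon split is an assumption about zkCli.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
PERM_ALL = 31

# The two C-client constants named in the thread.
ZOO_AUTH_IDS = ("auth", "")                      # (scheme, id)
ZOO_READ_ACL_UNSAFE = [(PERM_BITS["r"], "world", "anyone")]
# Assumed target: creator gets all permissions, everyone else gets read.
TARGET = {(PERM_ALL, *ZOO_AUTH_IDS)} | set(ZOO_READ_ACL_UNSAFE)


def parse_acl(acl_string):
    """Turn 'scheme:id:perm,scheme:id:perm' into a set of (perms, scheme, id)."""
    entries = set()
    for part in acl_string.split(","):
        first, last = part.find(":"), part.rfind(":")
        if first == -1 or first == last:
            raise ValueError(f"{part!r} does not have the form scheme:id:perm")
        # Everything between the first and last colon is the id, so an id
        # may itself contain colons (e.g. 'user:pwd').
        scheme, ident, letters = part[:first], part[first + 1:last], part[last + 1:]
        perms = 0
        for ch in letters:
            if ch not in PERM_BITS:
                # Strict by choice in this example.
                raise ValueError(f"unknown permission {ch!r} in {part!r}")
            perms |= PERM_BITS[ch]
        entries.add((perms, scheme, ident))
    return entries


def matches_target(acl_string):
    """True when the string yields exactly the assumed target ACL."""
    return parse_acl(acl_string) == TARGET


if __name__ == "__main__":
    # The four ACL strings that appear in the thread.
    for s in ("world:anyone:r,auth::crdwa",
              "world:anyone:r,auth:user:pwd:cdrwa",
              "auth:zk:cdrwa",
              "auth::cdrwa"):
        print(f"{s:38} -> {sorted(parse_acl(s))} target={matches_target(s)}")
```

This only models how the client-side string maps to an ACL entry; what the server stores for the auth scheme depends on the identities added with addauth on that connection.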
