Addition to my previous mail.

From the zookeeper doc, I understand that you don't need to provide id for auth scheme, but if you just do "setAcl /znode auth:crdwa" with zkCli then it complains that auth:crdwa does not have the form scheme:id:perm, so I have been using the two approaches where I leave the id part for auth either empty "setAcl /mesos auth::cdrwa" or provide the id "setAcl /mesos auth:zk:cdrwa", so I am not sure which one correctly translates to ZOO_AUTH_IDS.

Thanks
Megha

From the doc

On Wed, Feb 8, 2017 at 1:35 PM, Megha Sharma <[email protected]> wrote:

> Thanks Jordan,
> that was very helpful indeed!
> So, setAcl is the only thing that matters in terms of setting acls for
> zookeeper.
>
> My next question is very zkCli specific.
>
> One of the softwares I am running sets acls ZOO_AUTH_IDS +
> ZOO_READ_ACL_UNSAFE programmatically while creating the new znode and I
> have to mimic the auth it sets using zkCli.
>
> That means I have to translate ZOO_AUTH_IDS ((‘auth’,’’), ZOO_AUTH_IDS
> empty identity string should be interpreted as “the identity of the
> creator”.) to scheme:id:perm for zkCli. I tried two different setAcls
>
> 1) setAcl /mesos auth:zk:cdrwa (where zk is my id and in auth scheme you
> don't need pwd)
>
> 2) setAcl /mesos auth::cdrwa
>
> Only the second one gives me ‘auth’,’’ (empty string). Is this how you set
> ZOO_AUTH_IDS with zkCli?
>
> Thanks
> Megha
>
> On Wed, Feb 8, 2017 at 12:03 PM, Jordan Zimmerman <[email protected]> wrote:
>
>> AddAuth sets the authorization value for the current connection. It's the
>> client-side portion of the ACL spec. What you want is "setAcl".
>>
>> setAcl [-s] [-v version] path acl
>>
>> -Jordan
>>
>> > On Feb 8, 2017, at 1:52 PM, Megha Sharma <[email protected]> wrote:
>> >
>> > Thanks Jordan
>> > That was my understanding as well, wanted to make sure that setting acls
>> > doesn't need zkServer restart. The way I am setting the acls could be
>> > faulty then, I am trying to set the acl ZOO_AUTH_IDS and
>> > ZOO_READ_ACL_UNSAFE using zkCli. According to zookeeper doc, ZOO_AUTH_IDS
>> > translates to (‘auth’,’’) and empty identity string should be interpreted
>> > as “the identity of the creator”. I have tried both empty identity string
>> > (2) and with credentials (1) with zkCli and I am not sure which is the
>> > correct way of achieving ZOO_AUTH_IDS.
>> >
>> > 1) addauth digest user:pwd
>> > setAcl /mesos world:anyone:r,auth::crdwa
>> >
>> > 2) addauth digest user:pwd
>> > setAcl /mesos world:anyone:r,auth:user:pwd:cdrwa
>> >
>> > Thanks
>> > Megha
>> >
>> > On Wed, Feb 8, 2017 at 7:27 AM, Jordan Zimmerman <[email protected]> wrote:
>> >
>> >>> I have been trying to set acls with zkCli and it seems like the acls don’t
>> >>> take effect until all the zkServers are restarted. Do the acls need
>> >>> zkServer restart?
>> >>
>> >> No. ACL changes take effect immediately. It's a ZNode modification like
>> >> any other. Do you have an example of the problem?
>> >>
>> >> -Jordan
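
An added example, not part of the original thread and not ZooKeeper's own code: a Python model of how a `scheme:id:perm` string from the messages above is split, assuming the scheme ends at the first colon and the permissions start after the last colon. The function names and the error class are hypothetical.

```python
# Added illustration; not ZooKeeper source code.
# Assumption: the scheme ends at the first ':' and the permission letters
# start after the last ':', so everything in between is the id.

# Permission letters and their bit values (READ, WRITE, CREATE, DELETE, ADMIN).
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


class AclFormatError(ValueError):
    """Raised when an entry cannot be split into scheme, id and perms."""


def parse_acl_entry(entry):
    """Split one entry into (scheme, id, permission bitmask)."""
    first = entry.find(":")
    last = entry.rfind(":")
    # Fewer than two colons: there is no separate id field at all.
    if first == -1 or first == last:
        raise AclFormatError(f"{entry} does not have the form scheme:id:perm")
    scheme = entry[:first]
    ident = entry[first + 1:last]  # may be empty, may itself contain ':'
    perms = 0
    for letter in entry[last + 1:]:
        if letter not in PERM_BITS:
            raise AclFormatError(f"unknown permission letter {letter!r} in {entry}")
        perms |= PERM_BITS[letter]
    return scheme, ident, perms


def parse_acl(acl_string):
    """Parse a comma-separated ACL argument as given to setAcl."""
    return [parse_acl_entry(e) for e in acl_string.split(",")]


if __name__ == "__main__":
    # The ACL strings quoted in the thread.
    samples = [
        "auth:crdwa",
        "auth::cdrwa",
        "auth:zk:cdrwa",
        "world:anyone:r,auth:user:pwd:cdrwa",
    ]
    for acl in samples:
        try:
            print(f"{acl!r:40} -> {parse_acl(acl)}")
        except AclFormatError as err:
            print(f"{acl!r:40} -> rejected: {err}")
```

This models only how the string is split on the client side; it does not show how the server resolves the id of an `auth` entry.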
