Hello Rinilnath, I think the reason for "insufficient permission" (on ZooKeeper 3.6.3) is not that the ACL isn't persistent across restarts. Instead, I think it's because in your second session (second invocation of zkCli), you are not authenticating before calling getAcl. Since you are no longer authenticated as the "zookeeper" user, the server is correctly enforcing the ACL that was created during the first session.
If you repeat the addauth at the start of your second session/second zkCli, then I expect it will work, and you'll be able to see the ACL that was created in the first session. Example: [zk: localhost:2181(CONNECTED) 0] getAcl /zookeeper Insufficient permission : /zookeeper [zk: localhost:2181(CONNECTED) 1] addauth digest zookeeper:password [zk: localhost:2181(CONNECTED) 2] getAcl /zookeeper 'digest,'zookeeper:aoWyXhEACEkPu6F+p7w0LmvXvPU= : cdrwa Note that there was no need to repeat the setAcl command, even if the server was restarted in between. I hope this helps. Chris Nauroth On Thu, Jan 6, 2022 at 11:09 AM Enrico Olivelli <[email protected]> wrote: > Il Gio 6 Gen 2022, 19:33 rinilnath r <[email protected]> ha scritto: > > > Hi, > > > > Thanks for your reply! Really great to see a hand for help 😊 > > > > Default means my default node , zookeeper is its name. > > > > Basically, I did these > > > > 1. addauth digest zookeeper: adminpass > > 2. setAcl /zookeeper auth: zookeeper: adminpass:cdrwa > > > > Now getAcl /zookeeper, shows correctly the users added. > > > > Problem is when I restart zkserver, again I connect zkcli and all are > gone. > > > > getAcl /zookeeper... Will say invalid ACL 3.5.3 or insufficient > permission > > in 3.6.3 > > > > No clue how to make a persistent set of ACL. > > My security compliance is blocked because of this. > > > > Most of the times it is the Java application that sets the acls while > creating the znode. > I can't check your commands now (because I am out) > > I hope that someone can give more feedback, otherwise I will try to help > next week > > > Enrico > > > > > > > > > Thanks and Regards, > > Rinilnath > > Mobile#9786285451 > > > > On Thu, 6 Jan, 2022, 22:40 Enrico Olivelli, <[email protected]> wrote: > > > > > Il Gio 6 Gen 2022, 14:45 rinilnath r <[email protected]> ha scritto: > > > > > > > Is this group still valid? > > > > > > > > > > Yes > > > This list is still valid. > > > > > > Probably there are many people still on vacation (like me :) ) > > > > > > Can you please share more information? > > > > > > What is it a 'available zookeeper default node'? > > > > > > How are you setting acls? > > > > > > > > > > > > Enrico > > > > > > > > > I am getting ipage reply for my mail > > > > > > > > Thanks and Regards, > > > > Rinilnath > > > > Mobile#9786285451 > > > > > > > > On Thu, 6 Jan, 2022, 17:58 rinilnath r, <[email protected]> wrote: > > > > > > > > > > > > > > Hi, > > > > > > > > > > I need to enable ACL in all nodes, as per security compliance. > > > > > > > > > > These are the things I tried > > > > > > > > > > 1. addauth digest with specific user > > > > > 2. SetAcl on available default zookeeper node > > > > > > > > > > But after service restart. The getAcl is saying insufficient > > permission > > > > > > > > > > Zookeeper: 3.6.3 > > > > > > > > > > Please help me to do this properly. > > > > > > > > > > Thanks and Regards, > > > > > Rinilnath > > > > > Mobile#9786285451 > > > > > > > > > > > > > > >
