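While setting a node ACL on the ZooKeeper cluster in our QA environment, I made a mistake (
setAcl /dcc ip:10.203.25.0:rwcda), which left the /dcc node inaccessible. Fortunately, ZooKeeper lets you configure a superuser, and the superuser bypasses every ACL, so there was a way to recover.
The official documentation describes how to use it: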
Authentication & Authorization Options
The options in this section allow control over authentication/authorization performed by the service.
- zookeeper.DigestAuthenticationProvider.superDigest
  (Java system property only: zookeeper.DigestAuthenticationProvider.superDigest)
By default this feature is disabled
New in 3.2: Enables a ZooKeeper ensemble administrator to access the znode hierarchy as a "super" user. In particular no ACL checking occurs for a user authenticated as super.
org.apache.zookeeper.server.auth.DigestAuthenticationProvider can be used to generate the superDigest, call it with one parameter of "super:<password>". Provide the generated "super:<data>" as the system property value when starting each server of the ensemble.
When authenticating to a ZooKeeper server (from a ZooKeeper client) pass a scheme of "digest" and authdata of "super:<password>". Note that digest auth passes the authdata in plaintext to the server, it would be prudent to use this authentication method only on localhost (not over the network) or over an encrypted connection.
Because this option can only be set as a Java system property, edit bin/zkServer.sh and add the property to the nohup line:
nohup "$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
"-Dzookeeper.DigestAuthenticationProvider.superDigest=super:xuMpP27D5OPqQ/YWKMzaM8RmnXI=" \
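The password here is Pass1234; the digest is produced with the same algorithm that the digest scheme uses in ACLs.
After restarting, run the following in the zkCli client: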
addauth digest super:Pass1234
After that, you can work with the znodes freely, regardless of their ACLs.
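The superDigest value used in the steps above can be produced and checked without the ZooKeeper jars. The following is an added example, not code from the original post or from the ZooKeeper project: it mirrors DigestAuthenticationProvider's digest format (id, a colon, then Base64 of the SHA-1 of "id:password"), assumes UTF-8 encoding, and the helper names and sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac

PROPERTY = "zookeeper.DigestAuthenticationProvider.superDigest"


def generate_digest(id_password: str) -> str:
    """Return "<id>:<base64(SHA-1(id:password))>", the form used by digest ACLs."""
    user = id_password.split(":", 1)[0]
    # Assumption: UTF-8 bytes; the Java code uses the JVM default charset.
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")


def jvm_flag(id_password: str) -> str:
    """Build the -D option to add to the java command line in zkServer.sh."""
    return "-D" + PROPERTY + "=" + generate_digest(id_password)


def unlocks_super(authdata: str, flag: str) -> bool:
    """Check offline whether `addauth digest <authdata>` matches a configured flag."""
    name, sep, configured = flag.partition("=")  # digest padding "=" stays in value
    if not sep or name != "-D" + PROPERTY:
        raise ValueError("not a superDigest option: " + flag)
    candidate = generate_digest(authdata)
    return hmac.compare_digest(candidate.encode("utf-8"), configured.encode("utf-8"))


if __name__ == "__main__":
    sample = "super:constructed-sample-pw"  # constructed credential, not a real one
    flag = jvm_flag(sample)
    print(flag)
    print("sample unlocks super:", unlocks_super(sample, flag))
    print("typo unlocks super:", unlocks_super("super:constructed-sample-pW", flag))
```

Because the stored value is an unsalted SHA-1, treat zkServer.sh and the server's process arguments as sensitive and pick a long random super password.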