Apache ZooKeeper ACLs
Also available as:
PDF

ZooKeeper ACLs Best Practices: Ranger

Best practices for tightening the ZooKeeper ACLs/permissions for Ranger when provisioning a secure cluster.

  • ZooKeeper Usage:
    • Ranger does not use ZooKeeper directly. Only if Audit to Solr is enabled and Solr is configured in SolrCloud mode, Solr nodes will need to access zookeeper node /ranger_audits.

      /ranger_audits

  • Default ACLs:
    • /ranger_audits - world:anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:
    • Only Solr needs access to this Znode:

      /ranger_audits - sasl:solr:cdrwa

    • After enabling SolrCloud, edit the Ranger collection path permission on Znode:
      1. SSH to the cluster where SolrCloud is present.

      2. Go to /usr/hdp/<version>/zookeeper/bin.

      3. Run ./zkCli.sh -server <FQDN SolrCloud host>:2181

      4. After it connects, run: ls /

      5. Verify there is a folder for the Ranger Solr collection.

      6. Execute getAcl /ranger_audits and if the permission is for world,anyone: cdrwa, restrict the permission to “sasl:solr:cdrwa” using this command: setAcl /ranger_audits sasl:solr:cdrwa.

      7. Repeat the above step for all clusters where SolrCloud is installed.

      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 0] ls /
      [zookeeper, rmstore, ranger_audits]
      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 1] getAcl /ranger_audits
      'world,'anyone
      : cdrwa
      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 2] setAcl /ranger_audits sasl:solr:cdrwa
      cZxid = 0x200000037
      ctime = Wed Jun 29 10:40:24 UTC 2016
      mZxid = 0x200000037
      mtime = Wed Jun 29 10:40:24 UTC 2016
      pZxid = 0x200000056
      cversion = 7
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 0
      numChildren = 7
      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 3] getAcl /ranger_audits           	 
      'sasl,'solr
      : cdrwa
      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 4]