Apache ZooKeeper ACLs
Also available as:
PDF

ZooKeeper ACLs Best Practices: Atlas

Best practices for tightening the ZooKeeper ACLs/permissions for Atlas when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /apache_atlas - Root zookeeper node which is configured for curator, under which nodes for leader election are created.

    • /apache_atlas/active_server_info - Znode used in HA environments for storing active server information.

    • /apache_atlas/setup_in_progress - Transient Znode used to ensure some setup steps are executed only from one instance. This gets deleted after use and should normally not be seen.

  • Default ACLs:
    • All znodes have world:anyone:cdrwa by default.

  • Security Best Practice ACLs/Permissions and Required Steps:
    • No user intervention is required for creating/using the Znodes. They are all managed internally by Atlas. Atlas exposes two configuration properties that define the auth and ACL - to use while creating these Znodes. Ambari should configure these correctly for a secure cluster. The recommended configuration is atlas.server.ha.zookeeper.auth=sasl:atlas@<domain.com> and atlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com> , where <domain.com> should be replaced with the right value of the atlas service user principal. (Assuming atlas is the service user name). When set this way, the ACLs for all znodes will be atlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com>:cdrwa. (Note we don’t allow configuration of the permissions from Ambari).