Sunday, September 13, 2015

ACL (Access Control List) is one of the functionalities that is not widely used among Apache ZooKeeper users, yet ZooKeeper provides a powerful API that makes it easy to add security to a clustered environment. ZooKeeper ACLs follow an idea similar to Linux file system access control lists. After starting the ZooKeeper server, you can view and set up ACLs on data directories (znodes) with the zkCli commands below.

To view data in a directory:
        get <path-to-directory>
To view the ACL of a directory:
        getAcl <path-to-directory>
To authenticate a user:
        addauth <scheme> <username>:<password>
Following are the built-in schemes of Apache ZooKeeper (quoting from the Apache ZooKeeper docs):

* world: has a single id, anyone, that represents anyone.
* auth: doesn't use any id, represents any authenticated user.
* digest: uses a username:password string to generate MD5 hash which is then used as an ACL ID identity. Authentication is done by sending the username:password in clear text. When used in the ACL the expression will be the username:base64 encoded SHA1 password digest.
* host: uses the client host name as an ACL ID identity. The ACL expression is a hostname suffix. For example, the ACL expression host:corp.com matches the ids host:host1.corp.com and host:host2.corp.com, but not host:host1.store.com.
* ip: uses the client host IP as an ACL ID identity. The ACL expression is of the form addr/bits where the most significant bits of addr are matched against the most significant bits of the client host IP.

To set an ACL:
        setAcl <path-to-directory> <scheme>:<username>:<password>:<permission>
Following are the declared permissions of Apache ZooKeeper (quoting from the Apache ZooKeeper docs):

* CREATE: you can create a child node
* READ: you can get data from a node and list its children.
* WRITE: you can set data for a node
* DELETE: you can delete a child node
* ADMIN: you can set permissions

Example: scheme - digest; path to directory - /zookeeper/temp; username - user; password - pwd
        addauth digest user:pwd
        setAcl /zookeeper/temp auth:user:pwd:crw
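As an added illustration (this is not ZooKeeper's own code and not the Java API the post refers to), the following Python reproduces the id rules of the schemes quoted above: it derives the `user:<base64 SHA-1>` id that a digest ACL stores, which is what `setAcl` with the digest scheme expects in place of the plaintext password, matches host suffixes and `addr/bits` prefixes, splits a zkCli ACL string into scheme, id and permission letters, and evaluates whether a client's ids are granted a permission. The label-boundary rule for host suffixes is an assumption drawn from the quoted examples, and `auth` entries are not matched here because the server replaces them at `setAcl` time with the digest ids of the session that ran `addauth`.

```python
import base64
import hashlib
import ipaddress

# zkCli permission letters, e.g. the "crw" in "setAcl /zookeeper/temp auth:user:pwd:crw"
PERMS = {"c": "CREATE", "r": "READ", "w": "WRITE", "d": "DELETE", "a": "ADMIN"}

def digest_id(user_password):
    """'user:pwd' -> 'user:<base64(sha1("user:pwd"))>', the id a digest ACL stores.
    The hash covers the whole 'user:pwd' string, so the user name is part of the digest."""
    user = user_password.split(":", 1)[0]
    sha1 = hashlib.sha1(user_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")

def host_matches(client_host, acl_expr):
    """host scheme: acl_expr is a hostname suffix. Assumed to match on a label boundary,
    so corp.com matches host1.corp.com but not host1.store.com or notcorp.com."""
    client_host, acl_expr = client_host.lower(), acl_expr.lower()
    return client_host == acl_expr or client_host.endswith("." + acl_expr)

def ip_matches(client_ip, acl_expr):
    """ip scheme: 'addr/bits' compares the most significant bits only; no '/bits' means all."""
    addr, _, bits = acl_expr.partition("/")
    prefix = int(bits) if bits else ipaddress.ip_address(addr).max_prefixlen
    network = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    return ipaddress.ip_address(client_ip) in network

def parse_acl(acl_expr):
    """Split 'scheme:id:perms' as zkCli does: scheme ends at the first ':' and perms start
    at the last, so a digest id containing ':' survives in the middle. Unknown letters raise."""
    scheme, _, rest = acl_expr.partition(":")
    acl_id, _, perms = rest.rpartition(":")
    return scheme, acl_id, {PERMS[letter] for letter in perms}

def has_permission(acls, client_ids, wanted):
    """True if any ACL entry grants `wanted` (e.g. "READ") to one of the client's
    (scheme, id) pairs, e.g. ("ip", "10.0.0.7") or ("digest", digest_id("user:pwd"))."""
    matchers = {"digest": lambda cid, acl_id: cid == acl_id,
                "host": host_matches, "ip": ip_matches}
    for entry in acls:
        scheme, acl_id, perms = parse_acl(entry)
        if wanted not in perms:
            continue
        if scheme == "world" and acl_id == "anyone":
            return True  # world:anyone grants to every client, authenticated or not
        matcher = matchers.get(scheme)
        if matcher and any(s == scheme and matcher(cid, acl_id) for s, cid in client_ids):
            return True
    return False
```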

You can also use the Java API provided by Apache ZooKeeper to implement these ACLs within your code. I'll write a blog post soon to guide you on how to do that.