Apache ZooKeeper ACLs
Also available as:
PDF

ZooKeeper ACLs Best Practices: Accumulo

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Accumulo when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /accumulo - Parent ZNode for all of Accumulo use in ZooKeeper

    • /accumulo/$UUID - Parent ZNode for a specific Accumulo instance

    • /accumulo/instances - Contains mappings of human-readable Accumulo names to the UUID

    • /accumulo/$UUID/users - Accumulo user database

    • /accumulo/$UUID/problems - Persisted advertisement of reported problems in Accumulo

    • /accumulo/$UUID/root_tables - The “root” Accumulo table (points to the Accumulo metadata table)

    • /accumulo/$UUID/hdfs_reservations - ZNode to coordinate unique directories in HFDS for bulk imports of Accumulo files to a table

    • /accumulo/$UUID/gc - Advertisement and leader election for Accumulo GarbageCollector

    • /accumulo/$UUID/table_locks - RW-locks per Accumulo table

    • /accumulo/$UUID/fate - Parent znode for Accumulo’s FATE (distributed, multi-step transactions)

    • /accumulo/$UUID/tservers - Advertisement and ephemeral znodes(keep-alive) for TabletServers

    • /accumulo/$UUID/tables - The “database” of Accumulo tables (metadata)

    • /accumulo/$UUID/namespaces - The “database” of Accumulo namespaces (metadata)

    • /accumulo/$UUID/next_file - Coordinates unique name generation for files in HDFS

    • /accumulo/$UUID/config - Dynamic configuration for Accumulo

    • /accumulo/$UUID/masters - Advertisement and leader election for the Accumulo Master

    • /accumulo/$UUID/monitor - Advertisement and leader election for the Accumulo Monitor

    • /accumulo/$UUID/bulk_failed_copyq - Tracking files to bulk import which failed

    • /accumulo/$UUID/recovery - Used to coordinate recovery of write-ahead logs

  • Default ACLs:
    • All znodes not specified otherwise are world-readable and cdrwa ‘accumulo’. Those below are not world-readable:

      /accumulo/$UUID/users/*

  • Security Best Practice ACLs/Permissions and Required Steps:
    • The user does not need to alter any ACLs in ZooKeeper. Accumulo protects all ZNodes automatically.