ZooKeeper ACLs Best Practices: Ranger
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Ranger when provisioning a secure cluster.
- ZooKeeper Usage:
  - Ranger does not use ZooKeeper directly. Only if Audit to Solr is enabled and Solr is configured in SolrCloud mode do the Solr nodes need access to the ZooKeeper znode /ranger_audits.
- Default ACLs:
  - /ranger_audits - world:anyone:cdrwa
- Security Best Practice ACLs/Permissions and Required Steps:
  - Only Solr needs access to this znode: /ranger_audits - sasl:solr:cdrwa
  - The sasl:solr identity matches Solr's Kerberos principal only when the ZooKeeper server strips the host and realm from client principals (kerberos.removeHostFromPrincipal=true and kerberos.removeRealmFromPrincipal=true); otherwise the ACL id would have to be the full principal name.
  - Because cdrwa (including the admin permission) is then granted to sasl:solr alone, a later change to this ACL must come from a session authenticated as solr or as the ZooKeeper super user. Plan that before restricting the znode.
  - After enabling SolrCloud, edit the Ranger collection path permission on the znode:
    - SSH to the cluster where SolrCloud is present.
    - Go to /usr/hdp/<version>/zookeeper/bin.
    - Run ./zkCli.sh -server <FQDN SolrCloud host>:2181
    - After it connects, run: ls /
    - Verify there is a znode for the Ranger Solr collection (/ranger_audits).
    - Execute getAcl /ranger_audits. If the permission is 'world,'anyone : cdrwa, restrict it to sasl:solr:cdrwa with this command: setAcl /ranger_audits sasl:solr:cdrwa
    - Run getAcl /ranger_audits again and confirm the only entry is 'sasl,'solr : cdrwa.
    - Repeat the above steps for all clusters where SolrCloud is installed.

  Example zkCli session:

    [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 0] ls /
    [zookeeper, rmstore, ranger_audits]
    [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 1] getAcl /ranger_audits
    'world,'anyone
    : cdrwa
    [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 2] setAcl /ranger_audits sasl:solr:cdrwa
    cZxid = 0x200000037
    ctime = Wed Jun 29 10:40:24 UTC 2016
    mZxid = 0x200000037
    mtime = Wed Jun 29 10:40:24 UTC 2016
    pZxid = 0x200000056
    cversion = 7
    dataVersion = 0
    aclVersion = 1
    ephemeralOwner = 0x0
    dataLength = 0
    numChildren = 7
    [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 3] getAcl /ranger_audits
    'sasl,'solr
    : cdrwa
    [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 4]
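The check-and-restrict procedure above, written as an added shell script that is not part of the HDP documentation or of the Ranger, Solr or ZooKeeper projects. It parses the getAcl output in the two-line form zkCli prints ('world,'anyone on one line, : cdrwa on the next), only calls setAcl when the znode is still world-open, refuses to touch an ACL it does not recognise, and re-reads the ACL afterwards. The ZKCLI path, the ZK_HOST placeholder and the use of zkCli.sh with the command given as trailing arguments (as in the ZooKeeper 3.4.x client shipped with HDP) are assumptions; run it from the zookeeper/bin directory named in the steps, or set ZKCLI.

```shell
#!/bin/sh
# Added example, not HDP/Ranger/Solr/ZooKeeper project code.
# Checks the ACL on /ranger_audits through zkCli.sh and restricts it to
# sasl:solr:cdrwa only when it is still the default world:anyone:cdrwa.

ZNODE=/ranger_audits
TARGET_ACL=sasl:solr:cdrwa
ZKCLI="${ZKCLI:-./zkCli.sh}"                               # assumed: run from zookeeper/bin
ZK_HOST="${ZK_HOST:-solrcloud-host.example.com:2181}"      # placeholder host, replace it

# acl_is_world_open: read zkCli getAcl output on stdin; succeed if world:anyone
# holds all of cdrwa. Newlines are folded to spaces so both the two-line form
# ('world,'anyone / : cdrwa) and a single-line form match.
acl_is_world_open() {
    tr '\n' ' ' | grep -q "'world,'anyone *: *cdrwa"
}

# acl_is_solr_only: succeed if the znode has exactly one ACL entry and that
# entry is sasl:solr:cdrwa. zkCli prints every ACL id on a line starting with
# a quote, so counting those lines gives the number of entries; log lines,
# WATCHER output and the "Connecting to" banner never start with a quote.
acl_is_solr_only() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | grep -c "^'" || true)
    [ "$n" -eq 1 ] && printf '%s\n' "$out" | tr '\n' ' ' | grep -q "'sasl,'solr *: *cdrwa"
}

# restrict_ranger_audits_acl: apply the documented setAcl when needed.
# Returns 0 when the znode ends up as sasl:solr:cdrwa, 2 when the current ACL
# is neither the default nor the target (left unchanged for a human to review).
restrict_ranger_audits_acl() {
    current=$("$ZKCLI" -server "$ZK_HOST" getAcl "$ZNODE" 2>&1)
    if printf '%s\n' "$current" | acl_is_solr_only; then
        echo "$ZNODE is already restricted to $TARGET_ACL"
        return 0
    fi
    if printf '%s\n' "$current" | acl_is_world_open; then
        "$ZKCLI" -server "$ZK_HOST" setAcl "$ZNODE" "$TARGET_ACL" >/dev/null 2>&1
    else
        echo "unexpected ACL on $ZNODE, not changing it:" >&2
        printf '%s\n' "$current" >&2
        return 2
    fi
    # Verify the change the same way the manual steps do: getAcl again.
    "$ZKCLI" -server "$ZK_HOST" getAcl "$ZNODE" 2>&1 | acl_is_solr_only
}

# Only talk to ZooKeeper when explicitly asked, so the file can be sourced
# for its functions without side effects.
if [ "${1:-}" = "--apply" ]; then
    restrict_ranger_audits_acl
fi
```

Run it once per cluster where SolrCloud is installed, from a session that has authenticated to ZooKeeper (kinit as the principal you intend to keep administrative access with), since after the change only sasl:solr and the ZooKeeper super user can alter the ACL again.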

