ZooKeeper ACLs Best Practices: Ranger

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Ranger when provisioning a secure cluster.

  • ZooKeeper Usage:
    • Ranger does not use ZooKeeper directly. Only if Audit to Solr is enabled and Solr is configured in SolrCloud mode, Solr nodes will need to access zookeeper node /ranger_audits.

      /ranger_audits

  • Default ACLs:
    • /ranger_audits - world:anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:
    • Only Solr needs access to this Znode:

      /ranger_audits - sasl:solr:cdrwa

    • After enabling SolrCloud, edit the Ranger collection path permission on Znode:
      1. SSH to the cluster.

        For example, any host where the ZooKeeper server is running.

      2. Start the ZooKeeper CLI by running the following command:
        zookeeper-client -server [***ZOOKEEPER SERVER HOST***]:[***ZOOKEEPER CLIENT PORT***]

        The default port of zookeeper client port is 2181.

      3. After it connects, run: ls /

      4. Verify there is a folder for the Ranger Solr collection.

      5. Run getAcl /ranger_audits and if the permission is for world,anyone: cdrwa, restrict the permission to “sasl:solr:cdrwa” using this command: setAcl /ranger_audits sasl:solr:cdrwa.

      6. Repeat the above step for all clusters where SolrCloud is installed.

      [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 0] ls /
                [zookeeper, rmstore, ranger_audits]
                [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 1] getAcl /ranger_audits
                'world,'anyone
                : cdrwa
                [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 2] setAcl /ranger_audits sasl:solr:cdrwa
                cZxid = 0x200000037
                ctime = Wed Jun 29 10:40:24 UTC 2016
                mZxid = 0x200000037
                mtime = Wed Jun 29 10:40:24 UTC 2016
                pZxid = 0x200000056
                cversion = 7
                dataVersion = 0
                aclVersion = 1
                ephemeralOwner = 0x0
                dataLength = 0
                numChildren = 7
                [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 3] getAcl /ranger_audits           	 
                'sasl,'solr
                : cdrwa
                [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 4]