ZooKeeper ACLs Best Practices: Atlas

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Atlas when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /apache_atlas - Root zookeeper node which is configured for curator, under which nodes for leader election are created.

    • /apache_atlas/active_server_info - Znode used in HA environments for storing active server information.

    • /apache_atlas/setup_in_progress - Transient Znode used to ensure some setup steps are executed only from one instance. This gets deleted after use and should normally not be seen.

    • /leader_elector_path and /setup_lock - Transient Znodes.

    • /apache_atlas is the root node which is configuration driven. The default value is /apache_atlas but can be overwritten by setting the value for this property atlas.server.ha.zookeeper.zkroot

  • Default ACLs:
    • All znodes have world:anyone:cdrwa by default.

  • Security Best Practice ACLs/Permissions and Required Steps:
    • No user intervention is required for creating/using the Znodes. They are all managed internally by Atlas. Atlas exposes two configuration properties that define the auth and ACL - to use while creating these Znodes.

      Cloudera Manager should configure these correctly for a secure cluster. The recommended configuration is atlas.server.ha.zookeeper.auth=sasl:atlas@<domain.com> andatlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com>, where <domain.com> should be replaced with the right value of the Atlas service user principal. (Assuming atlas is the service user name). When set this way, the ACLs for all Znodes will be atlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com>:cdrwa.

      .