ZooKeeper ACLs Best Practices: ZooKeeper

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for ZooKeeper when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /zookeeper - Node stores metadata of ZooKeeper itself.

    • /zookeeper/quota - Stores quota information.

    • /zookeeper/config - Stores the current configuration, if the dynamic reconfiguration feature is enabled.

  • Default ACLs:
    • /zookeeper - world:anyone:cdrwa

    • /zookeeper/quota - world:anyone:cdrwa

    • /zookeeper/config - world:anyone:r

  • Security Best Practice ACLs/Permissions and Required Steps:

    The following steps must be manually performed by users who are using the ZooKeeper quota or dynamic reconfig feature. Components in CDP do not use these features, so these ZNodes are acutally empty by default -- most users do not need to execute the following commands:
    • setAcl /zookeeper sasl:zookeeper:rwcda

    • setAcl /zookeeper/quota sasl:zookeeper:cdrwa,world:anyone:r