Unlocking access to Kafka metadata in Zookeeper

Learn how to unlock access to Kafka metadata in Zookeeper

Cloudera does not recommend that you leave access to Kafka znodes (metadata) in Zookeeper unlocked. Only unlock access if you are planning to make configuration changes in Kafka that require znode access to be unlocked. Once configuration changes are complete, Cloudera recommends that you re-restrict access.

A secure Kafka cluster with Kerberos authentication enabled is required.

  1. Disable the use of secure ACLs:
    This can be achieved by setting the zookeeper.set.acl configuration parameter to false.
    1. In Cloudera Manager select the Kafka service.
    2. Select Configuration.
    3. Find the Enable Zookeeper ACL property.
    4. Set the property to false by unchecking the checkbox next to the name of the role group.
  2. Perform a Rolling Restart:
    1. Return to the Home page by clicking the Cloudera Manager logo.
    2. Go to the Kafka service and select Actions Rolling Restart.
    3. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    4. Click Close when the restart has finished.
  3. Run the zookeeper-security-migration tool with the zookeeper.acl option set to unsecure
    zookeeper-security-migration --zookeeper.connect [HOSTNAME]:[PORT]/[ZOOKEEPER_KAFKA_CHROOT] --zookeeper.acl unsecure

    Replace [ZOOKEEPER_KAFKA_CHROOT] with the value of the zookeeper.chroot property. To view the value of the property, in Cloudera Manager go to Kafka > Configuration and search for zookeeper.chroot.

The tool traverses the corresponding sub-trees changing the ACLs of the znodes. Access to Kafka metadata stored in Zookeeper becomes unrestricted.