ZooKeeper ACLs Best Practices: Atlas
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Atlas when provisioning a secure cluster.
- ZooKeeper Usage:
/apache_atlas- Root zookeeper node which is configured for curator, under which nodes for leader election are created.
/apache_atlas/active_server_info- Znode used in HA environments for storing active server information.
/apache_atlas/setup_in_progress- Transient Znode used to ensure some setup steps are executed only from one instance. This gets deleted after use and should normally not be seen.
/setup_lock- Transient Znodes.
/apache_atlasis the root node which is configuration driven. The default value is
/apache_atlasbut can be overwritten by setting the value for this property
- Default ACLs:
All znodes have world:anyone:cdrwa by default.
- Security Best Practice ACLs/Permissions and Required Steps:
No user intervention is required for creating/using the Znodes. They are all managed internally by Atlas. Atlas exposes two configuration properties that define the auth and ACL - to use while creating these Znodes.
Cloudera Manager should configure these correctly for a secure cluster. The recommended configuration is
atlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com>, where <domain.com> should be replaced with the right value of the Atlas service user principal. (Assuming atlas is the service user name). When set this way, the ACLs for all Znodes will be