Managing Apache ZooKeeper SecurityPDF version

ZooKeeper ACLs Best Practices: Atlas

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Atlas when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /apache_atlas - Root zookeeper node which is configured for curator, under which nodes for leader election are created.

    • /apache_atlas/active_server_info - Znode used in HA environments for storing active server information.

    • /apache_atlas/setup_in_progress - Transient Znode used to ensure some setup steps are executed only from one instance. This gets deleted after use and should normally not be seen.

  • Default ACLs:
    • All znodes have world:anyone:cdrwa by default.

  • Security Best Practice ACLs/Permissions and Required Steps:
    • No user intervention is required for creating/using the Znodes. They are all managed internally by Atlas. Atlas exposes two configuration properties that define the auth and ACL - to use while creating these Znodes. Cloudera Manager should configure these correctly for a secure cluster. The recommended configuration isatlas.server.ha.zookeeper.auth=sasl:atlas@<domain.com> andatlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com> , where <domain.com> should be replaced with the right value of the atlas service user principal. (Assuming atlas is the service user name). When set this way, the ACLs for all znodes will beatlas.server.ha.zookeeper.acl=sasl:atlas@<domain.com>:cdrwa. (Note we don’t allow configuration of the permissions from Cloudera Manager).