ZooKeeper ACLs Best Practices: Ranger
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Ranger when provisioning a secure cluster.
-
ZooKeeper Usage:
-
Ranger does not use ZooKeeper directly. Only if Audit to Solr is enabled and Solr is configured in SolrCloud mode, Solr nodes will need to access zookeeper node
/ranger_audits
./ranger_audits
-
-
Default ACLs:
-
/ranger_audits
-world:anyone:cdrwa
-
-
Security Best Practice ACLs/Permissions and Required Steps:
-
Only Solr needs access to this Znode:
/ranger_audits
-sasl:solr:cdrwa
-
After enabling SolrCloud, edit the Ranger collection path permission on Znode:
-
SSH to the cluster.
For example, any host where the ZooKeeper server is running.
-
Start the ZooKeeper CLI by running the following command:
zookeeper-client -server [***ZOOKEEPER SERVER HOST***]:[***ZOOKEEPER CLIENT PORT***]
The default port of zookeeper client port is 2181.
-
After it connects, run:
ls /
-
Verify there is a folder for the Ranger Solr collection.
-
Execute
getAcl /ranger_audits
and if the permission is forworld
,anyone: cdrwa
, restrict the permission to“sasl:solr:cdrwa”
using this command:setAcl /ranger_audits sasl:solr:cdrwa
. -
Repeat the above step for all clusters where SolrCloud is installed.
[zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 0] ls / [zookeeper, rmstore, ranger_audits] [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 1] getAcl /ranger_audits 'world,'anyone : cdrwa [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 2] setAcl /ranger_audits sasl:solr:cdrwa cZxid = 0x200000037 ctime = Wed Jun 29 10:40:24 UTC 2016 mZxid = 0x200000037 mtime = Wed Jun 29 10:40:24 UTC 2016 pZxid = 0x200000056 cversion = 7 dataVersion = 0 aclVersion = 1 ephemeralOwner = 0x0 dataLength = 0 numChildren = 7 [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 3] getAcl /ranger_audits 'sasl,'solr : cdrwa [zk: as-ha-27-3.openstacklocal:2181(CONNECTED) 4]
-
-