ZooKeeper ACL – Access Control in Zookeeper Using ACLs

Boost your career with Free Big Data Courses!!

In our last Zookeeper tutorial, we discussed ZooKeeper Sessions. Today, we will see ZooKeeper ACL. Though, there is much more to learn about ACL in ZooKeeper. So, in this Zookeeper article, we will discuss the concept of ZooKeeper access control using ACLs.

Also, we will see Built-in ACL Schemes along with a sample code to understand well. Basically, to control access to its ZNodes, ZooKeeper uses ACLs. Along with this, we will also see ZooKeeper Authentication.

So, let’s start ZooKeeper ACL.

What is Zookeeper ACL?

In order to control access to its ZNodes, ZooKeeper uses ACLs. However, the ZooKeeper ACL implementation is very much same as UNIX file access permissions. So, to allow/disallow various operations against a node and the scope to which the bits apply, that employs permission bits. 

Moreover, ZooKeeper offers pluggable authentication schemes. And, by using the form scheme:id, all Ids are specified, especially where the scheme is a ZooKeeper authentication scheme that the id corresponds to.

In addition, ZooKeeper associates all the ids that correspond to a client with the client’s connection, while a client connects to ZooKeeper and authenticates itself. Further, when a ZooKeeper client tries to access a node, these ids are checked against the ACLs of ZNodes.

However, ZooKeeper ACL are made up of pairs (scheme: expression, perms). Make sure that the format of the expression is specific to the scheme. 

a. ACL Permissions

There are various ZooKeeper ACL Permissions:

  • CREATE: It helps to create a child node.
  • READ: This helps to get data from a node and also list its children.
  • WRITE: By using it we can set data for a node.
  • DELETE: It can delete a child node.
  • ADMIN: This can set permissions.

b. Built-in ACL Schemes

There are various built-in schemes in Zookeeper:

  • Basically, the world has a single id, anyone, which represents anyone.
  • Moreover, auth doesn’t use any id. So, represents any authenticated user.
  • Also, digest uses a username. Moreover, by sending the username: password in clear text, ZooKeeper authentication occurs. And, the expression for it will be the username:base64 encoded SHA1 password digest, while used in the ACL.
  • As a ZooKeeper ACL ID identity, IP uses the client host IP.

c. ZooKeeper C client API

ZooKeeper C library offers below constants:

  • const int ZOO_PERM_READ; //can read node’s value and list its children
  • const int ZOO_PERM_WRITE;// can set the node’s value
  • const int ZOO_PERM_CREATE; //can create children
  • const int ZOO_PERM_DELETE;// can delete children
  • const int ZOO_PERM_ADMIN; //can execute set_acl()
  • const int ZOO_PERM_ALL;// all of the above flags OR’d together

Here are some standard ACL IDs:

  • struct Id ZOO_ANYONE_ID_UNSAFE; //(‘world’,’anyone’)
  • struct Id ZOO_AUTH_IDS;// (‘auth’,’’)

ZOO_AUTH_IDS empty identity string must be considered as “the identity of the creator”.
Moreover, with three standard ACL in ZooKeeper, ZooKeeper client comes:

  • struct ACL_vector ZOO_OPEN_ACL_UNSAFE;

//(ZOO_PERM_ALL,ZOO_ANYONE_ID_UNSAFE)

  • struct ACL_vector ZOO_READ_ACL_UNSAFE;// (ZOO_PERM_READ, ZOO_ANYONE_ID_UNSAFE)
  • struct ACL_vector ZOO_CREATOR_ALL_ACL; //(ZOO_PERM_ALL,ZOO_AUTH_IDS)

In addition,  for all ACL ZOO_OPEN_ACL_UNSAFE is completely open free. That means any application can easily execute any operation on the node. Also, can create, list as well as delete its children. Though, for any application, the ZOO_READ_ACL_UNSAFE is read-only access.

And, CREATE_ALL_ACL give all allowances to the node’s creator. Ensure that before creator can create nodes with this ACL, the creator must have been authenticated by the server.

Here are various ZooKeeper operations which deal with ACLs:

  • int zoo_add_auth (zhandle_t *zh,const char* scheme,const char* cert, int certLen, void_completion_t completion, const void *data);

Basically, to authenticate itself to the server, the application uses the zoo_add_auth function. However, we can call this function many times if the application asks to authenticate by using different schemes and/or identities.

  • int zoo_create (zhandle_t *zh, const char *path, const char *value,int valuelen, const struct ACL_vector *acl, int flags,char *realpath, int max_realpath_len);

Well, zoo_create(…) operation, creates a new node. The acl parameter is a list of ACLs associated with the node. Also, make sure if the parent node must have the CREATE permission bit set or not.

  • int zoo_get_acl (zhandle_t *zh, const char *path,struct ACL_vector *acl, struct Stat *stat);

It gets ACL info of node.

d. Sample code

Now below you can see a sample code with “foo” scheme which also creates an ephemeral node “/xyz” with create-only permissions, to make use of the above APIs in order to authenticate itself.

However, it is very important to note that it is a simple example which specifically shows to interact with ZooKeeper ACLs.

#include <string.h>
#include <errno.h>
#include "zookeeper.h"
static zhandle_t *zh;
/**
* In this example this method gets the cert for your
*   environment -- you must provide
*/
char *foo_get_cert_once(char* id) { return 0; }
/** Watcher function -- empty for this example, not something you should
* do in real code */
void watcher(zhandle_t *zzh, int type, int state, const char *path,
            void *watcherCtx) {}
int main(int argc, char argv) {
 char buffer[512];
 char p[2048];
 char *cert=0;
 char appId[64];
 strcpy(appId, "example.foo_test");
 cert = foo_get_cert_once(appId);
 if(cert!=0) {
   fprintf(stderr,
           "Certificate for appid [%s] is [%s]\n",appId,cert);
   strncpy(p,cert, sizeof(p)-1);
   free(cert);
 } else {
   fprintf(stderr, "Certificate for appid [%s] not found\n",appId);
   strcpy(p, "dummy");
 }
 zoo_set_debug_level(ZOO_LOG_LEVEL_DEBUG);
 zh = zookeeper_init("localhost:3181", watcher, 10000, 0, 0, 0);
 if (!zh) {
   return errno;
 }
 if(zoo_add_auth(zh,"foo",p,strlen(p),0,0)!=ZOK)
   return 2;
 struct ACL CREATE_ONLY_ACL[] = {{ZOO_PERM_CREATE, ZOO_AUTH_IDS}};
 struct ACL_vector CREATE_ONLY = {1, CREATE_ONLY_ACL};
 int rc = zoo_create(zh,"/xyz","value", 5, &CREATE_ONLY, ZOO_EPHEMERAL,
                     buffer, sizeof(buffer)-1);
 /** this operation will fail with a ZNOAUTH error */
 int buflen= sizeof(buffer);
 struct Stat stat;
 rc = zoo_get(zh, "/xyz", 0, buffer, &buflen, &stat);
 if (rc) {
   fprintf(stderr, "Error %d for %s\n", rc, __LINE__);
 }
 zookeeper_close(zh);
 return 0;

So, this was all in ZooKeeper ACL. Hope you like our explanation of ZooKeeper Access Control using ACL’s.

Conclusion: ZooKeeper Access Control

Hence, in this ZooKeeper ACL tutorial, we have seen the whole concept of ZooKeeper access control using ACLs. Moreover, we discussed Built-in ACL SChemes along with a sample code.

Also, we saw permissions in ZooKeeper ACL. At last, we learned about ZooKeeper authentication. Still, if any doubt regarding Access Control in ZooKeeper ask in the comment tab.

If you are Happy with DataFlair, do not forget to make us happy with your positive feedback on Google

courses

DataFlair Team

DataFlair Team specializes in creating clear, actionable content on programming, Java, Python, C++, DSA, AI, ML, data Science, Android, Flutter, MERN, Web Development, and technology. Backed by industry expertise, we make learning easy and career-oriented for beginners and pros alike.

4 Responses

  1. rinilnath says:

    But this never explains, how to enable ACL in already running zookeeper system.
    can you please explain that to me in email. We are in need of this for a security vulnearability

  2. Kiran says:

    Any updates? Did they responded??

  3. AK says:

    This is pure copy of the official documentation. Instead of writing this article, you could have just mentioned to read the official doc instead!

Leave a Reply

Your email address will not be published. Required fields are marked *