Site icon DataFlair

ZooKeeper ACL – Access Control in Zookeeper Using ACLs

ZooKeeper ACL

ZooKeeper ACL - Access Control in Zookeeper Using ACLs

In our last Zookeeper tutorial, we discussed ZooKeeper Sessions. Today, we will see ZooKeeper ACL. Though, there is much more to learn about ACL in ZooKeeper. So, in this Zookeeper article, we will discuss the concept of ZooKeeper access control using ACLs.

Also, we will see Built-in ACL Schemes along with a sample code to understand well. Basically, to control access to its ZNodes, ZooKeeper uses ACLs. Along with this, we will also see ZooKeeper Authentication.

So, let’s start ZooKeeper ACL.

What is Zookeeper ACL?

In order to control access to its ZNodes, ZooKeeper uses ACLs. However, the ZooKeeper ACL implementation is very much same as UNIX file access permissions. So, to allow/disallow various operations against a node and the scope to which the bits apply, that employs permission bits. 

Moreover, ZooKeeper offers pluggable authentication schemes. And, by using the form scheme:id, all Ids are specified, especially where the scheme is a ZooKeeper authentication scheme that the id corresponds to.

In addition, ZooKeeper associates all the ids that correspond to a client with the client’s connection, while a client connects to ZooKeeper and authenticates itself. Further, when a ZooKeeper client tries to access a node, these ids are checked against the ACLs of ZNodes.

However, ZooKeeper ACL are made up of pairs (scheme: expression, perms). Make sure that the format of the expression is specific to the scheme. 

a. ACL Permissions

There are various ZooKeeper ACL Permissions:

b. Built-in ACL Schemes

There are various built-in schemes in Zookeeper:

c. ZooKeeper C client API

ZooKeeper C library offers below constants:

Here are some standard ACL IDs:

ZOO_AUTH_IDS empty identity string must be considered as “the identity of the creator”.
Moreover, with three standard ACL in ZooKeeper, ZooKeeper client comes:

//(ZOO_PERM_ALL,ZOO_ANYONE_ID_UNSAFE)

In addition,  for all ACL ZOO_OPEN_ACL_UNSAFE is completely open free. That means any application can easily execute any operation on the node. Also, can create, list as well as delete its children. Though, for any application, the ZOO_READ_ACL_UNSAFE is read-only access.

And, CREATE_ALL_ACL give all allowances to the node’s creator. Ensure that before creator can create nodes with this ACL, the creator must have been authenticated by the server.

Here are various ZooKeeper operations which deal with ACLs:

Basically, to authenticate itself to the server, the application uses the zoo_add_auth function. However, we can call this function many times if the application asks to authenticate by using different schemes and/or identities.

Well, zoo_create(…) operation, creates a new node. The acl parameter is a list of ACLs associated with the node. Also, make sure if the parent node must have the CREATE permission bit set or not.

It gets ACL info of node.

d. Sample code

Now below you can see a sample code with “foo” scheme which also creates an ephemeral node “/xyz” with create-only permissions, to make use of the above APIs in order to authenticate itself.

However, it is very important to note that it is a simple example which specifically shows to interact with ZooKeeper ACLs.

#include <string.h>
#include <errno.h>
#include "zookeeper.h"
static zhandle_t *zh;
/**
* In this example this method gets the cert for your
*   environment -- you must provide
*/
char *foo_get_cert_once(char* id) { return 0; }
/** Watcher function -- empty for this example, not something you should
* do in real code */
void watcher(zhandle_t *zzh, int type, int state, const char *path,
            void *watcherCtx) {}
int main(int argc, char argv) {
 char buffer[512];
 char p[2048];
 char *cert=0;
 char appId[64];
 strcpy(appId, "example.foo_test");
 cert = foo_get_cert_once(appId);
 if(cert!=0) {
   fprintf(stderr,
           "Certificate for appid [%s] is [%s]\n",appId,cert);
   strncpy(p,cert, sizeof(p)-1);
   free(cert);
 } else {
   fprintf(stderr, "Certificate for appid [%s] not found\n",appId);
   strcpy(p, "dummy");
 }
 zoo_set_debug_level(ZOO_LOG_LEVEL_DEBUG);
 zh = zookeeper_init("localhost:3181", watcher, 10000, 0, 0, 0);
 if (!zh) {
   return errno;
 }
 if(zoo_add_auth(zh,"foo",p,strlen(p),0,0)!=ZOK)
   return 2;
 struct ACL CREATE_ONLY_ACL[] = {{ZOO_PERM_CREATE, ZOO_AUTH_IDS}};
 struct ACL_vector CREATE_ONLY = {1, CREATE_ONLY_ACL};
 int rc = zoo_create(zh,"/xyz","value", 5, &CREATE_ONLY, ZOO_EPHEMERAL,
                     buffer, sizeof(buffer)-1);
 /** this operation will fail with a ZNOAUTH error */
 int buflen= sizeof(buffer);
 struct Stat stat;
 rc = zoo_get(zh, "/xyz", 0, buffer, &buflen, &stat);
 if (rc) {
   fprintf(stderr, "Error %d for %s\n", rc, __LINE__);
 }
 zookeeper_close(zh);
 return 0;

So, this was all in ZooKeeper ACL. Hope you like our explanation of ZooKeeper Access Control using ACL’s.

Conclusion: ZooKeeper Access Control

Hence, in this ZooKeeper ACL tutorial, we have seen the whole concept of ZooKeeper access control using ACLs. Moreover, we discussed Built-in ACL SChemes along with a sample code.

Also, we saw permissions in ZooKeeper ACL. At last, we learned about ZooKeeper authentication. Still, if any doubt regarding Access Control in ZooKeeper ask in the comment tab.

Exit mobile version