- Perform a rolling restart setting the JAAS login file, which enables brokers to authenticate. At the end of the rolling restart, brokers are able to manipulate znodes with strict ACLs, but they will not create znodes with those ACLs.
- Execute a tool called ZkSecurityMigrator (there is a script under ./bin and the code is under kafka.admin). This tool traverses the corresponding sub-trees changing the ACLs of the znodes.
- Perform a second rolling restart of brokers, this time setting the configuration parameter zookeeper.set.acl to true, which enables ZkUtils to use secure ACLs when creating znodes.
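A post-migration audit of the resulting znode ACLs, as an added example that is not part of the KIP or of Kafka's own code: it checks that the migrator actually tightened every znode it was pointed at before the second rolling restart is trusted. It assumes ACL entries in the (scheme, id, perms) shape that ZooKeeper's getACL returns, treats "sasl principal with all permissions plus world:anyone read-only" as the strict shape, and works on a constructed sample tree rather than a live ensemble.

```python
from typing import Dict, List, Tuple

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

AclEntry = Tuple[str, str, int]  # (scheme, id, perms) as returned by getACL


def znode_is_strict(acl: List[AclEntry]) -> bool:
    """A znode carries a strict ACL when an authenticated identity (sasl
    scheme) holds full rights and world:anyone is granted at most READ.
    This is the assumed shape of the ACLs written after migration."""
    has_owner = any(s == "sasl" and p == ALL for s, _, p in acl)
    world_read_only = all(
        (p & ~READ) == 0 for s, i, p in acl if (s, i) == ("world", "anyone")
    )
    return has_owner and world_read_only


def find_insecure_znodes(tree: Dict[str, List[AclEntry]]) -> List[str]:
    """Return, sorted, the paths whose ACLs still allow unauthenticated
    writes or have no authenticated owner; an empty list means the
    migrated sub-trees are safe to rely on."""
    return sorted(path for path, acl in tree.items() if not znode_is_strict(acl))


# Constructed sample of what getACL might return for a few Kafka znodes
# after the migrator ran; two entries are deliberately left open so the
# audit has something to flag.
SAMPLE_TREE: Dict[str, List[AclEntry]] = {
    "/brokers/ids/0": [("sasl", "kafka", ALL), ("world", "anyone", READ)],
    "/config/topics/orders": [("sasl", "kafka", ALL), ("world", "anyone", READ)],
    "/admin/delete_topics": [("world", "anyone", ALL)],        # constructed: still world-writable
    "/controller": [("world", "anyone", READ | WRITE)],         # constructed: no sasl owner
}

if __name__ == "__main__":
    for path in find_insecure_znodes(SAMPLE_TREE):
        print("insecure ACL:", path, SAMPLE_TREE[path])
```

On a real ensemble the same functions can be fed the output of a ZooKeeper client's getACL walk over the sub-trees the migrator covers.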
Rejected Alternatives
One way to restrict access to a ZooKeeper ensemble is to use firewalls. This approach is reasonable, but difficult to implement in a fine-grained manner, which ends up leaving the metadata exposed all the same. Using traffic filtering to complement the feature described here is certainly recommended, so this alternative is not really rejected; it is simply deemed insufficient on its own.