Today, I will talk about the basics of ACLs in ZooKeeper and how to get the permission set of a znode's ACL.
1. What is ACL?
ACL (Access Control List) is basically an authentication mechanism implemented in ZooKeeper. It makes znodes accessible to users, depending on how it is set. For example, if its scheme is set to `world` and its ID is set to `anyone`, then the znode is accessible by anyone in the world, hence the `world` scheme and the `anyone` ID. However, if the scheme is anything other than `world`, then it's a different story. Let's talk about the basics and its attributes first.
A typical permission set of a znode looks something like this: `crdwa`. This is actually an acronym (the letters can be in any order) that stands for Create, Read, Delete, Write, and Admin.
1.1. Getting the ACL of a Znode
To get the ACL of a particular znode, we execute the `getAcl` command in the ZooKeeper client.
It will return that znode’s ACL in this format:
'[ scheme ],'[ id ] : [ permission-set ]
The syntax of the `getAcl` command is:
Think of the scheme as a specific group of users. The `world` scheme represents everyone in the world, literally. There are other schemes in ZooKeeper as well: `digest` (an individual user with a unique username and password), `ip`, which is an individual or group of users within the same IP address, and `host`, which is a group of users within the same host. The ID I believe is self-explanatory; should the scheme be `world`, then the ID always has to be `anyone`. There is no point in restricting specific users if the znode is meant to be viewed by anyone.
Here, I have an example of getting the ACL of the `getmyacl` znode. By typing in the command `getAcl /getmyacl`, you will get something like this:
1.2. More About Permission Set
Notice how the permission set says `crdwa`. If you were getting the permission set of a znode in Java instead, you would get an integer value in return.
First off, you would call the `getPerms` method to get the permission set of a znode in Java. As mentioned earlier, it returns an integer value. In this case, with this znode having a permission set of `crdwa`, Java returns 31, meaning that the user is authorized to create a child znode, read the data of that znode, delete that znode, overwrite (set the data of) the znode, and has administrative rights over that znode.
Each permission (create, read, delete, write, admin) is actually a bit, either 0 or 1, where 0 means not allowed and 1 means allowed. So, if you convert 31 into a binary number, you get 11111. Each permission has the following bit value:
- Read – 2^0
- Write – 2^1
- Create – 2^2
- Delete – 2^3
- Admin – 2^4
Say we have a `getmyacl` znode where create, read, and admin are allowed, but delete and write are not. According to my little bullet points above, in Java it would return 21 for the permission set. Converted to binary, that is 10101: (2^4 = 16) + (2^2 = 4) + (2^0 = 1) = 21.
Let's try to change its permission set to `cwa` (create, write, admin) and see what integer value is returned in Java. This time it returned 22, or 10110: (2^4 = 16) + (2^2 = 4) + (2^1 = 2) = 22.
To get the permission set of a znode in Java, we need to import the ACL class (from the ZooKeeper package) and List. First, we call `getACL` on the connected client, which returns a List of ACL objects, and take the first element as our ACL object. What's interesting is that the list contains only one element. Following is the code snippet on how to get the permission set of a znode:

```java
import java.util.List;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

// zk is an already connected ZooKeeper client; stat receives the znode's metadata.
// getACL declares KeeperException and InterruptedException, so the caller handles or throws them.
List<ACL> acl = zk.getACL("/getmyacl", stat);   // the ACL entries of /getmyacl (a single entry here)
ACL aclElement = acl.get(0);                     // take the first (and only) entry
System.out.println(aclElement.getPerms());       // print the permission set as an integer
// this is also how I got 21 and 22 earlier for the permission set.
```
When creating a znode the simplest way, any user is authorized with the full `crdwa` permission set. I will talk more about setting the permission set in 2 different blog entries: the first will be the easy one, where any user can access the znode; the second will be tricky (also to talk about and explain), involving an individual's username and password, and a group of users within the same host or IP address.
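As an added example (not code from the original post), here is the bit arithmetic above turned both ways with ZooKeeper's own `ZooDefs.Perms` constants, plus a small check that renders a znode's ACL list the way `getAcl` does and marks `world:anyone` entries granting more than read, which is what a znode created "the simplest way" ends up with. The `PermBits` class name and the sample ACL list (including the digest ID placeholder) are constructed for illustration and stand in for a real `zk.getACL` result.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class PermBits {
    // Letters in the post's order (ZooKeeper accepts any order) with their ZooDefs.Perms bits:
    // create=4, read=1, delete=8, write=2, admin=16.
    private static final String LETTERS = "crdwa";
    private static final int[] BITS = {ZooDefs.Perms.CREATE, ZooDefs.Perms.READ,
        ZooDefs.Perms.DELETE, ZooDefs.Perms.WRITE, ZooDefs.Perms.ADMIN};
    // Integer from ACL.getPerms() back to letters: 31 -> "crdwa", 21 -> "cra", 22 -> "cwa".
    static String toLetters(int perms) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < BITS.length; i++)
            if ((perms & BITS[i]) != 0) sb.append(LETTERS.charAt(i));
        return sb.toString();
    }
    // Letters in any order to the integer ZooKeeper stores: "cwa" -> 22, "acr" -> 21.
    static int fromLetters(String letters) {
        int perms = 0;
        for (char ch : letters.toCharArray()) {
            int idx = LETTERS.indexOf(ch);
            if (idx < 0) throw new IllegalArgumentException("unknown permission letter: " + ch);
            perms |= BITS[idx];
        }
        return perms;
    }
    // Render entries as getAcl does; mark world:anyone entries that grant more than read.
    static List<String> audit(List<ACL> acls) {
        List<String> lines = new ArrayList<>();
        for (ACL acl : acls) {
            Id id = acl.getId();
            String line = "'" + id.getScheme() + ",'" + id.getId() + " : " + toLetters(acl.getPerms());
            if ("world".equals(id.getScheme()) && "anyone".equals(id.getId())
                    && (acl.getPerms() & ~ZooDefs.Perms.READ) != 0) line += "   <-- open beyond read";
            lines.add(line);
        }
        return lines;
    }
    public static void main(String[] args) {
        List<ACL> sample = Arrays.asList( // constructed sample standing in for zk.getACL(...)
            new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE),                  // 31, crdwa
            new ACL(fromLetters("cra"), new Id("digest", "alice:DIGEST_PLACEHOLDER"))); // 21
        audit(sample).forEach(System.out::println);
    }
}
```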
This sums up how to get the permission set of a znode. As usual, thanks for reading, and happy zookeeping!