About the ACL of Zookeeper

About the ACL of Zookeeper

Zhangrucong

Hi:

     I want to use the ACL of Zookeeper. So I configure the following configurations:

   

1、  high-availability.zookeeper.path.root: flink234

2、  high-availability.zookeeper.client.acl: creator

3、  zookeeper.sasl.disable: false

 

But when I use the ZK client to get the ACL, the result is:

 

It seems the ACL policy “creator” is not executed.

Am I missing anything to configure besides the above configurations?

 

Thanks in advance!

 


Re: About the ACL of Zookeeper

Till Rohrmann
Hi Zhangrucong,

I don't exactly know what's needed to use the ACL of ZooKeeper. I'm pulling
Vijay in who implemented this feature. He probably knows more about it.

Cheers,
Till

On Thu, Mar 2, 2017 at 3:09 AM, Zhangrucong <[hidden email]> wrote:

> Hi:
>
>      I want to use the ACL of Zookeeper. So I configure the following
> configurations:
>
>
>
> 1、  high-availability.zookeeper.path.root: flink234
>
> 2、  high-availability.zookeeper.client.acl: creator
>
> 3、  zookeeper.sasl.disable: false
>
>
>
> But, I use ZK client to get the ACL, the result is :
>
>
>
> It seems the acl policy “creator” is not executed.
>
> May I miss anything to configure besides the above configurations.
>
>
>
> Thanks in advance!
>
>
>

Re: About the ACL of Zookeeper

Stephan Ewen
Hi!

Is the ACL Kerberos-based? If yes, you need to make sure the Kerberos
module for ZooKeeper is loaded:

https://ci.apache.org/projects/flink/flink-docs-release-1.2/ops/security-kerberos.html
https://ci.apache.org/projects/flink/flink-docs-release-1.2/setup/jobmanager_high_availability.html#configuring-for-zookeeper-security

Stephan


On Thu, Mar 2, 2017 at 4:05 PM, Till Rohrmann <[hidden email]> wrote:

> Hi Zhangrucong,
>
> I don't exactly know what's needed to use the ACL of ZooKeeper. I'm pulling
> Vijay in who implemented this feature. He probably knows more about it.
>
> Cheers,
> Till
>
> On Thu, Mar 2, 2017 at 3:09 AM, Zhangrucong <[hidden email]>
> wrote:
>
> > Hi:
> >
> >      I want to use the ACL of Zookeeper. So I configure the following
> > configurations:
> >
> >
> >
> > 1、  high-availability.zookeeper.path.root: flink234
> >
> > 2、  high-availability.zookeeper.client.acl: creator
> >
> > 3、  zookeeper.sasl.disable: false
> >
> >
> >
> > But, I use ZK client to get the ACL, the result is :
> >
> >
> >
> > It seems the acl policy “creator” is not executed.
> >
> > May I miss anything to configure besides the above configurations.
> >
> >
> >
> > Thanks in advance!
> >
> >
> >
>

Re: About the ACL of Zookeeper

Vijay Srinivasaraghavan

I assume ZK is configured to use Kerberos. I would check a few configurations on the ZK side to make sure that the Kerberos configurations are working fine.

On the ZK server side configurations:
1) authProvider is configured to use the SASL authentication provider
2) ZK server is using appropriate JAAS entries to run in Kerberos mode

Validate if ZK is running properly in secure mode. Then, using standard zkCli.sh with proper JAAS configuration, validate if it can connect to ZK, create/access a znode, set an ACL on the node and validate if the ACL is working properly.

Having verified this, we could then change the Flink configuration to set the ACL to "creator" mode or "open" and enable/disable the client SASL connection.

Hope this helps.

Regards,
Vijay

    On Thursday, March 2, 2017 7:39 AM, Stephan Ewen <[hidden email]> wrote:
 

 Hi!

Is the ACL Kerberos-based? If yes, you need to make sure the Kerberos
module for ZooKeeper is loaded:

https://ci.apache.org/projects/flink/flink-docs-release-1.2/ops/security-kerberos.html
https://ci.apache.org/projects/flink/flink-docs-release-1.2/setup/jobmanager_high_availability.html#configuring-for-zookeeper-security

Stephan


On Thu, Mar 2, 2017 at 4:05 PM, Till Rohrmann <[hidden email]> wrote:

> Hi Zhangrucong,
>
> I don't exactly know what's needed to use the ACL of ZooKeeper. I'm pulling
> Vijay in who implemented this feature. He probably knows more about it.
>
> Cheers,
> Till
>
> On Thu, Mar 2, 2017 at 3:09 AM, Zhangrucong <[hidden email]>
> wrote:
>
> > Hi:
> >
> >      I want to use the ACL of Zookeeper. So I configure the following
> > configurations:
> >
> >
> >
> > 1、  high-availability.zookeeper.path.root: flink234
> >
> > 2、  high-availability.zookeeper.client.acl: creator
> >
> > 3、  zookeeper.sasl.disable: false
> >
> >
> >
> > But, I use ZK client to get the ACL, the result is :
> >
> >
> >
> > It seems the acl policy “creator” is not executed.
> >
> > May I miss anything to configure besides the above configurations.
> >
> >
> >
> > Thanks in advance!
> >
> >
> >
>
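A check for the symptom raised in this thread, as an added example (not code from the thread or from Flink): it classifies the output of zkCli.sh `getAcl` so a world-open znode is flagged instead of being read by eye. It assumes the usual zkCli.sh output of a `'scheme,'id` line followed by a `: perms` line; the function name, the sample outputs and the host placeholder are constructed for illustration.

```shell
#!/bin/sh
# classify_acl: read zkCli.sh `getAcl` output on stdin and print one of
#   open        world:anyone holds at least one permission (what "open" yields)
#   restricted  only authenticated identities (e.g. sasl) hold permissions,
#               which is what "creator" should yield for a SASL client
#   unknown     no ACL entry could be parsed (error text, missing node, ...)
classify_acl() {
    awk -v q="'" '
        # Identity line: <q>scheme,<q>id   e.g. <q>sasl,<q>flink
        index($0, q) == 1 {
            split(substr($0, 2), parts, "," q)
            scheme = parts[1]; id = parts[2]
            next
        }
        # Permission line that follows an identity line: ": cdrwa"
        /^: / && scheme != "" {
            entries++
            if (scheme == "world" && id == "anyone" && length($2) > 0)
                is_open = 1
            scheme = ""
        }
        END {
            if (entries == 0)  print "unknown"
            else if (is_open)  print "open"
            else               print "restricted"
        }
    '
}

# Constructed sample outputs (not captured from a real cluster).
SAMPLE_OPEN="'world,'anyone
: cdrwa"
SAMPLE_CREATOR="'sasl,'flink
: cdrwa"

printf '%s\n' "$SAMPLE_OPEN"    | classify_acl   # open
printf '%s\n' "$SAMPLE_CREATOR" | classify_acl   # restricted

# Against a live ensemble (ZK_HOST is a placeholder; /flink234 is the root
# path from the question), with the client JAAS configuration in place:
#   zkCli.sh -server ZK_HOST:2181 getAcl /flink234 | classify_acl
```

A result of `open` on a znode created after switching to "creator" points back to the checks above: the client did not authenticate over SASL, or the ACL setting was not picked up.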