MicroStrategy ONE

Configure Zookeeper ACLs

The znodes in Zookeeper have the World privilege by default. With the approach shown below, you can restrict administrative access for Zookeeper znodes to only the IP addresses of the Zookeeper, Kafka, and Consumer machines. Follow the steps below to change the ACL of znodes to an IP-based scheme.

Connect to Zookeeper Client and Enable ACLs for Particular Nodes

  1. Locate the file you need to connect to Zookeeper.

    Windows

    C:\Program Files (x86)\MicroStrategy\Messaging Services\Kafka\kafka_2.13-3.2.0\bin\windows\zookeeper-shell.bat

    Linux

    /opt/MicroStrategy/MessagingServices/Kafka/kafka_2.13-3.2.0/bin/zookeeper-shell.sh
  2. Connect to Zookeeper using zookeeper-shell.bat <IP1>:<Port>,<IP2>:<Port>.

    Windows

    .\zookeeper-shell.bat 10.23.39.148:2181,10.23.35.115:2181

    Linux

    ./zookeeper-shell.sh 10.23.36.181:2181,10.23.33.221:2181

  3. Verify the znodes in Zookeeper have the World privilege by running the following command:

    getAcl /brokers

  4. Reset ACLs on all of the znodes.

    setAcl -R / ip:<IP1>:cdrwa,ip:<IP2>:cdrwa,ip:<IP3>:cdrwa,...

    setAcl -R / ip:10.250.151.242:cdrwa,ip:10.250.155.99:cdrwa

  5. Verify the ACL of individual nodes by displaying all of the allowed znodes using the following command:

    getAcl /brokers

Ensure that the IP addresses of all Kafka, Zookeeper, and Consumer machines are included for the system to continue to work. In addition to these IP addresses, you can also include 127.0.0.1 for localhost access.
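An added example, not part of the MicroStrategy documentation: a shell function that audits saved `getAcl` output from step 5 and fails if a `world` entry remains or a required IP lacks `cdrwa`. The two-line-per-entry output format is an assumption about zookeeper-shell, the name `check_acl` is hypothetical, and the sample output is constructed from the example addresses in step 4.

```shell
#!/bin/sh
# Added example: audit `getAcl` output for leftover world access.
# Assumption: zookeeper-shell prints each ACL entry as two lines:
#   'scheme,'id
#   : perms

# check_acl REQUIRED_IP...   (reads getAcl output on stdin)
# Returns 0 only if no world entry remains and every required IP has cdrwa.
check_acl() {
    awk -v required="$*" -v q="'" '
        { sub(/\r$/, "") }                  # tolerate Windows line endings
        substr($0, 1, 1) == q {             # entry line 1: scheme and id
            line = $0; gsub(q, "", line)
            split(line, parts, ",")
            scheme = parts[1]; id = parts[2]
            next
        }
        /^: / && scheme != "" {             # entry line 2: permission string
            perms = substr($0, 3)
            if (scheme == "world") { print "FAIL world:" id " still has " perms; bad = 1 }
            if (scheme == "ip") seen[id] = perms
            scheme = ""
        }
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++) {
                if (!(want[i] in seen)) { print "FAIL ip:" want[i] " missing"; bad = 1 }
                else if (seen[want[i]] != "cdrwa") { print "FAIL ip:" want[i] " has " seen[want[i]]; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample output, not captured from a real cluster.
SAMPLE_BEFORE="'world,'anyone
: cdrwa"
SAMPLE_AFTER="'ip,'10.250.151.242
: cdrwa
'ip,'10.250.155.99
: cdrwa"

printf '%s\n' "$SAMPLE_BEFORE" | check_acl 10.250.151.242 10.250.155.99 || echo "before: world access present"
printf '%s\n' "$SAMPLE_AFTER" | check_acl 10.250.151.242 10.250.155.99 && echo "after: locked down"
```

Run it against the output for each znode you care about, passing the full list of Kafka, Zookeeper, and Consumer addresses as arguments.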

Test Consumer and Kafka

Once you set ACLs, test to make sure Consumer and Kafka are working.

  1. Stop all Kafka nodes.

  2. Stop all Zookeeper nodes.

  3. Start all Zookeeper nodes.

  4. After all Zookeeper nodes are up, start all Kafka nodes.

  5. Start Consumer.