Acceso protegido a Zookeeper basado en ACLs

1.- Connect to zookeepper client in shell:
zookeeper-client

2.- Authenticate, if needed (when root path is not set as world:anyone:cdrwa):
addauth digest osuser:osuser123

3.- List znodes:
ls /

4.- Get znodes permissions:
getAcl /
getAcl /registry

5.- Set znodes permissions as needed:
setAcl / auth:osuser:hadoop123:cdrwa
setAcl /registry auth:osuser:osuser123:cdrwa 

This is the list of znodes where we should apply the permissions:
[registry, hiveserver2, hiveserver2-leader, zookeeper, hadoop-ha, rmstore, atsv2-hbase-unsecure, ambari-metrics-cluster]

Revert permissions (Execute steps 1, 2, 3 and then) -> setAcl /znode_name world:anyone:cdrwa

setAcl /someZNode ip:192.168.1.5:crdwa

clientPort=2181
initLimit=10
autopurge.purgeInterval=24
syncLimit=5
tickTime=3000
dataDir=/hadoop/zookeeper
autopurge.snapRetainCount=30
server.1=zookeeper1.myserver.com:2888:3888
server.2=zookeeper2.myserver.com:2888:3888
server.3=zookeeper3.myserver.com:2888:3888

About the permission set this is the equivalence:
    • (R)ead
    • (W)rite 
    • (C)reate
    • (D)elete
    • (A)dmin

java -cp "/usr/hdp/3.1.4.0-315/hadoop/lib/zookeeper-3.4.6.3.1.4.0-315.jar:/usr/hdp/3.1.4.0-315/hadoop/lib/slf4j-api-1.7.25.jar" org.apache.zookeeper.server.auth.DigestAuthenticationProvider hadoop:hadoop_pass

ZooKeeper -server host:port cmd args
        stat path [watch]
        set path data [version]
        ls path [watch]
        delquota [-n|-b] path
        ls2 path [watch]
        setAcl path acl
        setquota -n|-b val path
        history
        redo cmdno
        printwatches on|off
        delete path [version]
        sync path
        listquota path
        rmr path
        get path [watch]
        create [-s] [-e] path data acl
        addauth scheme auth
        quit
        getAcl path
        close
        connect host:port