How to generate a Zookeeper root password (superDigest) using standard unix tools

You may want to generate a Zookeeper superDigest without making use of the built-in org.apache.zookeeper.server.auth.DigestAuthenticationProvider class if, for example, you’re using configuration management tools such as Puppet or Chef and normally generate authentication values outside of the environment where they’ll be used.

The Zookeeper documentation on this is vague at best, and I eventually had to resort to reading the source code for this function, which for some reason includes the “super:” prefix in the digest. This can be seen in the source code responsible for the generation of the digest:

    static public String generateDigest(String idPassword)
            throws NoSuchAlgorithmException {
        String parts[] = idPassword.split(":", 2);
        byte digest[] = MessageDigest.getInstance("SHA1").digest(
                idPassword.getBytes());
        return parts[0] + ":" + base64Encode(digest);
    }

The function splits the input (in the format “super:password”) into two parts, but uses that array only to prepend the user name to the result. The SHA-1 hash itself is computed over the full input string, “super:” prefix included.

For example, if your password is “hunter2”, you need to do the following to generate a functioning digest:

$ echo -n "super:hunter2" | openssl sha1 -binary | base64
V1o6/gHR24bI2f+NOZanWPgr+eg=

Then, when you launch Zookeeper, you would use the following in addition to the standard command line:

-Dzookeeper.DigestAuthenticationProvider.superDigest=super:V1o6/gHR24bI2f+NOZanWPgr+eg=

Took me a while to figure out that my original attempts weren’t working because I didn’t include “super:” in the password.
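The same computation wrapped as POSIX shell functions, as an added example that is not from the original post or from Zookeeper. It uses printf rather than echo -n (which some /bin/sh implementations print literally), can take the password from stdin instead of the command line, and can check a password against an existing digest. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ZooKeeper.

# base64(SHA-1(bytes of $1)). printf '%s' never appends a newline.
sha1_b64() {
    printf '%s' "$1" | openssl sha1 -binary | base64
}

# zk_digest USER PASSWORD -> USER:base64(sha1("USER:PASSWORD"))
# The hash covers the whole "USER:PASSWORD" string, as in generateDigest().
zk_digest() {
    printf '%s:%s\n' "$1" "$(sha1_b64 "$1:$2")"
}

# zk_digest_stdin USER: take the password from the first line of stdin, so it
# stays out of shell history and the process list. read strips the trailing
# newline, so a newline at the end of a password file is not hashed.
zk_digest_stdin() {
    IFS= read -r zk_pw || [ -n "$zk_pw" ] || return 1
    zk_digest "$1" "$zk_pw"
    unset zk_pw
}

# zk_verify DIGEST PASSWORD: succeed if PASSWORD reproduces DIGEST.
# The user is the text before the first ':', matching split(":", 2).
zk_verify() {
    zk_user=${1%%:*}
    [ "$(zk_digest "$zk_user" "$2")" = "$1" ]
}

# Constructed demo using the post's example password.
printf '%s%s\n' '-Dzookeeper.DigestAuthenticationProvider.superDigest=' \
    "$(zk_digest super hunter2)"
```

From a configuration management run, pipe the secret into zk_digest_stdin super rather than passing it as an argument.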

 
