zookeeper-dev mailing list archives

From "Benjamin Reed (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (ZOOKEEPER-2772) Delete node command does not honor Acl policy
Date Wed, 17 May 2017 14:33:05 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Reed resolved ZOOKEEPER-2772.
--------------------------------------
    Resolution: Not A Bug

> Delete node command does not honor Acl policy
> ---------------------------------------------
>
>                 Key: ZOOKEEPER-2772
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.4.8, 3.4.10
>            Reporter: joe smith
>
> I set the acl to not be able to delete a node - but was able to delete regardless.
> I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue.  I will paste his response below - sorry for the long listing.
> Martin's replies are inline, prefixed with: MG>
> ----------
> From: joe smith <water4u99@yahoo.com.INVALID>
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: user@zookeeper.apache.org
> Subject: Acl block detete not working
> Hi,
> I'm using 3.4.10 and setting a custom acl to block deletion of a znode.  However, I'm able to delete the node even after I've set the acl from cdrwa to cra.
> Can anyone point out if I missed some step.
> Thanks for the help
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 1] create /test "data"
> Created /test
> [zk: localhost:2181(CONNECTED) 2] ls /
> [zookeeper, test]
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
>     List<ACL> acl = AclParser.parse(aclStr);
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>             Stat stat = zk.setACL(path, acl, version);
> MG>later on in DeleteCommand there is no check for aforementioned acl parameter
>   public boolean exec() throws KeeperException, InterruptedException {
>         String path = args[1];
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>         zk.delete(path, version);
>         } catch(KeeperException.BadVersionException ex) {
>             err.println(ex.getMessage());
>         }
>         return false;
> MG>as seen here the testCase works properly saving the Zookeeper object
>     LsCommand entity = new LsCommand();
>         entity.setZk(zk);
> MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
> MG>can you report this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
> MG>Thanks Joe!
> [zk: localhost:2181(CONNECTED) 5] getAcl /test
> 'myfqdn,'localhost
> : cra
> [zk: localhost:2181(CONNECTED) 6] get /testdata
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
> Authentication is not valid : /test
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 10]
> The auth provider implementation is here: http://s000.tinyupload.com/?file_id=42827186839577179157



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
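
Added example, not part of the thread or of the ZooKeeper code base: the ZooKeeper documentation defines the CREATE and DELETE permissions as applying to a node's children, so a delete is authorized against the parent's ACL, which is consistent with the session reported above. This simplified Python model replays that session and then a constructed variant in which `d` is withheld on the parent; the class and function names, the `/app` path, and exact-match identity comparison are assumptions of the model.

```python
# Simplified model of ZooKeeper ACL enforcement (added example, not ZooKeeper source).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16      # values of ZooDefs.Perms
ALL = READ | WRITE | CREATE | DELETE | ADMIN
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}
OPEN = [("world", "anyone", ALL)]                         # default ACL in this model
RULES = {"create": ("parent", CREATE), "delete": ("parent", DELETE),  # op -> (ACL consulted, perm)
         "setData": ("node", WRITE), "setAcl": ("node", ADMIN)}

def parse_perms(text):
    """Turn a zkCli permission string such as 'cra' into a bit mask."""
    return sum({LETTERS[ch] for ch in text})

def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"

class Tree:
    def __init__(self):
        self.acls = {"/": list(OPEN)}                     # path -> [(scheme, id, perms)]

    def request(self, op, path, auth, acl=None):
        """Apply `op` if the consulted ACL grants it; return 'ok' or 'NoAuth'."""
        target, perm = RULES[op]
        checked = parent_of(path) if target == "parent" else path
        ids = set(auth) | {("world", "anyone")}
        if not any((s, i) in ids and p & perm for s, i, p in self.acls[checked]):
            return "NoAuth"
        if op == "create":
            self.acls[path] = list(OPEN)
        elif op == "setAcl":
            self.acls[path] = acl
        elif op == "delete":
            del self.acls[path]
        return "ok"

def replay():
    """Replay the reported session, then the same delete under a restricted parent."""
    me = [("myfqdn", "localhost")]                        # from `addauth myfqdn localhost`
    cra = [("myfqdn", "localhost", parse_perms("cra"))]
    t, out = Tree(), {}
    t.request("create", "/test", me)
    t.request("setAcl", "/test", me, cra)
    out["set /test"] = t.request("setData", "/test", me)
    out["delete /test"] = t.request("delete", "/test", me)
    # Constructed follow-up: withhold 'd' on the parent rather than on the node.
    for path in ("/app", "/app/test"):
        t.request("create", path, me)
    t.request("setAcl", "/app", me, cra)
    out["delete /app/test"] = t.request("delete", "/app/test", me)
    return out
```

To keep a znode from being deleted, the ACL of its parent has to omit `d`; for a node directly under `/` that means the root ACL.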
