zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2779) Add option to not set ACL for reconfig node
Date Tue, 09 May 2017 14:18:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16002752#comment-16002752
] 

ASF GitHub Bot commented on ZOOKEEPER-2779:
-------------------------------------------

GitHub user Randgalt opened a pull request:

    https://github.com/apache/zookeeper/pull/248

    [ZOOKEEPER-2779} Provide a means to disable setting of the Read Only ACL for the reconfig
node

    Provide a means to disable setting of the Read Only ACL for the reconfig node added in
ZOOKEEPER-2014. That change made it very cumbersome to use the reconfig feature and also could
worsen security as the entire ZK database is open to "super" user while the reconfig node
is being changed (the only possible method as of ZOOKEEPER-2014).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Randgalt/zookeeper ZOOKEEPER-2779

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/248.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #248
    
----
commit de07e525ec8b4aa24283eedb159f8df2b576e71b
Author: randgalt <jordan@jordanzimmerman.com>
Date:   2017-05-09T14:12:41Z

    Provide a means to disable setting of the Read Only ACL for the reconfig node added in
ZOOKEEPER-2014. That change made it very cumbersome to use the reconfig feature and also could
worsen security as the entire ZK database is open to "super" user while the reconfig node
is being changed (the only possible method as of ZOOKEEPER-2014).

----


> Add option to not set ACL for reconfig node
> -------------------------------------------
>
>                 Key: ZOOKEEPER-2779
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2779
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.5.3
>            Reporter: Jordan Zimmerman
>            Assignee: Jordan Zimmerman
>             Fix For: 3.5.4, 3.6.0
>
>
> ZOOKEEPER-2014 changed the behavior of the /zookeeper/config node by setting the ACL
to {{ZooDefs.Ids.READ_ACL_UNSAFE}}. This change makes it very cumbersome to use the reconfig
APIs. It also, perversely, makes security worse as the ZooKeeper instance must be opened to
"super" user while enabled reconfig (per {{ReconfigExceptionTest.java}}). Provide a mechanism
for savvy users to disable this ACL so that an application-specific custom ACL can be set.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message