Date: Sat, 13 May 2017 05:53:04 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: dev@zookeeper.apache.org
Subject: [jira] [Commented] (ZOOKEEPER-2772) Delete node command does not honor Acl policy

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009154#comment-16009154 ]

ASF GitHub Bot commented on ZOOKEEPER-2772:
-------------------------------------------

Github user eribeiro commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/252#discussion_r116351552

--- Diff: src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java ---
@@ -389,8 +389,8 @@ protected void pRequest2Txn(int type, long zxid, Request request, Record record, parentPath = path.substring(0, lastSlash); parentRecord = getRecordForPath(parentPath); ChangeRecord nodeRecord = getRecordForPath(path); - checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, - request.authInfo); + checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);
--- End diff --

I see that when we create a znode we need to check the ACL of the parent. But do we still need to check the parent when we are deleting?

/cc @phunt @fpj

> Delete node command does not honor Acl policy
> ---------------------------------------------
>
>                 Key: ZOOKEEPER-2772
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.4.8, 3.4.10
>            Reporter: joe smith
>
> I set the acl to not be able to delete a node - but was able to delete regardless.
> I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue. I will paste his response below - sorry for the long listing.
> Martin's replies are inline prefixed with: MG>
> ----------
> From: joe smith
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: user@zookeeper.apache.org
> Subject: Acl block detete not working
>
> Hi,
> I'm using 3.4.10 and setting custom acl to block deletion of a znode. However, I'm able to delete the node even after I've set acl from cdrwa to cra.
> Can anyone point out if I missed some step.
> Thanks for the help
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 1] create /test "data"
> Created /test
> [zk: localhost:2181(CONNECTED) 2] ls /
> [zookeeper, test]
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
>
> MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
>     List acl = AclParser.parse(aclStr);
>     int version;
>     if (cl.hasOption("v")) {
>         version = Integer.parseInt(cl.getOptionValue("v"));
>     } else {
>         version = -1;
>     }
>     try {
>         Stat stat = zk.setACL(path, acl, version);
>
> MG>later on in DeleteCommand there is no check for aforementioned acl parameter
>     public boolean exec() throws KeeperException, InterruptedException {
>         String path = args[1];
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>             zk.delete(path, version);
>         } catch(KeeperException.BadVersionException ex) {
>             err.println(ex.getMessage());
>         }
>         return false;
>
> MG>as seen here the testCase works properly saving the Zookeeper object
>     LsCommand entity = new LsCommand();
>     entity.setZk(zk);
>
> MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
> MG>can you report this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
> ZooKeeper - ASF JIRA - issues.apache.org
> issues.apache.org
> Apache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7
>
> MG>Thanks Joe!
>
> [zk: localhost:2181(CONNECTED) 5] getAcl /test
> 'myfqdn,'localhost
> : cra
> [zk: localhost:2181(CONNECTED) 6] get /testdata
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
> Authentication is not valid : /test
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 10]
> The auth provider impl is here: http://s000.tinyupload.com/?file_id=42827186839577179157

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
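
Review bot: the checkACL call on the `+` line of the pRequest2Txn hunk still passes parentRecord.acl, so this hunk does not change which ACL decides a delete; the only difference from the two removed lines is the line wrap, and the nodeRecord fetched on the context line above still plays no part in the check. If the pull request is meant to address ZOOKEEPER-2772, the behaviour in the reported trace (setAcl on /test itself, then delete /test succeeding) is untouched by this hunk. Either drop the whitespace-only edit so the diff shows only functional changes, or keep it and add a comment above the call stating why the parent's ACL rather than nodeRecord's is consulted for ZooDefs.Perms.DELETE.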
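
The following is an added example, not code from ZooKeeper or from anyone in this thread: a small stand-alone model of the check visible in the hunk, replaying the reporter's trace to show why `set /test` is refused while `delete /test` goes through, and what ACL change actually blocks the delete. `DeleteAclModel`, `Acl` and the helper names are hypothetical, the root ACL of `world:anyone:cdrwa` is an assumption about the reporter's server, and the `record` syntax needs Java 16 or later.

```java
import java.util.*;

// Simplified model of the delete-time ACL check (added example, not ZooKeeper's code).
public class DeleteAclModel {
    // Hypothetical ACL entry: a "scheme:id" string and its permission bits.
    record Acl(String id, int perms) {}

    static final int WRITE = 1 << 1, DELETE = 1 << 3;   // same values as ZooDefs.Perms
    static final Map<String, List<Acl>> ACLS = new HashMap<>();

    // Turn CLI letters such as "cra" into a bitmask (r=1, w=2, c=4, d=8, a=16).
    static int perms(String letters) {
        int p = 0;
        for (char c : letters.toCharArray()) {
            int i = "rwcda".indexOf(c);
            if (i < 0) throw new IllegalArgumentException("unknown perm: " + c);
            p |= 1 << i;
        }
        return p;
    }

    // Granted if some entry carries the bit and matches world:anyone or a session id.
    static boolean allowed(List<Acl> acl, int perm, Set<String> ids) {
        return acl.stream().anyMatch(a -> (a.perms() & perm) != 0
                && (a.id().equals("world:anyone") || ids.contains(a.id())));
    }

    static String parentOf(String path) {
        int lastSlash = path.lastIndexOf('/');
        return lastSlash == 0 ? "/" : path.substring(0, lastSlash);
    }

    // As in the hunk: DELETE is checked against the parent's ACL, not the node's.
    static boolean canDelete(String path, Set<String> ids) {
        return allowed(ACLS.get(parentOf(path)), DELETE, ids);
    }

    public static void main(String[] args) {
        Set<String> session = Set.of("myfqdn:localhost");                 // after addauth
        ACLS.put("/", List.of(new Acl("world:anyone", perms("cdrwa"))));  // assumed root ACL
        ACLS.put("/test", List.of(new Acl("myfqdn:localhost", perms("cra"))));
        System.out.println("set /test allowed:    " + allowed(ACLS.get("/test"), WRITE, session));
        System.out.println("delete /test allowed: " + canDelete("/test", session));
        // Constructed mitigation: remove 'd' from the parent's ACL instead of the node's.
        ACLS.put("/", List.of(new Acl("world:anyone", perms("crwa"))));
        System.out.println("delete /test allowed: " + canDelete("/test", session));
    }
}
```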