zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1782) zookeeper.superUser is not as super as superDigest
Date Wed, 21 Jun 2017 18:28:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057980#comment-16057980
] 

ASF GitHub Bot commented on ZOOKEEPER-1782:
-------------------------------------------

Github user arshadmohammad commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/282#discussion_r123329247
  
    --- Diff: src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java
---
    @@ -38,11 +38,6 @@ public String getScheme() {
         }
     
         public boolean matches(String id,String aclExpr) {
    -        if (System.getProperty("zookeeper.superUser") != null) {
    -            if (id.equals(System.getProperty("zookeeper.superUser")) || id.equals(aclExpr))
{
    -              return true;
    -            }
    -        }
             if ((id.equals("super") || id.equals(aclExpr))) {
    --- End diff --
    
    Thanks @revans2 for the details.
    On second thought, it would not be appropriate to break the backward compatibility. So
can you please revert changes done for this comment. Rest all looks good to me.


> zookeeper.superUser is not as super as superDigest
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1782
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1782
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.4.5
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>         Attachments: zk-1782.patch, zk-1782.patch
>
>
> The zookeeper.superUser system property does not fully grant super user privileges, like
zookeeper.DigestAuthenticationProvider.superDigest does.
> zookeeper.superUser only has as many privileges as the sasl ACLs on the znode being accessed.
 This means that if a znode only has digest ACLs zookeeper.superUser is ignored.  Or if a
znode has a single sasl ACL that only has read privileges zookeeper.superUser only has read
privileges.
> The reason for this is that SASLAuthenticationProvider implements the superUser check
in the matches method, instead of having the super user include a new Id("super","") as Digest
does.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message