zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bhupendra Kumar Jain (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2591) The deletion of Container znode doesn't check ACL delete permission
Date Fri, 30 Jun 2017 08:16:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16069679#comment-16069679
] 

Bhupendra Kumar Jain commented on ZOOKEEPER-2591:
-------------------------------------------------

I agree that DeleteContainer client API is not provided but what If a malicious user creates
the DeleteContainer request by his own and sends to server ? do server have any check to safeguard
against this ? 

> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2591
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Edward Ribeiro
>            Assignee: Edward Ribeiro
>
> Container nodes check the ACL before creation, but the deletion doesn't check  the ACL
rights. The code below succeeds even tough we removed ACL access permissions for "/a".
> {code}
>         zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
>         ArrayList<ACL> list = new ArrayList<>();
>         list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
>         zk.setACL("/", list, -1);
>         zk.delete("/a", -1);
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message