zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bhupendra Kumar Jain (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2591) The deletion of Container znode doesn't check ACL delete permission
Date Sat, 08 Jul 2017 18:13:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16079260#comment-16079260

Bhupendra Kumar Jain commented on ZOOKEEPER-2591:

As I understand, Request object  (org.apache.zookeeper.server.Request) is created in server
side only.  Idea was to have boolean to indicate the type of request like system internal
request or client request.  Since this boolean will be set only by server so client can not
control this. We can also do this by some other way like extend Request to create DeleteContainerRequest
and check the request oject instance type in prepRequestProcessor.

Another possibility is to somehow disallow OpCode.deleteContainer coming from a connected

I agree your idea  to disallow deleteContainer request from client completely. That way there
is no need to add ACL check . I think we can check this in processPacket() method before submitting
the request to request Processor.

> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>                 Key: ZOOKEEPER-2591
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Edward Ribeiro
>            Assignee: Edward Ribeiro
> Container nodes check the ACL before creation, but the deletion doesn't check  the ACL
rights. The code below succeeds even tough we removed ACL access permissions for "/a".
> {code}
>         zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
>         ArrayList<ACL> list = new ArrayList<>();
>         list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
>         zk.setACL("/", list, -1);
>         zk.delete("/a", -1);
> {code}

This message was sent by Atlassian JIRA

View raw message