zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "maoling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2584) when setquota for a znode and set ip/user ACL on /zookeeper/quota, still able to delete the quota from client with another ip though it says "Authentication is not valid"
Date Tue, 28 May 2019 11:02:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16849598#comment-16849598
] 

maoling commented on ZOOKEEPER-2584:
------------------------------------

I got it.

1. the scope of d(delete) of *crdwa* is only the child nodes(first level) under the path you
input.

If one user do this: *setAcl /zookeeper/quota auth:user:pass:crdwa*

ohters cannot have the permission to operate the nodes under */zookeeper/quota*, but still
have the delete permission to delete the */zookeeper/quota/test/zookeeper_limits* under */zookeeper/quota/test*

*ACL has no Inheritance relationship.*

2.To solve this issue, users can do this:

*setAcl /zookeeper/quota/test auth:user1:12345:crwad*

or

*setAcl -R /zookeeper/quota auth:user1:12345:crwad*  (availble in the master branch)

> when setquota for a znode and set ip/user ACL on /zookeeper/quota, still able to delete
the quota from client with another ip though it says "Authentication is not valid"
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2584
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2584
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.1
>            Reporter: Rakesh Kumar Singh
>            Assignee: Rakesh Kumar Singh
>            Priority: Major
>
> when setquota for a znode and set ip/user ACL on /zookeeper/quota, still able to delete
the quota from client with another ip though it says "Authentication is not valid"
> >> Set quota and ip ACL from one client (with IP 10.18.101.80)
> [zk: 10.18.101.80:2181(CONNECTED) 9] setquota -n 10 /test
> [zk: 10.18.101.80:2181(CONNECTED) 10] setAcl /zookeeper/quota ip:10.18.101.80:crdwa
> [zk: 10.18.101.80:2181(CONNECTED) 11] 
> >> Try to delete the set quota using different client(with ip 10.18.219.50)
> [zk: 10.18.219.50:2181(CONNECTED) 22] listquota /test
> absolute path is /zookeeper/quota/test/zookeeper_limits
> Output quota for /test count=10,bytes=-1
> Output stat for /test count=1,bytes=5
> [zk: 10.18.219.50:2181(CONNECTED) 23] delquota /test
> Authentication is not valid : /zookeeper/quota/test
> [zk: 10.18.219.50:2181(CONNECTED) 24] listquota /test
> absolute path is /zookeeper/quota/test/zookeeper_limits
> quota for /test does not exist.
> >> Here quota has been deleted though it is saying "Authentication is not valid.."
which is not correct.
> Now try to set the quota from another ip itself, it fails which is as expected
> [zk: 10.18.219.50:2181(CONNECTED) 25] setquota -n 10 /test
> Authentication is not valid : /zookeeper/quota/test
> [zk: 10.18.219.50:2181(CONNECTED) 26] listquota /test
> absolute path is /zookeeper/quota/test/zookeeper_limits
> quota for /test does not exist.
> >> Sameway when we set user ACL...
> [zk: 10.18.101.80:2181(CONNECTED) 26] addauth digest user:pass
> [zk: 10.18.101.80:2181(CONNECTED) 27] create /test hello
> Node already exists: /test
> [zk: 10.18.101.80:2181(CONNECTED) 28] delete /test
> [zk: 10.18.101.80:2181(CONNECTED) 29] create /test hello
> Created /test
> [zk: 10.18.101.80:2181(CONNECTED) 30] 
> [zk: 10.18.101.80:2181(CONNECTED) 30] setquota -n 10 /test
> [zk: 10.18.101.80:2181(CONNECTED) 31] setAcl /zookeeper/quota auth:user:pass:crdwa
> [zk: 10.18.101.80:2181(CONNECTED) 32] 
> [zk: 10.18.219.50:2181(CONNECTED) 27] listquota /test
> absolute path is /zookeeper/quota/test/zookeeper_limits
> Output quota for /test count=10,bytes=-1
> Output stat for /test count=1,bytes=5
> [zk: 10.18.219.50:2181(CONNECTED) 28] delquota /test
> Authentication is not valid : /zookeeper/quota/test
> [zk: 10.18.219.50:2181(CONNECTED) 29] listquota /test
> absolute path is /zookeeper/quota/test/zookeeper_limits
> quota for /test does not exist.
> [zk: 10.18.219.50:2181(CONNECTED) 30]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message