zookeeper-user mailing list archives

From Rakesh R <rake...@huawei.com>
Subject RE: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd
Date Fri, 25 May 2012 14:52:04 GMT
Hi Pat,

Thanks for looking. Actually I'm using the 3.4.3 release, and I have seen similar checks for
parsing the ACLs in this version as well.

I have created /app1 and /app2 using the following commands:

create /app1 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa
create /app2 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa

I just saw the following acl checks in the PrepRequestProcessor.java for delete command:
                checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);

Here the delete command is using 'parentRecord.acl' for ACL checks. In my case app1 and app2 are
created directly under '/'.
If my understanding is correct, '/' has the ZooDefs.Ids.ANYONE_ID_UNSAFE permission, and when any
user comes to delete the children of '/', it's just validating against 'world:anyone' of
root and allowing the delete. I'm worried about the authentication of the znodes under the root
node. I'd like to know your opinion on this.

From: Patrick Hunt [phunt@apache.org]
Sent: Friday, May 25, 2012 5:48 AM
To: user@zookeeper.apache.org
Subject: Re: sasl authentication is given to the user during create nodes, node deletion is
happening with 'delete' cmd

When you created the znodes did you specify acls or just take the
defaults? (zkcli defaults are permissive), here's the create znode

        List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
        if (args.length > 3) {
            acl = AclParser.parse(args[3]);
        }


On Tue, May 22, 2012 at 3:49 AM, Rakesh R <rakeshr@huawei.com> wrote:
> Hi All,
> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using the delete
> Say, I have created two znodes:
>  'app1' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
>  'app2' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
> Now, I have logged in as zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM
> and this is not given as super user. When I tried to delete the znodes '/app1' and '/app2',
> it is allowing and not authenticating.
> Here, I'm thinking that 'zkcli' will not have the access to delete these two nodes.
> Is this a problem or anything I'm missing. Can you please help me to resolve this and
> how the security can be applied here.
> Thanks,
> Rakesh
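
The following is an added example, not part of the original messages and not ZooKeeper's own code: a simplified Python model of the check discussed in this thread, where DELETE is evaluated against the parent's ACL. It assumes exact scheme/id matching, and the /secure parent znode is hypothetical.

```python
# Simplified model of ZooKeeper's per-operation ACL checks (added example).
# Assumption: an entry matches on equal (scheme, id) or when it is world:anyone.
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # bit values as in ZooDefs.Perms

def parse_acl(spec):
    """'sasl:user/host@REALM:cdrwa' -> (scheme, id, permission bits)."""
    scheme, rest = spec.split(":", 1)
    ident, letters = rest.rsplit(":", 1)
    return scheme, ident, sum(PERMS[ch] for ch in letters)

class Tree:
    def __init__(self):
        # The root znode starts out open to world:anyone with all permissions.
        self.acls = {"/": [parse_acl("world:anyone:cdrwa")]}

    def _allowed(self, path, perm, auth):
        return any(bits & PERMS[perm] and (scheme, ident) in (("world", "anyone"), auth)
                   for scheme, ident, bits in self.acls[path])

    @staticmethod
    def parent(path):
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path, acl_specs, auth):
        if not self._allowed(self.parent(path), "c", auth):  # CREATE: parent's ACL
            return False
        self.acls[path] = [parse_acl(s) for s in acl_specs]
        return True

    def delete(self, path, auth):
        # DELETE is checked on the parent's ACL; the znode's own ACL is not consulted.
        if not self._allowed(self.parent(path), "d", auth):
            return False
        del self.acls[path]
        return True

    def set_data(self, path, auth):
        return self._allowed(path, "w", auth)  # WRITE: the znode's own ACL

HBASE = ("sasl", "hbase/host-10-18-40-40.hadoop.com@HADOOP.COM")
ZKCLI = ("sasl", "zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM")
OWNER_ACL = ["sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa"]

def demo():
    t = Tree()
    t.create("/app1", OWNER_ACL, HBASE)
    t.create("/secure", OWNER_ACL, HBASE)  # hypothetical restricted parent
    t.create("/secure/app2", OWNER_ACL, HBASE)
    return {"zkcli writes /app1": t.set_data("/app1", ZKCLI),
            "zkcli deletes /app1": t.delete("/app1", ZKCLI),
            "zkcli deletes /secure/app2": t.delete("/secure/app2", ZKCLI),
            "hbase deletes /secure/app2": t.delete("/secure/app2", HBASE)}
```

In this model the znode under the open root can be removed by any authenticated client even though its data is write-protected, while the znode under a parent whose ACL grants DELETE only to the owner is not.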
