zookeeper-user mailing list archives

From Rakesh R <rake...@huawei.com>
Subject RE: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd
Date Mon, 04 Jun 2012 12:48:10 GMT


Thank you Pat :)

________________________________________
From: Patrick Hunt [phunt@apache.org]
Sent: Wednesday, May 30, 2012 10:01 PM
To: user@zookeeper.apache.org
Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd

You can use setacl on root if you'd like to change permissions to be
more restrictive.

Patrick

On Fri, May 25, 2012 at 7:52 AM, Rakesh R <rakeshr@huawei.com> wrote:
> Hi Pat,
>
> Thanks for looking. Actually I'm using 3.4.3 release, and I have seen the similar checks for parsing the ACLs in this version also.
>
> I have created /app1 and /app2 using the following commands:
>
> create /app1 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa
> create /app2 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa
>
> I just saw the following acl checks in the PrepRequestProcessor.java for delete command:
>
>                checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);
>
> Here the delete command is using 'parentRecord.acl' for ACL checks. In my case app1 and app2 are created directly under the '/'.
> If my understanding is correct, '/' has ZooDefs.Ids.ANYONE_ID_UNSAFE permission and when any user comes for deleting the children of '/', it's just validating against 'world:anyone' of root and allowing to delete. I'm worrying about the authentication of the znodes under root node. I'd like to know your opinion on this.
>
> Thanks,
> Rakesh
> ________________________________________
> From: Patrick Hunt [phunt@apache.org]
> Sent: Friday, May 25, 2012 5:48 AM
> To: user@zookeeper.apache.org
> Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd
>
> When you created the znodes did you specify acls or just take the
> defaults? (zkcli defaults are permissive), here's the create znode
> code:
>
>        List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
>        if (args.length > 3) {
>            acl = AclParser.parse(args[3]);
>        }
>
> Patrick
>
> On Tue, May 22, 2012 at 3:49 AM, Rakesh R <rakeshr@huawei.com> wrote:
>> Hi All,
>>
>> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using the delete command.
>>
>> Say, I have created two znodes:
>>
>>  'app1' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
>>  'app2' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
>>
>> Now, I have logged in as zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM and this is not given as super user. When I tried to delete the znodes '/app1' and '/app2', it is allowing and not authenticating.
>>
>> Here, I'm thinking that 'zkcli' will not have the access to delete these two nodes.
>>
>> Is this a problem or anything I'm missing? Can you please help me to resolve this and how the security can be applied here.
>>
>>
>> Thanks,
>> Rakesh
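
The behaviour discussed in this thread, as an added example that is not part of the original messages or of ZooKeeper's source: a simplified Python model of the delete check (world and sasl schemes only), showing that DELETE is evaluated against the parent's ACL and how a restricted root ACL changes the result. The restricted root ACL and all helper names are assumptions made for illustration.

```python
# Simplified model of the ZooKeeper delete check discussed in this thread.
# Not ZooKeeper code: only the world and sasl schemes are modelled.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16   # ZooDefs.Perms bit values
ALL = READ | WRITE | CREATE | DELETE | ADMIN
WORLD_ANYONE = ("world", "anyone")

HBASE = ("sasl", "hbase/host-10-18-40-40.hadoop.com@HADOOP.COM")
ZKCLI = ("sasl", "zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM")


def check_acl(acl, perm, auth_ids):
    """True if any ACL entry grants perm to world:anyone or to one of auth_ids."""
    return any(perms & perm and (ident == WORLD_ANYONE or ident in auth_ids)
               for ident, perms in acl)


def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"


def can_delete(tree, path, auth_ids):
    """Delete is authorized against the parent's ACL, not the node's own ACL."""
    return check_acl(tree[parent_of(path)], DELETE, auth_ids)


def world_deletable(tree):
    """Audit helper: znodes whose parent grants DELETE to world:anyone."""
    return sorted(p for p in tree
                  if p != "/" and check_acl(tree[parent_of(p)], DELETE, []))


def build_tree(root_acl):
    # Constructed sample mirroring the thread: /app1 and /app2 under '/'.
    own = [(HBASE, ALL)]
    return {"/": root_acl, "/app1": own, "/app2": own}


open_root = build_tree([(WORLD_ANYONE, ALL)])            # permissive root ACL
# Assumed restrictive root ACL (one possible choice after setAcl on '/').
tight_root = build_tree([(HBASE, ALL), (WORLD_ANYONE, READ)])

if __name__ == "__main__":
    for name, tree in (("open root", open_root), ("restricted root", tight_root)):
        print(name, "zkcli can delete /app1:", can_delete(tree, "/app1", [ZKCLI]),
              "| world-deletable:", world_deletable(tree))
```

The `world_deletable` helper is the audit view of the same rule: any znode it lists can be removed by an unauthenticated client regardless of the ACL set on the znode itself.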
