zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bharath Ravi Kumar <reachb...@gmail.com>
Subject Re: Problem specifying ACLs
Date Sun, 07 Feb 2016 05:39:32 GMT
Hi Patrick,

Thanks for the response. Turns out it was an oversight at my end. I had
assumed I had set world:anyone:r on "/" in the post-deployment script, but
the command had failed to execute after a recent change. Once that was
fixed, the rest of the acl setup worked just fine. My apologies for the
oversight.

-Bharath


On Sun, Feb 7, 2016 at 9:35 AM, Patrick Hunt <phunt@apache.org> wrote:

> Hi Bharath. I could be wrong, but I believe you are mis-interpreting
> the permissions. Please see:
>
> http://zookeeper.apache.org/doc/r3.4.5/zookeeperProgrammers.html#sc_ACLPermissions
>
> Note that create/delete apply to child nodes, not the node itself.
>
> "DELETE: you can delete a child node"
>
> I don't know what you've set for "/" though, so it's hard to say
> definitively.
>
> Patrick
>
> On Sat, Feb 6, 2016 at 5:47 PM, Bharath Ravi Kumar <reachbach@gmail.com>
> wrote:
> > Can someone please clarify if this is indeed a bug, or if my usage is
> > incorrect? (I have *not* set zookeeper.skipACL to true).
> >
> > Thanks.
> >
> > On Sat, Feb 6, 2016 at 8:14 PM, Bharath Ravi Kumar <reachbach@gmail.com>
> > wrote:
> >
> >> +dev
> >> On 06-Feb-2016 3:48 pm, "Bharath Ravi Kumar" <reachbach@gmail.com>
> wrote:
> >>
> >>> Hi,
> >>>
> >>> It appears that ACL's set through setAcl or create aren't being
> honoured.
> >>> I  created a node through the zkCli as follows:
> >>> create /apps apps_root
> >>> digest:appsadmin:ukP2eoiopvSwCQaWSu3LI7qCLOQ=:crdwa,world:anyone:r
> >>> I expect the above to have the effect of granting read (and list)
> >>> permissions on /apps but to allow appsadmin to perform any action on
> the
> >>> node. I verified that the ACL's had been set by running getAcl:
> >>>
> >>> getAcl /apps
> >>> 'digest,'appsadmin:ukP2eoiopvSwCQaWSu3LI7qCLOQ=
> >>> : cdrwa
> >>> 'world,'anyone
> >>> : r
> >>>
> >>> After creating the node, I exited the cli and launched it again, this
> >>> time not executing addauth. As an anonymous user, I was able to get and
> >>> list /apps, but not create a child node. However, I *could
> successfully*
> >>> rmr /apps as an anon user, which  shouldn't be the case. I'm running zk
> >>> 3.4.5 as standalone on OpenJDK 1.8 (tried with sun jdk 1.7 as well) on
> >>> Ubuntu 14.04.  Can someone explain if this behaviour is expected?
> >>>
> >>> Thanks,
> >>> Bharath
> >>>
> >>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message