Date: Thu, 18 May 2017 13:42:21 +0000 (UTC)
From: joe smith
To: "user@zookeeper.apache.org"
Subject: Re: Acl block detete not working

Edward, Benjamin,

Thank you both for the clarification.
I see where the confusion came from: READ/WRITE are on the node but CREATE/DELETE applies only to the node's children.

Thanks again for the help/input!

On Saturday, May 13, 2017 8:05 AM, Edward Ribeiro wrote:

Excuse me, should have looked first on docs. Interesting behaviour...

Thanks Ben!

On May 13, 2017 5:30 AM, "Benjamin Reed" wrote:

please check out
http://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperProgrammers.html#sc_ACLPermissions.
DELETE prevents deletion of children (like CREATE prevents the creation of
children). it does not prevent the deletion of the znode itself.

ben

On Fri, May 12, 2017 at 10:53 PM, Edward Ribeiro wrote:

> Hey, Joe and Martin,
>
> A quick explanation: the code Martin posted on the mailing list is the
> client side one. In those snippets the setACL is setting/changing the ACL
> so it needs to pass this in the call to the server: zk.setACL(path, acl,
> version). OTOH, the delete command doesn't need to pass the ACL credentials
> because those are already stored in the corresponding znode (or its parent)
> so it only needs to pass the path and version: zk.delete(path, version).
>
> What you really want to look at is here:
> https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392
>
> See? The delete is checking the ACL of the parent znode, but not the znode
> that we are trying to delete.
>
> Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if
> we can fix this.
>
> Best regards,
> Edward
>
> On Tue, May 2, 2017 at 6:24 PM, joe smith wrote:
>
>> Hi Martin,
>> Thanks for the reply. I've created a bug report:
>> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>> Regards,
>> -j
>>
>> On Tuesday, May 2, 2017 2:16 PM, Martin Gainty wrote:
>>
>> From: joe smith
>> Sent: Tuesday, May 2, 2017 8:40 AM
>> To: user@zookeeper.apache.org
>> Subject: Acl block detete not working
>>
>> Hi,
>> I'm using 3.4.10 and setting custom acl to block deletion of a znode.
>> However, I'm able to delete the node even after I've set acl from cdrwa to
>> crwa.
>> Can anyone point out if I missed some step.
>> Thanks for the help
>>
>> Here is the trace:
>> [zk: localhost:2181(CONNECTED) 0] ls /
>> [zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 1] create /test "data"
>> Created /test
>>
>> [zk: localhost:2181(CONNECTED) 2] ls /
>> [zookeeper, test]
>>
>> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
>> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
>> cZxid = 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> MG>in SetAclCommand you can see the acl being parsed and acl being set by
>> setAcl into zk object
>>     List<ACL> acl = AclParser.parse(aclStr);
>>     int version;
>>     if (cl.hasOption("v")) {
>>         version = Integer.parseInt(cl.getOptionValue("v"));
>>     } else {
>>         version = -1;
>>     }
>>     try {
>>         Stat stat = zk.setACL(path, acl, version);
>> MG>later on in DeleteCommand there is no check for aforementioned acl
>> parameter
>>     public boolean exec() throws KeeperException, InterruptedException {
>>         String path = args[1];
>>         int version;
>>         if (cl.hasOption("v")) {
>>             version = Integer.parseInt(cl.getOptionValue("v"));
>>         } else {
>>             version = -1;
>>         }
>>         try {
>>             zk.delete(path, version);
>>         } catch(KeeperException.BadVersionException ex) {
>>             err.println(ex.getMessage());
>>         }
>>         return false;
>> MG>as seen here the testCase works properly saving the Zookeeper object
>>     LsCommand entity = new LsCommand();
>>     entity.setZk(zk);
>>
>> MG>but setACL does not save the zookeeper object anywhere but instead
>> seems to discard zookeeper object with accompanying ACLs
>> MG>can you report this bug to Zookeeper?
>> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>>
>> MG>Thanks Joe!
>>
>> [zk: localhost:2181(CONNECTED) 5] getAcl /test
>> 'myfqdn,'localhost
>> : cra
>>
>> [zk: localhost:2181(CONNECTED) 6] get /test
>> data
>> cZxid = 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
>> Authentication is not valid : /test
>>
>> [zk: localhost:2181(CONNECTED) 8] delete /test
>> [zk: localhost:2181(CONNECTED) 9] ls /
>> [zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 10]
>> The auth provider implementation is here:
>> http://s000.tinyupload.com/?file_id=42827186839577179157
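
Added example, not part of the original thread and not ZooKeeper's own code: a small Python model of the rule Benjamin Reed describes above (CREATE/DELETE are checked on the parent znode, READ/WRITE/ADMIN on the znode itself), replaying the quoted zkCli trace. The permission bits follow ZooDefs.Perms; the CHECKS table, the function names and the sample ACL state are constructed for illustration.

```python
# Simplified model of ZooKeeper ACL enforcement (added example, not ZooKeeper code).
# Permission bit values match org.apache.zookeeper.ZooDefs.Perms.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}

# Which znode's ACL is consulted for each operation, and for which bit.
# create/delete are checked one level up, which is the point of the thread.
CHECKS = {
    "get": ("self", READ),
    "ls": ("self", READ),
    "set": ("self", WRITE),
    "setAcl": ("self", ADMIN),
    "create": ("parent", CREATE),
    "delete": ("parent", DELETE),
}

def parse_perms(perm_string):
    """Turn a zkCli permission string such as 'cra' into a bitmask."""
    bits = 0
    for ch in perm_string:
        bits |= LETTERS[ch]
    return bits

def parent_of(path):
    """'/test' -> '/', '/a/b' -> '/a'."""
    return path.rsplit("/", 1)[0] or "/"

def allowed(acls, identities, op, path):
    """acls: {path: [(scheme, id, perms)]}; identities: set of (scheme, id)."""
    where, bit = CHECKS[op]
    target = path if where == "self" else parent_of(path)
    for scheme, ident, perms in acls[target]:
        matches = (scheme, ident) == ("world", "anyone") or (scheme, ident) in identities
        if matches and parse_perms(perms) & bit:
            return True
    return False

# Constructed state mirroring the trace: open root, /test restricted to "cra".
ACLS = {"/": [("world", "anyone", "cdrwa")],
        "/test": [("myfqdn", "localhost", "cra")]}
ME = {("myfqdn", "localhost")}

def replay():
    """Return ((set allowed, delete allowed) as in the trace, delete after fix)."""
    before = (allowed(ACLS, ME, "set", "/test"), allowed(ACLS, ME, "delete", "/test"))
    # Mitigation: drop DELETE from the parent's ACL rather than the node's.
    hardened = {**ACLS, "/": [("world", "anyone", "crwa")]}
    return before, allowed(hardened, ME, "delete", "/test")
```

replay() returns ((False, True), False): with the trace's ACLs the write to /test is refused but the delete succeeds, and the delete is refused only once DELETE is removed from the parent's ACL. That change applies to every child of the parent, so a znode that must not be deleted is best placed under a parent dedicated to it.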