You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2015/02/03 16:55:34 UTC
[jira] [Commented] (ACCUMULO-3557) No write ACL set on
/accumulo/instances/...
[ https://issues.apache.org/jira/browse/ACCUMULO-3557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303476#comment-14303476 ]
Josh Elser commented on ACCUMULO-3557:
--------------------------------------
Ideally, we need these ZNodes to still be open for global read; however, we would want to add a write ACL to each node (like we do to protect the users data) to prevent unauthenticated users from changing the node unintentionally or maliciously.
> No write ACL set on /accumulo/instances/...
> -------------------------------------------
>
> Key: ACCUMULO-3557
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3557
> Project: Accumulo
> Issue Type: Improvement
> Components: zookeeper
> Reporter: Josh Elser
> Priority: Critical
> Fix For: 1.7.0
>
>
> It's common for users to have four "arguments" to make a connection to Accumulo: zookeeper quorum string, instance name, username and password.
> The instance name is used to find the instanceID using {{/accumulo/instances/...}} in ZooKeeper. It appears that anyone can write in the {{/accumulo/instances}} ZNode. This seems suspect, because any unauthenticated user can alter the state of ZooKeeper and break users connecting to Accumulo or force them to connect to a different Accumulo instance.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)