You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Bhupendra Kumar Jain (JIRA)" <ji...@apache.org> on 2017/06/29 10:44:00 UTC
[jira] [Commented] (ZOOKEEPER-2591) The deletion of Container znode
doesn't check ACL delete permission
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068154#comment-16068154 ]
Bhupendra Kumar Jain commented on ZOOKEEPER-2591:
-------------------------------------------------
IMO, OpCode.deleteContainer request can be initiated from client even though there is no explicit API in Zookeeper.java.
In that case if ACL check is bypassed, node can be deleted by any user. So ACL check must be present if request is originated from client and ACL check can be skipped if request is system internal.
> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>
> Key: ZOOKEEPER-2591
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Reporter: Edward Ribeiro
> Assignee: Edward Ribeiro
>
> Container nodes check the ACL before creation, but the deletion doesn't check the ACL rights. The code below succeeds even tough we removed ACL access permissions for "/a".
> {code}
> zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
> ArrayList<ACL> list = new ArrayList<>();
> list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
> zk.setACL("/", list, -1);
> zk.delete("/a", -1);
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)