Posted to dev@zookeeper.apache.org by "Raul Gutierrez Segales (JIRA)" <ji...@apache.org> on 2014/02/20 18:48:25 UTC

[jira] [Commented] (ZOOKEEPER-1885) Znodes deletable by anyone without having the rights to do so

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13907234#comment-13907234 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-1885:
---------------------------------------------------

Two things, first in:

{noformat}
[zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" digest:'user:IAEttLCxci/qWhKN2QJ6u1nrQgw=':cdrwa
{noformat}

the extra single quotes shouldn't be there, zkCli won't parse them correctly. So you just want:

{noformat}
[zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" digest:user:IAEttLCxci/qWhKN2QJ6u1nrQgw=:cdrwa
{noformat}

Second, the permissions in the ACL affect everything *under* /anode as well, not /anode alone. Because znodes can also hold other znodes (i.e.: act like "directories") the ACLs are a reference to what can be done with the children too. So, if you want to forbid anyone from deleting /anode you'd have to set the proper ACLs in /. 

Makes sense?


> Znodes deletable by anyone without having the rights to do so
> -------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1885
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1885
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.4.5
>         Environment: Ubuntu 12.04 LTS 64-bit
>            Reporter: Behar Veliqi
>
> Hi,
> I'm not really sure if this is a bug or a misunderstanding on my part, but I have the problem that, when I create a znode with an ACL as follows:
> [zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" digest:'user:IAEttLCxci/qWhKN2QJ6u1nrQgw=':cdrwa
> Created /anode
> [zk: localhost:2181(CONNECTED) 61] getAcl /anode                                                               
> 'digest,''user:IAEttLCxci/qWhKN2QJ6u1nrQgw='
> : cdrwa
> I am not able to read or update the content of the node, as it should be.
> [zk: localhost:2181(CONNECTED) 62] get /anode
> Authentication is not valid : /anode
> [zk: localhost:2181(CONNECTED) 63] set /anode "update"                                                         
> Authentication is not valid : /anode
> But everyone without being authenticated can delete the node:
> [zk: localhost:2181(CONNECTED) 64] delete /anode                                                               
> [zk: localhost:2181(CONNECTED) 65] get /anode         
> Node does not exist: /anode
> Is this a bug or is there a way to set the ACL so that only the user having the credentials can delete the znode somehow?



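A toy Python model of the permission check discussed in this thread, added here as an example and not ZooKeeper's or either poster's code: ZooKeeper evaluates READ and WRITE against the znode's own ACL, but CREATE and DELETE against the parent's ACL. The Tree class, the password and the tightened root ACL are constructed for illustration; the open root ACL (world:anyone:cdrwa) is assumed as the starting state.

```python
import base64
import hashlib


def digest_id(user, password):
    """Id format of the digest scheme: user:base64(sha1("user:password"))."""
    h = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(h).decode()}"


def parent(path):
    """Parent path of a znode; the parent of a top-level znode is '/'."""
    return path.rsplit("/", 1)[0] or "/"


class Tree:
    """Toy znode tree mapping path -> list of (scheme, id, perms) entries."""

    def __init__(self):
        # Assumed starting state: root is open to everyone.
        self.acls = {"/": [("world", "anyone", "cdrwa")]}

    def allowed(self, path, perm, auth_ids):
        """True if any ACL entry on `path` grants `perm` to this session."""
        for scheme, ident, perms in self.acls[path]:
            matches = (scheme, ident) == ("world", "anyone") or (
                scheme == "digest" and ident in auth_ids)
            if matches and perm in perms:
                return True
        return False

    # The node whose ACL is consulted differs per operation.
    def can_read(self, path, auth_ids=()):
        return self.allowed(path, "r", auth_ids)

    def can_write(self, path, auth_ids=()):
        return self.allowed(path, "w", auth_ids)

    def can_create(self, path, auth_ids=()):
        return self.allowed(parent(path), "c", auth_ids)

    def can_delete(self, path, auth_ids=()):
        return self.allowed(parent(path), "d", auth_ids)


def demo():
    t = Tree()
    owner = digest_id("user", "constructed-password")  # constructed credential
    t.acls["/anode"] = [("digest", owner, "cdrwa")]
    # Unauthenticated session: read/write denied by /anode, delete granted by /.
    before = (t.can_read("/anode"), t.can_write("/anode"), t.can_delete("/anode"))
    # Constructed fix: remove DELETE (and ADMIN) for world:anyone on the parent.
    t.acls["/"] = [("world", "anyone", "cr"), ("digest", owner, "cdrwa")]
    after = (t.can_delete("/anode"), t.can_delete("/anode", {owner}))
    return before, after
```
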