You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@zookeeper.apache.org by "Fournier, Camille F. [Tech]" <Ca...@gs.com> on 2010/10/19 22:01:33 UTC

Digest user ACL check failing

The ZK documentation says:
New in 3.2: Enables a ZooKeeper ensemble administrator to access the znode hierarchy as a "super" user. In particular no ACL checking occurs for a user authenticated as super.

However, in some testing today I created a digest user, logged in as this user, set the ACLs for "/" to Ids.READ_ACL_UNSAFE, and now even when I am logged in as the superuser, I cannot actually change this ACL or write nodes below it on the tree. So it does not actually seem to be the case that "super" skips ACL checks. Is this a bug or a feature?

Thanks,
Camille

RE: Digest user ACL check failing

Posted by "Fournier, Camille F. [Tech]" <Ca...@gs.com>.

Already did. I think it's for any znode, given the way the bug presents.
https://issues.apache.org/jira/browse/ZOOKEEPER-904
I have a test and fix for this (described in the tracker), if you agree this is a bug I will attach it.

C


-----Original Message-----
From: Patrick Hunt [mailto:phunt@apache.org] 
Sent: Wednesday, October 20, 2010 2:08 PM
To: zookeeper-user@hadoop.apache.org
Subject: Re: Digest user ACL check failing

Sounds like it might be a bug, was this just for the root or for any znode?
Please file a JIRA, thanks.

Patrick

On Tue, Oct 19, 2010 at 1:01 PM, Fournier, Camille F. [Tech] <
Camille.Fournier@gs.com> wrote:

> The ZK documentation says:
> New in 3.2: Enables a ZooKeeper ensemble administrator to access the znode
> hierarchy as a "super" user. In particular no ACL checking occurs for a user
> authenticated as super.
>
> However, in some testing today I created a digest user, logged in as this
> user, set the ACLs for "/" to Ids.READ_ACL_UNSAFE, and now even when I am
> logged in as the superuser, I cannot actually change this ACL or write nodes
> below it on the tree. So it does not actually seem to be the case that
> "super" skips ACL checks. Is this a bug or a feature?
>
> Thanks,
> Camille
>
>
>

Re: Digest user ACL check failing

Posted by Patrick Hunt <ph...@apache.org>.

Sounds like it might be a bug, was this just for the root or for any znode?
Please file a JIRA, thanks.

Patrick

On Tue, Oct 19, 2010 at 1:01 PM, Fournier, Camille F. [Tech] <
Camille.Fournier@gs.com> wrote:

> The ZK documentation says:
> New in 3.2: Enables a ZooKeeper ensemble administrator to access the znode
> hierarchy as a "super" user. In particular no ACL checking occurs for a user
> authenticated as super.
>
> However, in some testing today I created a digest user, logged in as this
> user, set the ACLs for "/" to Ids.READ_ACL_UNSAFE, and now even when I am
> logged in as the superuser, I cannot actually change this ACL or write nodes
> below it on the tree. So it does not actually seem to be the case that
> "super" skips ACL checks. Is this a bug or a feature?
>
> Thanks,
> Camille
>
>
>