You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "joe smith (JIRA)" <ji...@apache.org> on 2017/05/02 21:20:04 UTC
[jira] [Created] (ZOOKEEPER-2772) Delete node command does not
honor Acl policy
joe smith created ZOOKEEPER-2772:
------------------------------------
Summary: Delete node command does not honor Acl policy
Key: ZOOKEEPER-2772
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
Project: ZooKeeper
Issue Type: Bug
Components: security
Affects Versions: 3.4.10, 3.4.8
Reporter: joe smith
I set the acl to not be able to delete a node - but was able to delete regardless.
I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue. I will paste his response below - sorry for the long listing.
Martin's reply are inline prefixed with: MG>
----------
From: joe smith <wa...@yahoo.com.INVALID>
Sent: Tuesday, May 2, 2017 8:40 AM
To: user@zookeeper.apache.org
Subject: Acl block detete not working
Hi,
I'm using 3.4.10 and setting custom aol to block deletion of a znode. However, I'm able to delete the node even after I've set acl from cdrwa to cra.
Can anyone point out if I missed some step.
Thanks for the help
Here is the trace:
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]
[zk: localhost:2181(CONNECTED) 1] create /test "data"
Created /test
[zk: localhost:2181(CONNECTED) 2] ls /
[zookeeper, test]
[zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
[zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
cZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
List<ACL> acl = AclParser.parse(aclStr);
int version;
if (cl.hasOption("v")) {
version = Integer.parseInt(cl.getOptionValue("v"));
} else {
version = -1;
}
try {
Stat stat = zk.setACL(path, acl, version);
MG>later on in DeleteCommand there is no check for aforementioned acl parameter
public boolean exec() throws KeeperException, InterruptedException {
String path = args[1];
int version;
if (cl.hasOption("v")) {
version = Integer.parseInt(cl.getOptionValue("v"));
} else {
version = -1;
}
try {
zk.delete(path, version);
} catch(KeeperException.BadVersionException ex) {
err.println(ex.getMessage());
}
return false;
MG>as seen here the testCase works properly saving the Zookeeper object
LsCommand entity = new LsCommand();
entity.setZk(zk);
MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
MG>can you report this bug to Zookeeper?
https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
ZooKeeper - ASF JIRA - issues.apache.org<https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel>
issues.apache.org
Apache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7
MG>Thanks Joe!
[zk: localhost:2181(CONNECTED) 5] getAcl /test
'myfqdn,'localhost
: cra
[zk: localhost:2181(CONNECTED) 6] get /testdata
cZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
Authentication is not valid : /test
[zk: localhost:2181(CONNECTED) 8] delete /test
[zk: localhost:2181(CONNECTED) 9] ls /
[zookeeper]
[zk: localhost:2181(CONNECTED) 10]
The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)