Posted to dev@zookeeper.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/05/13 05:50:04 UTC

[jira] [Commented] (ZOOKEEPER-2772) Delete node command does not honor Acl policy

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009151#comment-16009151 ] 

ASF GitHub Bot commented on ZOOKEEPER-2772:
-------------------------------------------

GitHub user eribeiro opened a pull request:

    https://github.com/apache/zookeeper/pull/252

    ZOOKEEPER-2772: Delete node command does not honor Acl policy

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/eribeiro/zookeeper ZOOKEEPER-2772

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/252.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #252
    
----
commit ce40dc7e12493817a26a8e45125ecc61d4ac0e80
Author: Edward Ribeiro <ed...@gmail.com>
Date:   2017-05-13T05:36:51Z

    ZOOKEEPER-2772: Delete node command does not honor Acl policy

----


> Delete node command does not honor Acl policy
> ---------------------------------------------
>
>                 Key: ZOOKEEPER-2772
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.4.8, 3.4.10
>            Reporter: joe smith
>
> I set the acl to not be able to delete a node - but was able to delete regardless.
> I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue.  I will paste his response below - sorry for the long listing.
> Martin's replies are inline, prefixed with: MG>
> ----------
> From: joe smith <wa...@yahoo.com.INVALID>
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: user@zookeeper.apache.org
> Subject: Acl block detete not working
> Hi,
> I'm using 3.4.10 and setting a custom acl to block deletion of a znode.  However, I'm able to delete the node even after I've set the acl from cdrwa to cra.
> Can anyone point out if I missed some step.
> Thanks for the help
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 1] create /test "data"
> Created /test
> [zk: localhost:2181(CONNECTED) 2] ls /
> [zookeeper, test]
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
>         List<ACL> acl = AclParser.parse(aclStr);
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>             Stat stat = zk.setACL(path, acl, version);
> MG>later on in DeleteCommand there is no check for aforementioned acl parameter
>     public boolean exec() throws KeeperException, InterruptedException {
>         String path = args[1];
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>             zk.delete(path, version);
>         } catch (KeeperException.BadVersionException ex) {
>             err.println(ex.getMessage());
>         }
>         return false;
> MG>as seen here the testCase works properly saving the Zookeeper object
>     LsCommand entity = new LsCommand();
>         entity.setZk(zk);
> MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
> MG>can you report this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
> MG>Thanks Joe!
> [zk: localhost:2181(CONNECTED) 5] getAcl /test
> 'myfqdn,'localhost
> : cra
> [zk: localhost:2181(CONNECTED) 6] get /test
> data
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
> Authentication is not valid : /test
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 10]
> The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
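
ZooKeeper's documented permission model defines CREATE and DELETE as rights over a node's children, so `delete /test` is authorized against the ACL of the parent `/`, not against the `cra` ACL set on `/test`. The model below replays the trace under that rule; it is an added example, not code from the issue, the pull request or ZooKeeper itself, and it assumes the root still carries ZooKeeper's default world:anyone:cdrwa ACL and that the custom myfqdn scheme matches on exact id.

```python
# Added example: simplified model of ZooKeeper's ACL check, not ZooKeeper source.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16   # ZooDefs.Perms bit values
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}

def parse_acl(spec):
    """Parse comma-separated 'scheme:id:perms' entries as given to setAcl."""
    acl = []
    for entry in spec.split(","):
        scheme, rest = entry.split(":", 1)
        ident, perms = rest.rsplit(":", 1)
        bits = 0
        for ch in perms:
            bits |= LETTERS[ch]
        acl.append((scheme, ident, bits))
    return acl

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

def itself(path):
    return path

# operation -> (node whose ACL is consulted, permission bit required)
CHECKS = {
    "get": (itself, READ),
    "set": (itself, WRITE),
    "setAcl": (itself, ADMIN),
    "create": (parent, CREATE),   # CREATE/DELETE are permissions over children,
    "delete": (parent, DELETE),   # so the parent's ACL decides
}

def allowed(tree, auths, op, path):
    """True if any ACL entry on the governing node grants the bit to this session.
    Assumption: custom schemes match on exact (scheme, id) equality."""
    governing, bit = CHECKS[op]
    for scheme, ident, bits in tree[governing(path)]:
        matches = (scheme, ident) == ("world", "anyone") or (scheme, ident) in auths
        if matches and bits & bit:
            return True
    return False

def replay(root_acl):
    """Replay the trace: /test carries myfqdn:localhost:cra, session did addauth."""
    tree = {"/": parse_acl(root_acl), "/test": parse_acl("myfqdn:localhost:cra")}
    auths = {("myfqdn", "localhost")}
    return {op: allowed(tree, auths, op, "/test") for op in ("get", "set", "delete")}

OPEN_ROOT = replay("world:anyone:cdrwa")    # default root ACL, assumed for the trace
LOCKED_ROOT = replay("world:anyone:crwa")   # constructed: 'd' removed on the parent
```

With the open root the model gives the same outcome as the trace (set denied, delete allowed); delete is refused only once the parent's ACL drops `d`, which in practice means keeping protected znodes under a dedicated parent whose ACL is restricted.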