Posted to dev@zookeeper.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/05/13 05:50:04 UTC
[jira] [Commented] (ZOOKEEPER-2772) Delete node command does not honor Acl policy
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009151#comment-16009151 ]
ASF GitHub Bot commented on ZOOKEEPER-2772:
-------------------------------------------
GitHub user eribeiro opened a pull request:
https://github.com/apache/zookeeper/pull/252
ZOOKEEPER-2772: Delete node command does not honor Acl policy
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/eribeiro/zookeeper ZOOKEEPER-2772
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/252.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #252
----
commit ce40dc7e12493817a26a8e45125ecc61d4ac0e80
Author: Edward Ribeiro <ed...@gmail.com>
Date: 2017-05-13T05:36:51Z
ZOOKEEPER-2772: Delete node command does not honor Acl policy
----
> Delete node command does not honor Acl policy
> ---------------------------------------------
>
> Key: ZOOKEEPER-2772
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.4.8, 3.4.10
> Reporter: joe smith
>
> I set the acl to not be able to delete a node - but was able to delete regardless.
> I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue. I will paste his response below - sorry for the long listing.
> Martin's replies are inline, prefixed with: MG>
> ----------
> From: joe smith <wa...@yahoo.com.INVALID>
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: user@zookeeper.apache.org
> Subject: Acl block delete not working
> Hi,
> I'm using 3.4.10 and setting a custom acl to block deletion of a znode. However, I'm able to delete the node even after I've set the acl from cdrwa to cra.
> Can anyone point out if I missed some step.
> Thanks for the help
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 1] create /test "data"
> Created /test
> [zk: localhost:2181(CONNECTED) 2] ls /
> [zookeeper, test]
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
> List<ACL> acl = AclParser.parse(aclStr);
> int version;
> if (cl.hasOption("v")) {
>     version = Integer.parseInt(cl.getOptionValue("v"));
> } else {
>     version = -1;
> }
> try {
>     Stat stat = zk.setACL(path, acl, version);
> MG>later on in DeleteCommand there is no check for aforementioned acl parameter
> public boolean exec() throws KeeperException, InterruptedException {
>     String path = args[1];
>     int version;
>     if (cl.hasOption("v")) {
>         version = Integer.parseInt(cl.getOptionValue("v"));
>     } else {
>         version = -1;
>     }
>     try {
>         zk.delete(path, version);
>     } catch(KeeperException.BadVersionException ex) {
>         err.println(ex.getMessage());
>     }
>     return false;
> MG>as seen here the testCase works properly saving the Zookeeper object
> LsCommand entity = new LsCommand();
> entity.setZk(zk);
> MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
> MG>can you report this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
> MG>Thanks Joe!
> [zk: localhost:2181(CONNECTED) 5] getAcl /test
> 'myfqdn,'localhost
> : cra
> [zk: localhost:2181(CONNECTED) 6] get /testdata
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
> Authentication is not valid : /test
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /
> [zookeeper]
> [zk: localhost:2181(CONNECTED) 10]
> The auth provider impl is here: http://s000.tinyupload.com/?file_id=42827186839577179157
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
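An added example, not part of the original message or of ZooKeeper's code: ZooKeeper's documented permission model defines CREATE and DELETE as rights over a node's children, so the server evaluates a delete against the parent's ACL. The model below replays the trace on that basis and audits for znodes whose own ACL lacks `d` but which remain deletable. The tree, the exact-match identity check for the custom `myfqdn` scheme and all function names are assumptions made for illustration.

```python
# Constructed model of ZooKeeper's ACL evaluation; not ZooKeeper source code.
# An ACL entry is (scheme, id, perms) with perms drawn from "cdrwa".
import posixpath

# Which node's ACL is consulted for each operation, and which bit is needed.
CHECKED_ON = {"read": ("self", "r"), "write": ("self", "w"), "admin": ("self", "a"),
              "create": ("parent", "c"), "delete": ("parent", "d")}

def granted(acl, perm, auth):
    """True if any ACL entry that matches the session grants perm."""
    for scheme, ident, perms in acl:
        # Assumption: custom schemes match by exact (scheme, id) equality.
        matches = (scheme, ident) == ("world", "anyone") or (scheme, ident) in auth
        if matches and perm in perms:
            return True
    return False

def allowed(tree, op, path, auth):
    """Evaluate op on path for a session holding the identities in auth."""
    where, perm = CHECKED_ON[op]
    target = posixpath.dirname(path) if where == "parent" else path
    return granted(tree[target], perm, auth)

def deletable_without_own_d(tree, auth):
    """Audit: znodes whose own ACL lacks 'd' yet can still be deleted."""
    return sorted(p for p in tree if p != "/"
                  and not granted(tree[p], "d", auth)
                  and allowed(tree, "delete", p, auth))

# Constructed sample mirroring the trace: default root ACL, restricted /test.
AUTH = {("myfqdn", "localhost")}
TREE = {"/": [("world", "anyone", "cdrwa")],
        "/test": [("myfqdn", "localhost", "cra")]}

# Same tree with DELETE withheld on the parent instead of on the node itself.
HARDENED = {**TREE, "/": [("world", "anyone", "crwa")]}

if __name__ == "__main__":
    print("set /test allowed:   ", allowed(TREE, "write", "/test", AUTH))
    print("delete /test allowed:", allowed(TREE, "delete", "/test", AUTH))
    print("audit findings:      ", deletable_without_own_d(TREE, AUTH))
    print("after hardening:     ", deletable_without_own_d(HARDENED, AUTH))
```

Withholding `d` on a parent applies to every child of that parent, so it is usually set on a dedicated parent znode rather than on `/`.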