Posted to user@zookeeper.apache.org by vrindavda <vr...@gmail.com> on 2019/11/14 04:36:31 UTC

zk digest ACL permissions gets overridden

I am trying to add zk digest ACL on zookeeper-3.4.9.

I was able to add one user with /crdwa/ access.
The moment I add another user with read-only access (/r/), the first user
gets overridden with read-only access. Please see the output below:


WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0]  addauth digest user1:password1
[zk: localhost:2181(CONNECTED) 1] setAcl /newznode auth:user1:password1:crdwa
cZxid = 0xe
ctime = Thu Nov 07 13:29:43 IST 2019
mZxid = 0xe
mtime = Thu Nov 07 13:29:43 IST 2019
pZxid = 0xe
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
[zk: localhost:2181(CONNECTED) 2] getAcl /newznode
'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
: cdrwa
[zk: localhost:2181(CONNECTED) 3] addauth digest user2:password2
[zk: localhost:2181(CONNECTED) 4] setAcl /newznode auth:user2:password2:r
cZxid = 0xe
ctime = Thu Nov 07 13:29:43 IST 2019
mZxid = 0xe
mtime = Thu Nov 07 13:29:43 IST 2019
pZxid = 0xe
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
[zk: localhost:2181(CONNECTED) 5] getAcl /newznode
'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
: r
'digest,'user2:lo/iTtNMP+gEZlpUNaCqLYO3i5U=
: r


User1 and user2 are not readonly.

Am I doing something incorrect?






--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: zk digest ACL permissions gets overridden

Posted by vrindavda <vr...@gmail.com>.
We tried upgrading Zookeeper and got the same behavior.
Could this be a bug?



--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: zk digest ACL permissions gets overridden

Posted by vrindavda <vr...@gmail.com>.
Hi Jörn Franke,

Thank you for your response.
If I setAcl for both the users at the same time, I get both users duplicated,
one with readonly and another with cdrwa permissions, as below:



[zk: localhost:2181(CONNECTED) 1] getAcl /zk_test
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 2]  addauth digest user1:password1
[zk: localhost:2181(CONNECTED) 3] addauth digest user2:password2
[zk: localhost:2181(CONNECTED) 4] setAcl /newznode auth:user2:password2:r,auth:user1:password1:cdrwa
Node does not exist: /newznode
[zk: localhost:2181(CONNECTED) 5] setAcl /zk_test auth:user2:password2:r,auth:user1:password1:cdrwa
cZxid = 0x2
ctime = Wed Nov 13 20:14:08 IST 2019
mZxid = 0x2
mtime = Wed Nov 13 20:14:08 IST 2019
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
[zk: localhost:2181(CONNECTED) 6] getAcl
[zk: localhost:2181(CONNECTED) 7] getAcl /zk_test
'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
: r
'digest,'user2:lo/iTtNMP+gEZlpUNaCqLYO3i5U=
: r
'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
: cdrwa
'digest,'user2:lo/iTtNMP+gEZlpUNaCqLYO3i5U=
: cdrwa
[zk: localhost:2181(CONNECTED) 8] 




--
Sent from: http://zookeeper-user.578899.n2.nabble.com/

Re: zk digest ACL permissions gets overridden

Posted by Jörn Franke <jo...@gmail.com>.
I think, but I am not sure, you have to mention both users in the setAcl at the same time, so they get different permissions.

Try also to update ZK.

Please also check if you can use the other authorization mechanisms, e.g. SASL or x509. I think they are more suitable for enterprise scenarios.

> On 14.11.2019 at 05:42, vrindavda <vr...@gmail.com> wrote:
> 
> I am trying to add zk digest ACL on zookeeper-3.4.9.
> 
> I was able to add one user with /crdwa/ access.
> The moment I add another user with read-only access (/r/), the first user
> gets overridden with read-only access. Please see the output below:
> 
> 
> WatchedEvent state:SyncConnected type:None path:null
> [zk: localhost:2181(CONNECTED) 0]  addauth digest user1:password1
> [zk: localhost:2181(CONNECTED) 1] setAcl /newznode auth:user1:password1:crdwa
> cZxid = 0xe
> ctime = Thu Nov 07 13:29:43 IST 2019
> mZxid = 0xe
> mtime = Thu Nov 07 13:29:43 IST 2019
> pZxid = 0xe
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 8
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 2] getAcl /newznode
> 'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
> : cdrwa
> [zk: localhost:2181(CONNECTED) 3] addauth digest user2:password2
> [zk: localhost:2181(CONNECTED) 4] setAcl /newznode auth:user2:password2:r
> cZxid = 0xe
> ctime = Thu Nov 07 13:29:43 IST 2019
> mZxid = 0xe
> mtime = Thu Nov 07 13:29:43 IST 2019
> pZxid = 0xe
> cversion = 0
> dataVersion = 0
> aclVersion = 2
> ephemeralOwner = 0x0
> dataLength = 8
> numChildren = 0
> [zk: localhost:2181(CONNECTED) 5] getAcl /newznode
> 'digest,'user1:XDkd2dsEuhc9ImU3q8pa8UOdtpI=
> : r
> 'digest,'user2:lo/iTtNMP+gEZlpUNaCqLYO3i5U=
> : r
> 
> 
> User1 and user2 are not readonly.
> 
> Am I doing something incorrect?
> 
> 
> 
> 
> 
> 
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
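
Added example, not part of the original thread and not ZooKeeper's own code: the ZooKeeper documentation describes auth as a special scheme that ignores the expression supplied in the ACL and uses the identities already authenticated on the session, and setAcl replaces a znode's whole ACL list rather than appending to it. The Python model below reproduces the getAcl listings shown in the posts above and contrasts them with explicit digest entries; the function names are hypothetical, the session data is constructed, and the expansion logic is a simplified assumption about the server's behaviour.

```python
import base64
import hashlib

PERM_ORDER = "cdrwa"  # order in which zkCli's getAcl prints permission letters


def digest_id(user, password):
    """Id stored for the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def parse_acl_arg(arg):
    """Split a zkCli ACL argument: scheme before the first ':', perms after the last."""
    entries = []
    for item in arg.split(","):
        first, last = item.index(":"), item.rindex(":")
        perms = "".join(p for p in PERM_ORDER if p in item[last + 1:])
        entries.append((item[:first], item[first + 1:last], perms))
    return entries


def set_acl(arg, session_ids):
    """Simplified model of setAcl: the returned list replaces the previous ACL.

    Every 'auth' entry ignores its own id and expands to one digest entry per
    identity authenticated on the session; other schemes are stored as given.
    """
    stored = []
    for scheme, ident, perms in parse_acl_arg(arg):
        if scheme == "auth":
            stored.extend(("digest", sid, perms) for sid in session_ids)
        else:
            stored.append((scheme, ident, perms))
    return stored


# Constructed session mirroring the thread: both users added with addauth.
u1 = digest_id("user1", "password1")
u2 = digest_id("user2", "password2")
session = [u1, u2]

second_call = set_acl("auth:user2:password2:r", session)
combined = set_acl("auth:user2:password2:r,auth:user1:password1:cdrwa", session)
per_user = set_acl(f"digest:{u1}:cdrwa,digest:{u2}:r", session)

if __name__ == "__main__":
    for label, acl in (("auth, one entry", second_call),
                       ("auth, two entries", combined),
                       ("digest, per user", per_user)):
        print(label, acl)
```

In zkCli the per-user form is a single setAcl call whose argument is "digest:" + digest_id(...) + ":cdrwa" for the first user and the same pattern with ":r" for the second, separated by a comma.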