Posted to user@zookeeper.apache.org by Rakesh R <ra...@huawei.com> on 2012/06/04 14:48:10 UTC

RE: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd


Thank you Pat :)

________________________________________
From: Patrick Hunt [phunt@apache.org]
Sent: Wednesday, May 30, 2012 10:01 PM
To: user@zookeeper.apache.org
Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd

You can use setacl on root if you'd like to change permissions to be
more restrictive.

Patrick

On Fri, May 25, 2012 at 7:52 AM, Rakesh R <ra...@huawei.com> wrote:
> Hi Pat,
>
> Thanks for looking. Actually I'm using the 3.4.3 release, and I have seen similar checks for parsing the ACLs in this version also.
>
> I have created /app1 and /app2 using the following commands:
>
> create /app1 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa
> create /app2 "" sasl:hbase/host-10-18-40-40.hadoop.com@HADOOP.COM:cdrwa
>
> I just saw the following acl checks in the PrepRequestProcessor.java for delete command:
>
>                checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);
>
> Here the delete command is using 'parentRecord.acl' for ACL checks. In my case app1 and app2 are created directly under '/'.
> If my understanding is correct, '/' has ZooDefs.Ids.ANYONE_ID_UNSAFE permission and when any user comes to delete the children of '/', it's just validating against 'world:anyone' of root and allowing the delete. I'm worried about the authentication of the znodes under the root node. I'd like to know your opinion on this.
>
> Thanks,
> Rakesh
> ________________________________________
> From: Patrick Hunt [phunt@apache.org]
> Sent: Friday, May 25, 2012 5:48 AM
> To: user@zookeeper.apache.org
> Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd
>
> When you created the znodes did you specify acls or just take the
> defaults? (zkcli defaults are permissive), here's the create znode
> code:
>
>        List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
>        if (args.length > 3) {
>            acl = AclParser.parse(args[3]);
>        }
>
> Patrick
>
> On Tue, May 22, 2012 at 3:49 AM, Rakesh R <ra...@huawei.com> wrote:
>> Hi All,
>>
>> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using the delete command.
>>
>> Say, I have created two znodes:
>>
>>  'app1' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
>>  'app2' directly under '/' with hbase/host-10-18-40-40.hadoop.com@HADOOP.COM
>>
>> Now, I have logged in as zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM and this is not given as super user. When I tried to delete the znodes '/app1' and '/app2', it is allowing and not authenticating.
>>
>> Here, I'm thinking that 'zkcli' will not have the access to delete these two nodes.
>>
>> Is this a problem, or is there anything I'm missing? Can you please help me to resolve this and explain how the security can be applied here?
>>
>>
>> Thanks,
>> Rakesh
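
The behaviour discussed in this thread, as an added example that is not part of the original messages and not ZooKeeper's own code: a simplified Python model of the parent-ACL check for delete, showing the effect of tightening the root ACL as Patrick suggests. The helper names and the tree are constructed for illustration, and the model ignores the super user and empty-ACL cases.

```python
# Simplified model of the ZooKeeper ACL check discussed in this thread.
# Not ZooKeeper's code; tree contents and helper names are constructed.
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # ZooDefs.Perms bit values

def parse_acl(text):
    """Parse 'scheme:id:perms[,scheme:id:perms]' as typed in zkCli."""
    entries = []
    for item in text.split(","):
        first, last = item.index(":"), item.rindex(":")
        if first == last:
            raise ValueError(f"bad ACL entry: {item!r}")
        bits = 0
        for ch in item[last + 1:]:
            bits |= PERMS[ch]
        entries.append((item[:first], item[first + 1:last], bits))
    return entries

def check_acl(acl, perm, auth):
    """True if an entry granting perm matches world:anyone or a client identity."""
    return any(bits & perm and ((scheme, ident) == ("world", "anyone")
                                or (scheme, ident) in auth)
               for scheme, ident, bits in acl)

def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"

def can_delete(tree, path, auth):
    # Mirrors the quoted PrepRequestProcessor line: DELETE is checked on the parent.
    return check_acl(tree[parent_of(path)], PERMS["d"], auth)

def world_deletable(tree):
    """Audit helper: znodes whose parent grants DELETE to world:anyone."""
    return sorted(p for p in tree if p != "/" and can_delete(tree, p, set()))

HBASE = "hbase/host-10-18-40-40.hadoop.com@HADOOP.COM"
ZKCLI = {("sasl", "zkcli/host-10-18-40-40.hadoop.com@HADOOP.COM")}
tree = {
    "/": parse_acl("world:anyone:cdrwa"),          # permissive root ACL
    "/app1": parse_acl(f"sasl:{HBASE}:cdrwa"),
    "/app2": parse_acl(f"sasl:{HBASE}:cdrwa"),
}

if __name__ == "__main__":
    print("before:", world_deletable(tree), can_delete(tree, "/app1", ZKCLI))
    # Equivalent of running setAcl on / with a tighter ACL.
    tree["/"] = parse_acl(f"world:anyone:r,sasl:{HBASE}:cdrwa")
    print("after: ", world_deletable(tree), can_delete(tree, "/app1", ZKCLI))
```

Removing CREATE and DELETE for world:anyone on the root also stops other clients from creating top-level znodes, so grant those bits to each identity that needs them.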