You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Jordan Zimmerman (JIRA)" <ji...@apache.org> on 2017/06/29 14:18:00 UTC
[jira] [Comment Edited] (ZOOKEEPER-2591) The deletion of Container
znode doesn't check ACL delete permission
[ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068397#comment-16068397 ]
Jordan Zimmerman edited comment on ZOOKEEPER-2591 at 6/29/17 2:17 PM:
----------------------------------------------------------------------
[~Bhupendra] If DeleteContainer had a client API then ACL would make sense. But, the automatic version has no client associated with the operation and therefore there is no ACL/Auth to apply.
Note: you _can_ delete containers from the client via normal delete() command and the ACL is respected.
was (Author: randgalt):
If DeleteContainer had a client [~Bhupendra] API then ACL would make sense. But, the automatic version has no client associated with the operation and therefore there is no ACL/Auth to apply.
> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>
> Key: ZOOKEEPER-2591
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Reporter: Edward Ribeiro
> Assignee: Edward Ribeiro
>
> Container nodes check the ACL before creation, but the deletion doesn't check the ACL rights. The code below succeeds even tough we removed ACL access permissions for "/a".
> {code}
> zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
> ArrayList<ACL> list = new ArrayList<>();
> list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
> zk.setACL("/", list, -1);
> zk.delete("/a", -1);
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)