[jira] [Commented] (SLIDER-931) Security permissions on set up ZK path are too lax

Gour Saha (JIRA) Thu, 03 Sep 2015 13:19:35 -0700

    [ 
https://issues.apache.org/jira/browse/SLIDER-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14729703#comment-14729703
 ]


Gour Saha commented on SLIDER-931:
----------------------------------

[[email protected]] the following test is failing after this patch. Can you 
please take a look?

{color:red}
{code}
Regression

org.apache.slider.common.tools.TestZKIntegration.testCreateAndDeleteDefaultZKPath

Failing for the past 1 build (Since Failed#217 )
Took 0.43 sec.
Error Message

assert path == zkPath
       |       |
       null    /services/slider/users/bigdataborat/cl1
Stacktrace

org.codehaus.groovy.runtime.powerassert.PowerAssertionError: assert path == 
zkPath
       |       |
       null    /services/slider/users/bigdataborat/cl1
        at 
org.codehaus.groovy.runtime.InvokerHelper.assertFailed(InvokerHelper.java:398)
        at 
org.codehaus.groovy.runtime.ScriptBytecodeAdapter.assertFailed(ScriptBytecodeAdapter.java:646)
        at 
org.apache.slider.common.tools.TestZKIntegration.testCreateAndDeleteDefaultZKPath(TestZKIntegration.groovy:124)
Standard Output

2015-09-03 12:52:50,368 [Thread-3] INFO  services.MicroZookeeperService 
(MicroZookeeperService.java:serviceStart(235)) - Starting Local Zookeeper 
service
2015-09-03 12:52:50,371 [Thread-3] INFO  services.MicroZookeeperService 
(MicroZookeeperService.java:serviceStart(241)) - In memory ZK started at 
127.0.0.1:65114

2015-09-03 12:52:50,373 [Thread-3] INFO  test.MicroZKCluster 
(MicroZKCluster.groovy:createCluster(53)) - Created Micro ZK cluster as 
127.0.0.1:65114
2015-09-03 12:52:50,373 [Thread-3] INFO  imps.CuratorFrameworkImpl 
(CuratorFrameworkImpl.java:start(223)) - Starting
2015-09-03 12:52:50,405 [Thread-3-EventThread] INFO  
state.ConnectionStateManager (ConnectionStateManager.java:postState(194)) - 
State change: CONNECTED
2015-09-03 12:52:50,405 [ConnectionStateManager-0] WARN  
state.ConnectionStateManager (ConnectionStateManager.java:processEvents(212)) - 
There are no ConnectionStateListeners registered.
2015-09-03 12:52:50,457 [Thread-3] DEBUG zk.ZKIntegration 
(ZKIntegration.java:init(96)) - Binding ZK client to 127.0.0.1:65114
2015-09-03 12:52:50,458 [Thread-3] INFO  zk.BlockingZKWatcher 
(BlockingZKWatcher.java:waitForZKConnection(57)) - waiting for ZK event
2015-09-03 12:52:50,480 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:process(178)) - WatchedEvent state:SyncConnected type:None 
path:null
2015-09-03 12:52:50,480 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:maybeInit(191)) - initing
2015-09-03 12:52:50,480 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services
2015-09-03 12:52:50,494 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services/slider
2015-09-03 12:52:50,521 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services/slider/users
2015-09-03 12:52:50,545 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path 
/services/slider/users/bigdataborat
2015-09-03 12:52:50,561 [Thread-3-EventThread] INFO  zk.BlockingZKWatcher 
(BlockingZKWatcher.java:process(37)) - ZK binding callback received
2015-09-03 12:52:50,561 [Thread-3] INFO  test.YarnZKMiniClusterTestBase 
(YarnZKMiniClusterTestBase.groovy:createZKIntegrationInstance(67)) - Connected: 
ZK integration bound @  127.0.0.1:65114: State:CONNECTED Timeout:6000 
sessionid:0x14f94c4cfc10001 local:/127.0.0.1:65120 
remoteserver:127.0.0.1/127.0.0.1:65114 lastZxid:6 xid:5 sent:5 recv:5 
queuedpkts:0 pendingresp:0 queuedevents:0
2015-09-03 12:52:50,571 [Thread-3] DEBUG zk.ZKIntegration 
(ZKIntegration.java:init(96)) - Binding ZK client to 127.0.0.1:65114
2015-09-03 12:52:50,573 [Thread-3] INFO  zk.BlockingZKWatcher 
(BlockingZKWatcher.java:waitForZKConnection(57)) - waiting for ZK event
2015-09-03 12:52:50,597 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:process(178)) - WatchedEvent state:SyncConnected type:None 
path:null
2015-09-03 12:52:50,597 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:maybeInit(191)) - initing
2015-09-03 12:52:50,597 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services
2015-09-03 12:52:50,619 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(226)) - node already present:/services
2015-09-03 12:52:50,619 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services/slider
2015-09-03 12:52:50,639 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(226)) - node already present:/services/slider
2015-09-03 12:52:50,639 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path /services/slider/users
2015-09-03 12:52:50,652 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(226)) - node already 
present:/services/slider/users
2015-09-03 12:52:50,652 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path 
/services/slider/users/bigdataborat
2015-09-03 12:52:50,680 [Thread-3-EventThread] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(226)) - node already 
present:/services/slider/users/bigdataborat
2015-09-03 12:52:50,680 [Thread-3-EventThread] INFO  zk.BlockingZKWatcher 
(BlockingZKWatcher.java:process(37)) - ZK binding callback received
2015-09-03 12:52:50,680 [Thread-3] INFO  test.YarnZKMiniClusterTestBase 
(YarnZKMiniClusterTestBase.groovy:createZKIntegrationInstance(67)) - Connected: 
ZK integration bound @  127.0.0.1:65114: State:CONNECTED Timeout:6000 
sessionid:0x14f94c4cfc10002 local:/127.0.0.1:65123 
remoteserver:127.0.0.1/127.0.0.1:65114 lastZxid:11 xid:5 sent:5 recv:5 
queuedpkts:0 pendingresp:0 queuedevents:0
2015-09-03 12:52:50,681 [Thread-3] DEBUG zk.ZKIntegration 
(ZKIntegration.java:createPath(222)) - Creating ZK path 
/services/slider/users/bigdataborat/cl1
2015-09-03 12:52:50,704 [Thread-3] WARN  client.SliderClient 
(SliderClient.java:createZookeeperNode(505)) - Unable to create default zk node 
/services/slider/users/bigdataborat/cl1
org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = 
InvalidACL for /services/slider/users/bigdataborat/cl1
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:121)
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
        at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
        at 
org.apache.slider.core.zk.ZKIntegration.createPath(ZKIntegration.java:223)
        at 
org.apache.slider.client.SliderClient.createZookeeperNode(SliderClient.java:498)
        at 
org.apache.slider.common.tools.TestZKIntegration.testCreateAndDeleteDefaultZKPath(TestZKIntegration.groovy:120)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at 
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
        at 
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at 
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
        at 
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at 
org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at 
org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at 
org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)
2015-09-03 12:52:50,737 [Thread-3] INFO  test.SliderTestUtils 
(SliderTestUtils.groovy:describe(75)) - 
2015-09-03 12:52:50,738 [Thread-3] INFO  test.SliderTestUtils 
(SliderTestUtils.groovy:describe(76)) - ===============================
2015-09-03 12:52:50,738 [Thread-3] INFO  test.SliderTestUtils 
(SliderTestUtils.groovy:describe(77)) - teardown
2015-09-03 12:52:50,738 [Thread-3] INFO  test.SliderTestUtils 
(SliderTestUtils.groovy:describe(78)) - ===============================
2015-09-03 12:52:50,738 [Thread-3] INFO  test.SliderTestUtils 
(SliderTestUtils.groovy:describe(79)) - 
2015-09-03 12:52:50,753 [Thread-3] WARN  fs.FileUtil 
(FileUtil.java:deleteImpl(187)) - Failed to delete file or dir 
[D:\w\slider\slider-core\target\zk\testCreateAndDeleteDefaultZKPath\data\version-2\log.1]:
 it still exists.
{code}
{color}

> Security permissions on set up ZK path are too lax
> --------------------------------------------------
>
>                 Key: SLIDER-931
>                 URL: https://issues.apache.org/jira/browse/SLIDER-931
>             Project: Slider
>          Issue Type: Bug
>          Components: client
>    Affects Versions: Slider 0.80
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>             Fix For: Slider 0.81
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Slider creates a unique ZK path for each app launch, deleting it on teardown
> HBase security tests are throwing up that the path is being created world 
> writeable, rather than world-read. Being world write means its possible for 
> malicious code to replace the path with a different one. 
> This is only a risk on a secure cluster; ZK's security model on insecure 
> clusters is only a hint that can be bypassed



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (SLIDER-931) Security permissions on set up ZK path are too lax

Reply via email to