[jira] [Commented] (ZOOKEEPER-1885) Znodes deletable by anyone without having the rights to do so

Thu, 20 Feb 2014 09:49:28 -0800 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13907234#comment-13907234
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-1885:
---------------------------------------------------

Two things, first in:

{noformat}
[zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" 
digest:'user:IAEttLCxci/qWhKN2QJ6u1nrQgw=':cdrwa
{noformat}

the extra single quotes shouldn't be there, zkCli won't parse them correctly. 
So you just want:

{noformat}
[zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" 
digest:user:IAEttLCxci/qWhKN2QJ6u1nrQgw=:cdrwa
{noformat}

Second, the permissions in the ACL affect everything *under* /anode as well, 
not /anode alone. Because znodes can also hold other znodes (i.e.: act like 
"directories") the ACLs are a reference to what can be done with the children 
too. So, if you want to forbid anyone from deleting /anode you'd have to set 
the proper ACLs in /. 

Makes sense?


> Znodes deletable by anyone without having the rights to do so
> -------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1885
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1885
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.4.5
>         Environment: Ubuntu 12.04 LTS 64-bit
>            Reporter: Behar Veliqi
>
> Hi,
> I'm not really sure if this is bug or a misunderstanding on my part, but when 
> I have the problem that, when a I create a znode with an ACL as follows:
> [zk: localhost:2181(CONNECTED) 60] create /anode "somecontent" 
> digest:'user:IAEttLCxci/qWhKN2QJ6u1nrQgw=':cdrwa
> Created /anode
> [zk: localhost:2181(CONNECTED) 61] getAcl /anode                              
>                                  
> 'digest,''user:IAEttLCxci/qWhKN2QJ6u1nrQgw='
> : cdrwa
> I am not able to read or update the content of the node, as it should be.
> [zk: localhost:2181(CONNECTED) 62] get /anode
> Authentication is not valid : /anode
> [zk: localhost:2181(CONNECTED) 63] set /anode "update"                        
>                                  
> Authentication is not valid : /anode
> But everyone without being authenticated can delete the node:
> [zk: localhost:2181(CONNECTED) 64] delete /anode                              
>                                  
> [zk: localhost:2181(CONNECTED) 65] get /anode         
> Node does not exist: /anode
> Is this a bug or is there a way to set the ACL so that only the user having 
> the credentials can delete the znode somehow?



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to