[
https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15198757#comment-15198757
]
Alexander Shraer commented on ZOOKEEPER-2014:
---------------------------------------------
[~rgs], does your patch solve the issue? If not, what is still missing? If I
remember correctly, my concern was that I'd like getConfig to be available to
regular clients, not only admin, so they can react to configuration changes.
If this JIRA is what's blocking 3.5, perhaps we could reconsider the approach
and go with something simpler to start with, such as relying on ACLs. Or
setting default ACLs for the config znode and requiring client admins to have
these permissions.
> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
> Key: ZOOKEEPER-2014
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.0
> Reporter: Raul Gutierrez Segales
> Assignee: Raul Gutierrez Segales
> Priority: Blocker
> Fix For: 3.5.2
>
> Attachments: ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We
> should, at the very least, ensure that only the Admin can reconfigure a
> cluster. Perhaps restricting access to /zookeeper/config as well, though this
> is debatable. Surely one could ensure Admin only access via an ACL, but that
> would leave everyone who doesn't use ACLs unprotected. We could also force a
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure
> if everyone does, or how would it work with other authentication providers).