Edward Ribeiro resolved ZOOKEEPER-2591.
    Resolution: Not A Bug

{{OpCode.deleteContainer}} is asynchronously deleted by 
{{ContainerManager.checkContainers()}} and it doesn't need to check the ACL 
because it performs a garbage collection if the znode is empty. Therefore, a 
client delete operation is issued as a {{OpsCode.delete}} and handled as usual, 
including the ACL checking. The first example posted on this issue was also 
wrong in that delete does check the ACL rights of the parent nor the child.

> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>                 Key: ZOOKEEPER-2591
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Edward Ribeiro
>            Assignee: Edward Ribeiro
> Container nodes check the ACL before creation, but the deletion doesn't check 
>  the ACL rights. The code below succeeds even tough we removed ACL access 
> permissions for "/a".
> {code}
>         zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
>         ArrayList<ACL> list = new ArrayList<>();
>         list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
>         zk.setACL("/", list, -1);
>         zk.delete("/a", -1);
> {code}

This message was sent by Atlassian JIRA

Reply via email to