[
https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563598#comment-15563598
]
Michael Han commented on ZOOKEEPER-2014:
----------------------------------------
[~fpj] It's a bug, thanks for pointing it out! When we do reconfigure through
command line, the {{addauth}} command will set the auth packet for the
connection associated with the {{ZooKeeper}} object of the {{CliCommand}}. The
reconfig command however is going to be executed by the {{ZooKeeperAdmin}}
object of the {{CliCommand}}, and because addauth currently does not associate
the auth packet to the underlying connection managed by {{ZooKeeperAdmin}},
when reconfig request hits server it will miss auth info, thus yield auth
failure. The fix is to teach {{AddAuthCommand}} to set auth packet for
{{ZooKeeperAdmin}} as well.
As we previously discussed in review board, an alternative is to have a single
ZooKeeper object (since ZooKeeperAdmin is also a ZooKeeper) maintained in
{{CliCommand}} so every command / request will converge to a single path. I did
not do that for stability purposes - with a separate ZooKeeperAdmin object all
existing commands (except reconfig) should not be impacted at all. I might be
over cautious on this one though and maintaining a single ZK object inside
CliCommand might be a better solution overall. Please let me know if you prefer
one over the other.
Attaching updated patch (with one line change) that fixes the issue. Verified
with zkCli.sh / reconfig command on a local 3 server cluster.
> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
> Key: ZOOKEEPER-2014
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.0
> Reporter: Raul Gutierrez Segales
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.5.3
>
> Attachments: ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch,
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch,
> ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We
> should, at the very least, ensure that only the Admin can reconfigure a
> cluster. Perhaps restricting access to /zookeeper/config as well, though this
> is debatable. Surely one could ensure Admin only access via an ACL, but that
> would leave everyone who doesn't use ACLs unprotected. We could also force a
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure
> if everyone does, or how would it work with other authentication providers).
> Review board https://reviews.apache.org/r/51546/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
