[ https://issues.apache.org/jira/browse/ZOOKEEPER-2590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Edward Ribeiro reassigned ZOOKEEPER-2590: ----------------------------------------- Assignee: Edward Ribeiro > setACL doesn't affect exists() operation > ---------------------------------------- > > Key: ZOOKEEPER-2590 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2590 > Project: ZooKeeper > Issue Type: Bug > Reporter: Edward Ribeiro > Assignee: Edward Ribeiro > Labels: acl, security > > As hinted > [here|https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java#L298], > even if a parent znode path has restricted READ access it's possible to > issue an exists() operation on any child znode of that given path. > For example, the snippet below doesn't throw {{NoAuthExceptio}}, even tough > it removes ACL rights to "/": > {code} > zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT); > ArrayList<ACL> acls = new ArrayList<>(); > acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE)); > zk.setACL("/", acls, -1); > Stat r = zk.exists("/a", false); > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)