Author: mahadev Date: Tue Oct 26 22:05:58 2010 New Revision: 1027758 URL: http://svn.apache.org/viewvc?rev=1027758&view=rev Log: ZOOKEEPER-904. super digest is not actually acting as a full superuser (Camille Fournier via mahadev)
Modified: hadoop/zookeeper/branches/branch-3.3/CHANGES.txt hadoop/zookeeper/branches/branch-3.3/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java hadoop/zookeeper/branches/branch-3.3/src/java/test/org/apache/zookeeper/test/AuthTest.java Modified: hadoop/zookeeper/branches/branch-3.3/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/zookeeper/branches/branch-3.3/CHANGES.txt?rev=1027758&r1=1027757&r2=1027758&view=diff ============================================================================== --- hadoop/zookeeper/branches/branch-3.3/CHANGES.txt (original) +++ hadoop/zookeeper/branches/branch-3.3/CHANGES.txt Tue Oct 26 22:05:58 2010 @@ -56,6 +56,9 @@ BUGFIXES: ZOOKEEPER-800. zoo_add_auth returns ZOK if zookeeper handle is in ZOO_CLOSED_STATE (Michi Mutsuzaki via mahadev konar) + ZOOKEEPER-904. super digest is not actually acting as a full superuser + (Camille Fournier via mahadev) + IMPROVEMENTS: ZOOKEEPER-789. Improve FLE log messages (flavio via phunt) Modified: hadoop/zookeeper/branches/branch-3.3/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java URL: http://svn.apache.org/viewvc/hadoop/zookeeper/branches/branch-3.3/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java?rev=1027758&r1=1027757&r2=1027758&view=diff ============================================================================== --- hadoop/zookeeper/branches/branch-3.3/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java (original) +++ hadoop/zookeeper/branches/branch-3.3/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java Tue Oct 26 22:05:58 2010 @@ -167,6 +167,11 @@ public class PrepRequestProcessor extend if (acl == null || acl.size() == 0) { return; } + for (Id authId : ids) { + if (authId.getScheme().equals("super")) { + return; + } + } for (ACL a : acl) { Id id = a.getId(); if ((a.getPerms() & perm) != 0) { 
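Review bot: The added loop returns as soon as any entry in `ids` has the scheme `super`, skipping every ACL check, but the trust assumption behind that is not stated and the bypass leaves no trace here. This is only safe if a `super` Id can reach `ids` solely after the authentication provider has matched the configured superuser digest; that code is outside this hunk, so it should be confirmed and recorded above the loop, e.g. `// "super" is only present after the superuser digest matched; it bypasses all ACLs`. A debug-level log line on this path would also let operators see when superuser access was used. Writing the comparison as `"super".equals(authId.getScheme())` avoids a NullPointerException should a scheme ever be null. The enclosing method starts and ends outside the hunk.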
@@ -177,10 +182,7 @@ public class PrepRequestProcessor extend AuthenticationProvider ap = ProviderRegistry.getProvider(id .getScheme()); if (ap != null) { - for (Id authId : ids) { - if (authId.getScheme().equals("super")) { - return; - } + for (Id authId : ids) { if (authId.getScheme().equals(id.getScheme()) && ap.matches(authId.getId(), id.getId())) { return; Modified: hadoop/zookeeper/branches/branch-3.3/src/java/test/org/apache/zookeeper/test/AuthTest.java URL: http://svn.apache.org/viewvc/hadoop/zookeeper/branches/branch-3.3/src/java/test/org/apache/zookeeper/test/AuthTest.java?rev=1027758&r1=1027757&r2=1027758&view=diff ============================================================================== --- hadoop/zookeeper/branches/branch-3.3/src/java/test/org/apache/zookeeper/test/AuthTest.java (original) +++ hadoop/zookeeper/branches/branch-3.3/src/java/test/org/apache/zookeeper/test/AuthTest.java Tue Oct 26 22:05:58 2010 @@ -122,4 +122,28 @@ public class AuthTest extends ClientBase zk.close(); } } + + @Test + public void testSuperACL() throws Exception { + ZooKeeper zk = createClient(); + try { + zk.addAuthInfo("digest", "pat:pass".getBytes()); + zk.create("/path1", null, Ids.CREATOR_ALL_ACL, + CreateMode.PERSISTENT); + zk.close(); + // verify super can do anything and ignores ACLs + zk = createClient(); + zk.addAuthInfo("digest", "super:test".getBytes()); + zk.getData("/path1", false, null); + + zk.setACL("/path1", Ids.READ_ACL_UNSAFE, -1); + + zk.create("/path1/foo", null, Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT); + + zk.setACL("/path1", Ids.OPEN_ACL_UNSAFE, -1); + + } finally { + zk.close(); + } + } } \ No newline at end of file
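Review bot: `testSuperACL` in AuthTest.java only exercises the positive path, so it would still pass if the new early return in PrepRequestProcessor granted the bypass too broadly. It needs a negative control placed before the first `setACL` call, while `/path1` still carries `CREATOR_ALL_ACL`: a client that authenticates with a non-matching super password (the constructed value `super:wrong` below) must get a NoAuth error on `getData`. The test also depends on the server being configured with a digest for `super:test`, which is not visible in this hunk; a one-line comment pointing at where that is set would help. `Assert` and `KeeperException` are assumed to be already imported by the test class.

```java
// … unchanged: pat creates /path1 with CREATOR_ALL_ACL and closes the session …
// a non-matching super password must NOT bypass ACLs
ZooKeeper bad = createClient();
try {
    bad.addAuthInfo("digest", "super:wrong".getBytes());
    bad.getData("/path1", false, null);
    Assert.fail("expected NoAuth for a non-matching super digest");
} catch (KeeperException.NoAuthException expected) {
    // ACL is still enforced for this session
} finally {
    bad.close();
}
// … unchanged: super:test session reads, sets ACLs and creates the child …
```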