RE: ACL question w/ Zookeeper 3.1.1

2009-09-21 Thread Todd Greenwood
 = false
eventOfDeath = {java.lang.obj...@1392}
lastZxid = 1
xid = 3
response = {org.apache.zookeeper.proto.createrespo...@1365}\n
r = {org.apache.zookeeper.proto.replyhea...@1445}0,0,-112\n
request =
{org.apache.zookeeper.proto.createrequ...@1360}'/ACLTest,,v{s{31,s{'aut
h,'}}},0\n
path = {java.lang.str...@1314}/ACLTest
data = {byte...@1339}
acl = {java.util.arrayl...@1242} size = 1
flags = 0
path = {java.lang.str...@1314}/ACLTest
h = {org.apache.zookeeper.proto.requesthea...@1352}2,1\n
cnxn = {org.apache.zookeeper.clientc...@1381}sessionId:
0x123de5b3b1b\nlastZxid: 1\nxid: 3\nnextAddrToTry: 0\nserverAddrs:
/127.0.0.1:2181\n


--
v5

NOTE: If I use Ids.OPEN_ACL_UNSAFE, then everything works fine. Here's
an example of the debug state after a create()...
--

this = {org.apache.zookeeper.zookee...@1266}
watchManager = {org.apache.zookeeper.zookeeper$zkwatchmana...@1397}
state = {org.apache.zookeeper.zookeeper$sta...@1398}CONNECTED
cnxn = {org.apache.zookeeper.clientc...@1374}sessionId:
0x123de6ba8de\nlastZxid: 2\nxid: 3\nnextAddrToTry: 0\nserverAddrs:
/127.0.0.1:2181\n
serverAddrs = {java.util.arrayl...@1403} size = 1
authInfo = {java.util.arrayl...@1404} size = 1
[0] = {org.apache.zookeeper.clientcnxn$authd...@1415}
scheme = {java.lang.str...@1244}digest
data = {byte[...@1416}
pendingQueue = {java.util.linkedl...@1405} size = 0
outgoingQueue = {java.util.linkedl...@1406} size = 0
nextAddrToTry = 0
connectTimeout = 4
readTimeout = 2
sessionTimeout = 5
zooKeeper = {org.apache.zookeeper.zookee...@1266}
watcher = {org.apache.zookeeper.zookeeper$zkwatchmana...@1397}
sessionId = 82153772198789120
sessionPasswd = {byte[...@1407}
sendThread =
{org.apache.zookeeper.clientcnxn$sendthr...@1259}Thread[main-SendThread
,5,main]
eventThread =
{org.apache.zookeeper.clientcnxn$eventthr...@1265}Thread[main-EventThre
ad,5,main]
selector = {sun.nio.ch.epollselectori...@1408}
closing = false
eventOfDeath = {java.lang.obj...@1409}
lastZxid = 2
xid = 3
response = {org.apache.zookeeper.proto.createrespo...@1360}'/ACLTest\n
r = {org.apache.zookeeper.proto.replyhea...@1389}2,2,0\n
xid = 2
zxid = 2
err = 0
request =
{org.apache.zookeeper.proto.createrequ...@1355}'/ACLTest,,v{s{15,s{'wor
ld,'anyone}}},0\n
path = {java.lang.str...@1314}/ACLTest
h = {org.apache.zookeeper.proto.requesthea...@1347}2,1\n
cnxn = {org.apache.zookeeper.clientc...@1374}sessionId:
0x123de6ba8de\nlastZxid: 2\nxid: 3\nnextAddrToTry: 0\nserverAddrs:
/127.0.0.1:2181\n

 -Original Message-
 From: Todd Greenwood [mailto:to...@audiencescience.com]
 Sent: Friday, September 18, 2009 11:27 AM
 To: Patrick Hunt; zookeeper-...@hadoop.apache.org; zookeeper-
 u...@hadoop.apache.org
 Subject: RE: ACL question w/ Zookeeper 3.1.1
 
 Patrick / Mahadev,
 
 Thanks for the heads-up!
 
 Apparently I *am* receiving email from zookeeper-user but it is being
 filtered out as spam. This just started happening, but I'll rectify on
 my end.
 
 I'm working thru Mahadev's response and will respond shortly (and search
 for other postings, as well). Apologies for the cross post.
 
 -Todd
 
  -Original Message-
  From: Patrick Hunt [mailto:ph...@apache.org]
  Sent: Friday, September 18, 2009 11:19 AM
  To: zookeeper-...@hadoop.apache.org; zookeeper-user@hadoop.apache.org
  Cc: Todd Greenwood
  Subject: Re: ACL question w/ Zookeeper 3.1.1
 
  Todd, there were other responses as well. Are you seeing other traffic
  from the lists? (perhaps a spam filtering issue?)
 
  Patrick
 
  Mahadev Konar wrote:
   Hi Todd,
   We did respond on zookeeper-user. Here is my response in case you didn't
   see it...


   Hi Todd,
   From what I understand, you are saying that a creator_all_acl does not
   work with auth?

   I tried the following with CREATOR_ALL_ACL and it seemed to work for
   me...

   import org.apache.zookeeper.CreateMode;
   import org.apache.zookeeper.WatchedEvent;
   import org.apache.zookeeper.Watcher;
   import org.apache.zookeeper.ZooKeeper;
   import org.apache.zookeeper.data.ACL;
   import org.apache.zookeeper.ZooDefs.Ids;
   import java.util.ArrayList;
   import java.util.List;

   public class TestACl implements Watcher {

       public static void main(String[] argv) throws Exception {
           List<ACL> acls = new ArrayList<ACL>(1);
           String authentication_type = "digest";
           String authentication = "mahadev:some";

           for (ACL ids_acl : Ids.CREATOR_ALL_ACL) {
               acls.add(ids_acl);
           }
           TestACl tacl = new TestACl();
           ZooKeeper zoo = new ZooKeeper("localhost:2181", 3000, tacl);
           // Credentials are added before the create that uses CREATOR_ALL_ACL.
           zoo.addAuthInfo(authentication_type, authentication.getBytes());
           zoo.create("/some", new byte[0], acls, CreateMode.PERSISTENT);
           zoo.setData("/some", new byte[0], -1);
       }

       @Override
       public void process(WatchedEvent event) {
           // No-op watcher.
       }
   }
  
  
   And it worked

Re: ACL question w/ Zookeeper 3.1.1

2009-09-21 Thread Patrick Hunt
-
this = {org.apache.zookeeper.zookee...@1267}
watchManager = {org.apache.zookeeper.zookeeper$zkwatchmana...@1379}
state = {org.apache.zookeeper.zookeeper$sta...@1453}CLOSED
cnxn = {org.apache.zookeeper.clientc...@1381}sessionId:
0x123de5b3b1b\nlastZxid: 1\nxid: 3\nnextAddrToTry: 0\nserverAddrs:
/127.0.0.1:2181\n
serverAddrs = {java.util.arrayl...@1386} size = 1
authInfo = {java.util.arrayl...@1387} size = 1
[0] = {org.apache.zookeeper.clientcnxn$authd...@1398}
scheme = {java.lang.str...@1244}digest
data = {byte[...@1399}
pendingQueue = {java.util.linkedl...@1388} size = 0
outgoingQueue = {java.util.linkedl...@1389} size = 0
nextAddrToTry = 0
connectTimeout = 4
readTimeout = 2
sessionTimeout = 5
zooKeeper = {org.apache.zookeeper.zookee...@1267}
watcher = {org.apache.zookeeper.zookeeper$zkwatchmana...@1379}
sessionId = 82153701637816320
sessionPasswd = {byte[...@1390}
sendThread =
{org.apache.zookeeper.clientcnxn$sendthr...@1259}Thread[main-SendThread
,5,]
eventThread =
{org.apache.zookeeper.clientcnxn$eventthr...@1266}Thread[main-EventThre
ad,5,main]
selector = {sun.nio.ch.epollselectori...@1391}
closing = false
eventOfDeath = {java.lang.obj...@1392}
lastZxid = 1
xid = 3
response = {org.apache.zookeeper.proto.createrespo...@1365}\n
r = {org.apache.zookeeper.proto.replyhea...@1445}0,0,-112\n
request =
{org.apache.zookeeper.proto.createrequ...@1360}'/ACLTest,,v{s{31,s{'aut
h,'}}},0\n
path = {java.lang.str...@1314}/ACLTest
data = {byte...@1339}
acl = {java.util.arrayl...@1242} size = 1
flags = 0
path = {java.lang.str...@1314}/ACLTest
h = {org.apache.zookeeper.proto.requesthea...@1352}2,1\n
cnxn = {org.apache.zookeeper.clientc...@1381}sessionId:
0x123de5b3b1b\nlastZxid: 1\nxid: 3\nnextAddrToTry: 0\nserverAddrs:
/127.0.0.1:2181\n



Re: ACL question w/ Zookeeper 3.1.1

2009-09-21 Thread Patrick Hunt

Todd Greenwood wrote:

Patrick,

Thanks, I'll spend some more time trying to create a more concise repro,
and log a bug once I do. The only reason I posted this mash was to see
if the replyHeader error, 0,0,-112, made sense of the ACL exception.
 
The rest is just context...and clearly too much of that :o). I don't see
a difference between v3 and v4...The only differences that I can see are
between v4 and v5 (v4 fails and v5 succeeds):


I did see this diff btw 3/4, 3 has this:

request =
{org.apache.zookeeper.proto.createrequ...@1360}'/ACLTest,,v{},0\n

you don't have any acl specified for the node create, or is this 
supposed to be a working example w/o auth? (like I said, I'm confused...)




v4:

response = {org.apache.zookeeper.proto.createrespo...@1365}\n
r = {org.apache.zookeeper.proto.replyhea...@1445}0,0,-112\n




-112 return code is session expired, not auth failure. According to
this your client's session expired, but w/o more info (code/log or idea
of what your test is doing) I can't really speculate why you are getting
this (old client session that was not shutdown correctly and finally
expired while running a different/new test?)


Patrick


v5:

response = {org.apache.zookeeper.proto.createrespo...@1360}'/ACLTest\n
r = {org.apache.zookeeper.proto.replyhea...@1389}2,2,0\n


-Todd


-Original Message-
From: Patrick Hunt [mailto:ph...@apache.org]
Sent: Monday, September 21, 2009 4:14 PM
To: zookeeper-user@hadoop.apache.org; Todd Greenwood
Subject: Re: ACL question w/ Zookeeper 3.1.1

Todd, I spent some time looking at your output and honestly I'm having
trouble making sense of what you are saying. What's the diff btw v3 &
v4? I'm afraid there are too many variables, can you help nail things
down?

1) create a jira for this
https://issues.apache.org/jira/browse/ZOOKEEPER

2) if at all possible attach the code you are running that has problems,
seems like you've boiled it down to a case where it is deterministic,
this would be the best for us to debug. If you can't attach the code
then include snippets - in particular the addAuthInfo call (w/parameter
details) for your clients, and the individual create calls, including
the acl specifics - and describe what your client(s) are doing in detail
so that we can attempt to reproduce.

3) attach a trace level log from both the server and client during your
test run, point out the time index when you see the auth failure.


btw, you might try doing a getACL(path...) just before the operation
that's failing - it will give you some insight into what the acl is set
to for that node.

Patrick

Todd Greenwood wrote:

Patrick / Mahadev,

I've spent the last couple of days attempting to isolate this issue, and
this is what I've come up with...

Mahadev's simple use case works fine, as posted. However, my more
involved use cases are consistently failing w/ InvalidACL exceptions
when I use digest authentication with Ids.CREATOR_ALL_ACL:

java.lang.Exception:
com.audiencescience.util.zookeeper.wrapper.ZooWrapperException:
org.apache.zookeeper.KeeperException$InvalidACLException:
KeeperErrorCode = InvalidACL for /ACLTest

Prior to throwing this exception, the response is
(Zookeeper.java:create()):
r = {org.apache.zookeeper.proto.replyhea...@1445}0,0,-112\n
More debug data below.

So, while I can get Mahadev's simple example to work, I cannot get a
more involved use case to work correctly. However, if I change my code
to use Ids.OPEN_ACL_UNSAFE, then everything works fine. Example debug
output below at v5.

Could someone point me at non-trivial test cases for ACLs, and perhaps
give me some insight into how to debug this issue further?

-Todd


---
Code Snippet ZooKeeper.java
---

public String create(String path, byte data[], List<ACL> acl,
        CreateMode createMode)
    throws KeeperException, InterruptedException
{
    validatePath(path);

    RequestHeader h = new RequestHeader();
    h.setType(ZooDefs.OpCode.create);
    CreateRequest request = new CreateRequest();
    CreateResponse response = new CreateResponse();
    request.setData(data);
    request.setFlags(createMode.toFlag());
    request.setPath(path);
    // Client-side check: an empty ACL list is rejected before any request is sent.
    if (acl != null && acl.size() == 0) {
        throw new KeeperException.InvalidACLException();
    }
    request.setAcl(acl);
    ReplyHeader r = cnxn.submitRequest(h, request, response, null);

    // v3
    // v5

    if (r.getErr() != 0) {

        // v4

        throw KeeperException.create(KeeperException.Code.get(r.getErr()),
                path);
    }
    return response.getPath();
}


-
v3
-
this = {org.apache.zookeeper.zookee...@1267}
watchManager = {org.apache.zookeeper.zookeeper$zkwatchmana...@1379}
state
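
Added example (not part of the original thread and not ZooKeeper project code): a small Python decoder for the debugger strings discussed above, which turns a CreateRequest dump into path/ACL/flags and a ReplyHeader dump into xid/zxid/err with the error name. The function names are hypothetical; the error names and permission bits are the values of KeeperException.Code and ZooDefs.Perms, and the sample strings are copied from the thread.

```python
# Added example: decodes the record text quoted in the thread's debug dumps.
ERR_NAMES = {  # subset of org.apache.zookeeper.KeeperException.Code
    0: "OK", -4: "CONNECTIONLOSS", -101: "NONODE", -102: "NOAUTH",
    -110: "NODEEXISTS", -112: "SESSIONEXPIRED", -114: "INVALIDACL",
    -115: "AUTHFAILED",
}
PERM_BITS = [(1, "READ"), (2, "WRITE"), (4, "CREATE"),  # ZooDefs.Perms
             (8, "DELETE"), (16, "ADMIN")]

# Copied from the v4 dump in the thread, mail line wrap included.
V4_REQUEST = r"""'/ACLTest,,v{s{31,s{'aut
h,'}}},0\n"""
V4_REPLY = r"0,0,-112\n"


def _clean(dump):
    """Undo mail line wrapping and drop the literal trailing backslash-n."""
    text = "".join(dump.split())  # assumes no whitespace inside values
    return text[:-2] if text.endswith("\\n") else text


def _value(s, i):
    """Parse one field starting at s[i]; return (value, next index)."""
    if s.startswith(("v{", "s{"), i):  # vector or struct becomes a list
        items, i = [], i + 2
        while i < len(s) and s[i] != "}":
            item, i = _value(s, i)
            items.append(item)
            if i < len(s) and s[i] == ",":
                i += 1
        if i >= len(s):
            raise ValueError("unbalanced braces in dump")
        return items, i + 1
    j = i
    while j < len(s) and s[j] not in ",}":
        j += 1
    return s[i:j], j


def _record(dump):
    """Split a top-level record into its comma-separated fields."""
    s, fields, i = _clean(dump), [], 0
    while True:
        value, i = _value(s, i)
        fields.append(value)
        if i >= len(s):
            return fields
        if s[i] != ",":
            raise ValueError("unexpected %r at offset %d" % (s[i], i))
        i += 1


def _text(field):
    """String fields carry a leading apostrophe in this format."""
    return field[1:] if field.startswith("'") else field


def decode_create_request(dump):
    """Fields in order: path, data, acl, flags (as in the thread's dump)."""
    path, _data, acl, flags = _record(dump)
    entries = []
    for perms, (scheme, ident) in acl:
        names = [name for bit, name in PERM_BITS if int(perms) & bit]
        entries.append({"scheme": _text(scheme), "id": _text(ident),
                        "perms": names})
    return {"path": _text(path), "acl": entries, "flags": int(flags)}


def decode_reply_header(dump):
    """Fields in order: xid, zxid, err."""
    xid, zxid, err = (int(v) for v in _record(dump))
    return {"xid": xid, "zxid": zxid, "err": err,
            "name": ERR_NAMES.get(err, "UNKNOWN")}


if __name__ == "__main__":
    print(decode_create_request(V4_REQUEST))
    print(decode_reply_header(V4_REPLY))
```

Run on the v4 strings, it shows an `auth` entry with an empty id and all five permission bits, and a reply header whose err field names a session expiry rather than an ACL or auth error.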

RE: ACL question w/ Zookeeper 3.1.1

2009-09-21 Thread Todd Greenwood
Patrick,

In v3/4, I am using Ids.CREATOR_ALL_ACL. In v5 Ids.OPEN_ACL_UNSAFE. In
all cases, ACLs are specified and authentication credentials have been
added to zookeeper instance.

--
CODE
---
// v5
//for ( ACL ids_acl : Ids.CREATOR_ALL_ACL )
//{
//acl.add( ids_acl );
//}

// v3/4
for ( ACL ids_acl : Ids.OPEN_ACL_UNSAFE )
{
acl.add( ids_acl );
}

// all cases (v3,4,5) have authentication credentials set
zoo = new ZooKeeper( connection_string, connectiontimeout, this );
zoo.addAuthInfo( authentication_type, authentication.getBytes() );

// all cases (v3,4,5) use the acl defined above
zoo.create( normPath(path), new byte[0], acl, mode );

I'll investigate further and log a bug if I can isolate this.

-Todd


Re: ACL question w/ Zookeeper 3.1.1

2009-09-17 Thread Mahadev Konar
Hi Todd,
 From what I understand, you are saying that a creator_all_acl does not work
with auth?

 I tried the following with CREATOR_ALL_ACL and it seemed to work for me...

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.ZooDefs.Ids;
import java.util.ArrayList;
import java.util.List;

public class TestACl implements Watcher {

    public static void main(String[] argv) throws Exception {
        List<ACL> acls = new ArrayList<ACL>(1);
        String authentication_type = "digest";
        String authentication = "mahadev:some";

        for (ACL ids_acl : Ids.CREATOR_ALL_ACL) {
            acls.add(ids_acl);
        }
        TestACl tacl = new TestACl();
        ZooKeeper zoo = new ZooKeeper("localhost:2181", 3000, tacl);
        // Credentials are added before the create that uses CREATOR_ALL_ACL.
        zoo.addAuthInfo(authentication_type, authentication.getBytes());
        zoo.create("/some", new byte[0], acls, CreateMode.PERSISTENT);
        zoo.setData("/some", new byte[0], -1);
    }

    @Override
    public void process(WatchedEvent event) {
        // No-op watcher.
    }
}


And it worked on my set of zookeeper servers

And then I tried

Without auth 

Getdata(/some) 

Which correctly gave me the error:


Exception in thread "main" org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /some
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:104)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:42)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:892)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:921)
    at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:692)
    at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:579)
    at org.apache.zookeeper.ZooKeeperMain.executeLine(ZooKeeperMain.java:351)
    at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:309)
    at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:268)


Is this what you are trying to do?

Thanks
mahadev
On 9/17/09 5:05 PM, Todd Greenwood to...@audiencescience.com wrote:

 I'm attempting to secure a zookeeper installation using zookeeper ACLs.
 However, I'm finding that while Ids.OPEN_ACL_UNSAFE works great, my
 attempts at using Ids.CREATOR_ALL_ACL are failing. Here's a code
 snippet:
 
 
 public class ZooWrapper
 {
 
 /*
 1. Here I'm setting up my authentication. I've got an ACL list, and my
 authentication strings.
 */
 private final List<ACL> acl = new ArrayList<ACL>( 1 );
 private static final String authentication_type = "digest";
 private static final String authentication = "audiencescience:gravy";
 
 
 public ZooWrapper( final String connection_string,
                    final String path,
                    final int connectiontimeout ) throws ZooWrapperException
 {
 ...
 /*
 2. Here I'm adding the acls
 */
 
 // This works (creates nodes, sets data on nodes)
 for ( ACL ids_acl : Ids.OPEN_ACL_UNSAFE )
 {
 acl.add( ids_acl);
 }
 
 /*
 NOTE:  This does not work (nodes are not created, cannot set data on
 nodes b/c nodes do not exist)
 */
 
 //for ( ACL ids_acl : Ids.CREATOR_ALL_ACL )
 //{
 //acl.add( ids_acl );
 //}
 
 /*
 3. Finally, I create a new zookeeper instance and add my authorization
 info to it.
 */
  zoo = new ZooKeeper( connection_string, connectiontimeout, this );
  zoo.addAuthInfo( authentication_type, authentication.getBytes() );
 
 /*
 4. Later, I try to write some data into zookeeper by first creating the
 node, and then calling setdata...
 */
   zoo.create( path, new byte[0], acl, CreateMode.PERSISTENT );
 
   zoo.setData( path, bytes, -1 );
 
 As I mentioned above, when I add Ids.OPEN_ACL_UNSAFE to acl, then both
 the create and setData succeed. However, when I use Ids.CREATOR_ALL_ACL,
 then the nodes are not created. Am I missing something obvious w/
 respect to configuring ACLs?
 
 I've used the following references:
 
 http://hadoop.apache.org/zookeeper/docs/r3.1.1/zookeeperProgrammers.html
 
 http://mail-archives.apache.org/mod_mbox/hadoop-zookeeper-commits/200807
 .mbox/%3c20080731201025.c62092388...@eris.apache.org%3e
 
 http://books.google.com/books?id=bKPEwR-Pt6ECpg=PT404lpg=PT404dq=zook
 eeper+ACL+digest+%22new+Id%22source=blots=kObz0y8eFksig=VFCAsNW0mBJyZ
 swoweJDI31iNlohl=enei=Z82ySojRFsqRlAeqxsyIDwsa=Xoi=book_resultct=re
 sultresnum=6#v=onepageq=zookeeper%20ACL%20digest%20%22new%20Id%22f=fa
 lse
 
 -Todd