Hi Pat,

Thanks for looking. Actually I'm using the 3.4.3 release, and I have seen 
similar checks for parsing the ACLs in this version also.

I have created /app1 and /app2 using the following commands:

create /app1 "" sasl:hbase/[email protected]:cdrwa
create /app2 "" sasl:hbase/[email protected]:cdrwa

I just saw the following ACL check in PrepRequestProcessor.java for the delete 
command:

                checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);

Here the delete command is using 'parentRecord.acl' for ACL checks. In my case app1 
and app2 are created directly under '/'. 
If my understanding is correct, '/' has the ZooDefs.Ids.ANYONE_ID_UNSAFE permission, 
and when any user comes to delete the children of '/', it's just validating 
against 'world:anyone' of the root and allowing the delete. I'm worried about the 
authentication of the znodes under the root node. I'd like to know your opinion 
on this.

Thanks,
Rakesh
________________________________________
From: Patrick Hunt [[email protected]]
Sent: Friday, May 25, 2012 5:48 AM
To: [email protected]
Subject: Re: sasl authentication is given to the user during create nodes, node 
deletion is happening with 'delete' cmd

When you created the znodes did you specify acls or just take the
defaults? (zkcli defaults are permissive), here's the create znode
code:

        List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
        if (args.length > 3) {
            acl = AclParser.parse(args[3]);
        }

Patrick

On Tue, May 22, 2012 at 3:49 AM, Rakesh R <[email protected]> wrote:
> Hi All,
>
> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using 
> the delete command.
>
> Say, I have created two znodes:
>
>  'app1' directly under '/' with hbase/[email protected]
>  'app2' directly under '/' with hbase/[email protected]
>
> Now, I have logged in as zkcli/[email protected]
>  and this is not given as super user. When I tried to delete the znodes 
> '/app1' and '/app2', it is allowing and not authenticating.
>
> Here, I'm thinking that 'zkcli' will not have the access to delete these two 
> nodes.
>
> Is this a problem, or am I missing anything? Can you please help me to resolve 
> this, and how can the security be applied here?
>
>
> Thanks,
> Rakesh
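
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ZooKeeper source code: a simplified Python model of the delete check against parentRecord.acl. The principals sasl:hbase and sasl:zkcli are constructed short names, and the /apps parent znode is a hypothetical layout; the super user, skipACL and child checks of the real server are left out.

```python
# Simplified model of ZooKeeper's ACL evaluation (not ZooKeeper source code).
# Permission bit values match ZooDefs.Perms.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

def check_acl(acl, perm, auth_ids):
    """Allow if any ACL entry grants perm to world:anyone or to a caller identity."""
    for scheme, ident, perms in acl:
        if perms & perm and ((scheme, ident) == ("world", "anyone")
                             or (scheme, ident) in auth_ids):
            return
    raise PermissionError("NoAuth")

class Tree:
    def __init__(self):
        # Root starts open, as the thread describes: world:anyone with all perms.
        self.acls = {"/": [("world", "anyone", ALL)]}

    @staticmethod
    def parent(path):
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path, acl, auth_ids):
        check_acl(self.acls[self.parent(path)], CREATE, auth_ids)
        self.acls[path] = acl

    def delete(self, path, auth_ids):
        # DELETE is checked on the parent's ACL; the node's own ACL is not consulted.
        check_acl(self.acls[self.parent(path)], DELETE, auth_ids)
        del self.acls[path]

def try_delete(tree, path, auth_ids):
    try:
        tree.delete(path, auth_ids)
        return "deleted"
    except PermissionError:
        return "NoAuth"

# Constructed principals: short names stand in for the redacted Kerberos principals.
HBASE, ZKCLI = [("sasl", "hbase")], [("sasl", "zkcli")]

def demo():
    t = Tree()
    t.create("/app1", [("sasl", "hbase", ALL)], HBASE)       # layout from the thread
    open_root = try_delete(t, "/app1", ZKCLI)
    t.create("/apps", [("sasl", "hbase", ALL)], HBASE)       # hypothetical restricted parent
    t.create("/apps/app1", [("sasl", "hbase", ALL)], HBASE)
    return open_root, try_delete(t, "/apps/app1", ZKCLI), try_delete(t, "/apps/app1", HBASE)
```

demo() returns the outcome of zkcli deleting /app1 under the open root, zkcli deleting /apps/app1 under the restricted parent, and hbase deleting /apps/app1.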
