You can use setacl on root if you'd like to change permissions to be more restrictive.

Patrick

On Fri, May 25, 2012 at 7:52 AM, Rakesh R <[email protected]> wrote:
> Hi Pat,
>
> Thanks for looking. Actually I'm using 3.4.3 release, and I have seen the
> similar checks for parsing the ACLs in this version also.
>
> I have created /app1 and /app2 using the following commands:
>
> create /app1 "" sasl:hbase/[email protected]:cdrwa
> create /app2 "" sasl:hbase/[email protected]:cdrwa
>
> I just saw the following acl checks in the PrepRequestProcessor.java for
> delete command:
>
>     checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE,
>             request.authInfo);
>
> Here delete command is using 'parentRecord.acl' for Acl checks. In my case
> app1 and app2 are created directly under the '/'.
> If my understanding is correct, '/' has ZooDefs.Ids.ANYONE_ID_UNSAFE
> permission and when any user comes for deleting the children of '/', it's just
> validating against 'world:anyone' of root and allowing to delete. I'm
> worrying about the authentication of the znodes under root node? I'd like
> to know your opinion on this.
>
> Thanks,
> Rakesh
> ________________________________________
> From: Patrick Hunt [[email protected]]
> Sent: Friday, May 25, 2012 5:48 AM
> To: [email protected]
> Subject: Re: sasl authentication is given to the user during create nodes,
> node deletion is happening with 'delete' cmd
>
> When you created the znodes did you specify acls or just take the
> defaults? (zkcli defaults are permissive), here's the create znode
> code:
>
>     List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
>     if (args.length > 3) {
>         acl = AclParser.parse(args[3]);
>     }
>
> Patrick
>
> On Tue, May 22, 2012 at 3:49 AM, Rakesh R <[email protected]> wrote:
>> Hi All,
>>
>> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using
>> the delete command.
>>
>> Say, I have created two znodes:
>>
>> 'app1' directly under '/' with hbase/[email protected]
>> 'app2' directly under '/' with hbase/[email protected]
>>
>> Now, I have logged in as zkcli/[email protected]
>> and this is not given as super user. When I tried to delete the znodes
>> '/app1' and '/app2', it is allowing and not authenticating.
>>
>> Here, I'm thinking that 'zkcli' will not have the access to delete these two
>> nodes.
>>
>> Is this a problem or anything I'm missing? Can you please help me to resolve
>> this and how the security can be applied here.
>>
>>
>> Thanks,
>> Rakesh
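
Added example (not part of the original thread and not ZooKeeper source): a simplified Python model of the check discussed above, showing why a znode's own ACL does not protect it from deletion while its parent is world:anyone:cdrwa, and what restricting the root ACL changes. The ids "hbase" and "zkcli" and the Tree class are constructed for illustration; the super scheme and the empty-ACL case are left out.

```python
# Simplified model of ZooKeeper's ACL check (constructed; not ZooKeeper source).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16   # ZooDefs.Perms bit values
ALL = READ | WRITE | CREATE | DELETE | ADMIN

class NoAuth(Exception):
    pass  # stands in for KeeperException.NoAuthException

def check_acl(acl, perm, auth_ids):
    """Pass if any ACL entry granting `perm` matches world:anyone or a session id."""
    for scheme, ident, perms in acl:
        if perms & perm and ((scheme, ident) == ("world", "anyone")
                             or (scheme, ident) in auth_ids):
            return
    raise NoAuth(perm)

class Tree:
    def __init__(self):
        # Root starts with the open default: world:anyone:cdrwa
        self.acls = {"/": [("world", "anyone", ALL)]}

    def parent(self, path):
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path, acl, auth_ids):
        check_acl(self.acls[self.parent(path)], CREATE, auth_ids)
        self.acls[path] = acl

    def delete(self, path, auth_ids):
        # Parent's ACL is checked for DELETE; the znode's own ACL is not consulted.
        check_acl(self.acls[self.parent(path)], DELETE, auth_ids)
        del self.acls[path]

    def set_acl(self, path, acl, auth_ids):
        check_acl(self.acls[path], ADMIN, auth_ids)
        self.acls[path] = acl

def demo():
    hbase, zkcli = {("sasl", "hbase")}, {("sasl", "zkcli")}   # constructed ids
    t = Tree()
    for p in ("/app1", "/app2"):
        t.create(p, [("sasl", "hbase", ALL)], hbase)
    t.delete("/app1", zkcli)                # allowed: "/" is world:anyone:cdrwa
    # Restrict root: everyone may read, only hbase may create/delete children.
    t.set_acl("/", [("world", "anyone", READ), ("sasl", "hbase", ALL)], hbase)
    try:
        t.delete("/app2", zkcli)
    except NoAuth:
        return True, sorted(t.acls)         # denied once root is restricted
    return False, sorted(t.acls)
```

Because the model keeps the open default on "/" until set_acl runs, any session could also have changed the root ACL first; restricting ADMIN on the root closes that as well.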
