Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-1782

zookeeper.superUser is not as super as superDigest

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.4.5
    • 3.5.4, 3.6.0
    • None
    • None

    Description

      The zookeeper.superUser system property does not fully grant super user privileges, like zookeeper.DigestAuthenticationProvider.superDigest does.

      zookeeper.superUser only has as many privileges as the sasl ACLs on the znode being accessed. This means that if a znode only has digest ACLs zookeeper.superUser is ignored. Or if a znode has a single sasl ACL that only has read privileges zookeeper.superUser only has read privileges.

      The reason for this is that SASLAuthenticationProvider implements the superUser check in the matches method, instead of having the super user include a new Id("super","") as Digest does.

      Attachments

        1. zk-1782.patch
          2 kB
          Robert Joseph Evans
        2. zk-1782.patch
          7 kB
          Robert Joseph Evans

        Issue Links

          Activity

            People

              revans2 Robert Joseph Evans
              revans2 Robert Joseph Evans
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: