Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2590

exists() should check read ACL permission

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None

      Description

      As hinted here, even if a parent znode path has restricted READ access it's possible to issue an exists() operation on any child znode of that given path.

      For example, the snippet below doesn't throw NoAuthExceptio, even tough it removes ACL rights to "/":

              zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
              ArrayList<ACL> acls = new ArrayList<>();
              acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
      
              zk.setACL("/", acls, -1);
      
              Stat r = zk.exists("/a", false);
      

      Also, in the above example, what if the removed READ access for "/a"? Should we allow a call to exists("/a") to succeed even if it returns the znode metadata info?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                maoling Ling Mao
                Reporter:
                eribeiro Edward Ribeiro
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m