Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2590

exists() should check read ACL permission

    XMLWordPrintableJSON

Details

    Description

      As hinted here, even if a parent znode path has restricted READ access it's possible to issue an exists() operation on any child znode of that given path.

      For example, the snippet below doesn't throw NoAuthExceptio, even tough it removes ACL rights to "/":

              zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        ArrayList<ACL> acls = new ArrayList<>();
        acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));

        zk.setACL("/", acls, -1);

        Stat r = zk.exists("/a", false);

      Also, in the above example, what if the removed READ access for "/a"? Should we allow a call to exists("/a") to succeed even if it returns the znode metadata info?

      Attachments

        Issue Links

          breaks

          Task - A task that needs to be done. HBASE-28444 Bump org.apache.zookeeper:zookeeper from 3.8.3 to 3.8.4

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved
          links to

          Web Link GitHub Pull Request #1298

          Web Link GitHub Pull Request #2093

          Web Link GitHub Pull Request #2096

          Activity

            People

              andor Andor Molnar
              eribeiro Edward Ribeiro
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 3h 10m
                  3h 10m