Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2772

Delete node command does not honor Acl policy

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 3.4.8, 3.4.10
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      I set the acl to not be able to delete a node - but was able to delete regardless.

      I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue. I will paste his response below - sorry for the long listing.

      Martin's reply are inline prefixed with: MG>

      ----------
      From: joe smith <water4u99@yahoo.com.INVALID>
      Sent: Tuesday, May 2, 2017 8:40 AM
      To: user@zookeeper.apache.org
      Subject: Acl block detete not working

      Hi,
      I'm using 3.4.10 and setting custom aol to block deletion of a znode. However, I'm able to delete the node even after I've set acl from cdrwa to cra.

      Can anyone point out if I missed some step.

      Thanks for the help

      Here is the trace:
      [zk: localhost:2181(CONNECTED) 0] ls /
      [zookeeper]

      [zk: localhost:2181(CONNECTED) 1] create /test "data"
      Created /test

      [zk: localhost:2181(CONNECTED) 2] ls /
      [zookeeper, test]

      [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
      [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
      cZxid = 0x2
      ctime = Tue May 02 08:28:42 EDT 2017
      mZxid = 0x2
      mtime = Tue May 02 08:28:42 EDT 2017
      pZxid = 0x2
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 4
      numChildren = 0

      MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object

      List<ACL> acl = AclParser.parse(aclStr);
      int version;
      if (cl.hasOption("v"))

      { version = Integer.parseInt(cl.getOptionValue("v")); } else { version = -1; }
      try {
      Stat stat = zk.setACL(path, acl, version);

      MG>later on in DeleteCommand there is no check for aforementioned acl parameter
      public boolean exec() throws KeeperException, InterruptedException {
      String path = args[1];
      int version;
      if (cl.hasOption("v")) { version = Integer.parseInt(cl.getOptionValue("v")); }

      else

      { version = -1; }

      try

      { zk.delete(path, version); }

      catch(KeeperException.BadVersionException ex)

      { err.println(ex.getMessage()); }

      return false;

      MG>as seen here the testCase works properly saving the Zookeeper object
      LsCommand entity = new LsCommand();
      entity.setZk(zk);

      MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs

      MG>can you report this bug to Zookeeper?
      https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel

      ZooKeeper - ASF JIRA - issues.apache.org<https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel>
      issues.apache.org
      Apache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7

      MG>Thanks Joe!

      [zk: localhost:2181(CONNECTED) 5] getAcl /test
      'myfqdn,'localhost
      : cra

      [zk: localhost:2181(CONNECTED) 6] get /testdata
      cZxid = 0x2
      ctime = Tue May 02 08:28:42 EDT 2017
      mZxid = 0x2
      mtime = Tue May 02 08:28:42 EDT 2017
      pZxid = 0x2
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 4
      numChildren = 0

      [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
      Authentication is not valid : /test

      [zk: localhost:2181(CONNECTED) 8] delete /test
      [zk: localhost:2181(CONNECTED) 9] ls /
      [zookeeper]

      [zk: localhost:2181(CONNECTED) 10]
      The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                water4u99@yahoo.com joe smith
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: