ZooKeeper
  1. ZooKeeper
  2. ZOOKEEPER-904

super digest is not actually acting as a full superuser

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.1
    • Fix Version/s: 3.3.2, 3.4.0
    • Component/s: server
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      The documentation states:
      New in 3.2: Enables a ZooKeeper ensemble administrator to access the znode hierarchy as a "super" user. In particular no ACL checking occurs for a user authenticated as super.

      However, if a super user does something like:
      zk.setACL("/", Ids.READ_ACL_UNSAFE, -1);

      the super user is now bound by read-only ACL. This is not what I would expect to see given the documentation. It can be fixed by moving the chec for the "super" authId in PrepRequestProcessor.checkACL to before the for(ACL a : acl) loop.

      1. ZOOKEEPER-904-332.patch
        2 kB
        Camille Fournier
      2. ZOOKEEPER-904.patch
        2 kB
        Camille Fournier

        Activity

        Hide
        Camille Fournier added a comment -

        Fix for trunk

        Show
        Camille Fournier added a comment - Fix for trunk
        Hide
        Patrick Hunt added a comment -

        Thanks for the patch, feel free to click "submit patch" once you have a patch ready to go. It transitions the workflow and lets us (committers) know to review your patch.

        Show
        Patrick Hunt added a comment - Thanks for the patch, feel free to click "submit patch" once you have a patch ready to go. It transitions the workflow and lets us (committers) know to review your patch.
        Hide
        Patrick Hunt added a comment -

        We should consider this for 3.3.2 as well, or at least 3.3.3

        Show
        Patrick Hunt added a comment - We should consider this for 3.3.2 as well, or at least 3.3.3
        Hide
        Camille Fournier added a comment -

        I would love it in 3.3.2, will upload a patch for that version.

        Show
        Camille Fournier added a comment - I would love it in 3.3.2, will upload a patch for that version.
        Hide
        Camille Fournier added a comment -

        for 3.3.2 release

        Show
        Camille Fournier added a comment - for 3.3.2 release
        Hide
        Mahadev konar added a comment -

        good catch. +1 for the patch. Ill run ant test and will commit to both 3.3.2 and 3.4.

        Show
        Mahadev konar added a comment - good catch. +1 for the patch. Ill run ant test and will commit to both 3.3.2 and 3.4.
        Hide
        Mahadev konar added a comment -

        Ran the tests, it passes. I just committed this to 3.3 and trunk.

        thanks Camille.

        Show
        Mahadev konar added a comment - Ran the tests, it passes. I just committed this to 3.3 and trunk. thanks Camille.
        Hide
        Hudson added a comment -

        Integrated in ZooKeeper-trunk #981 (See https://hudson.apache.org/hudson/job/ZooKeeper-trunk/981/)
        ZOOKEEPER-904. super digest is not actually acting as a full superuser (Camille Fournier via mahadev)

        Show
        Hudson added a comment - Integrated in ZooKeeper-trunk #981 (See https://hudson.apache.org/hudson/job/ZooKeeper-trunk/981/ ) ZOOKEEPER-904 . super digest is not actually acting as a full superuser (Camille Fournier via mahadev)

          People

          • Assignee:
            Camille Fournier
            Reporter:
            Camille Fournier
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development