[
https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107837#comment-14107837
]
Alexander Shraer commented on ZOOKEEPER-2014:
---------------------------------------------
Everything you guys are saying about admin-only controls sounds very
reasonable. I just want to clarify about the special reconfig znode. IMHO we
should not allow write permissions to this node. I don't even see why an admin
should have it :) it's set only through the reconfig API.
I do think that all clients should have read permissions, and here's why - the
information they get from this znode is the up-to-date connection string. When
the configuration changes this is the bare minimum they need in order not to
lose track of the system. When their server crashes they need to know whom to
connect to next. The new connection string is exactly the information we
exploit for rebalancing. It is even implemented inside the updateServerList
method, which is also needed in any case.
Regarding my suggestion - Hongchao opened a JIRA for it and you can read the
discussion there https://issues.apache.org/jira/browse/ZOOKEEPER-2016
Please especially see Marshall's comment.
All I'm proposing there is to implement some default behaviour that will save
most clients from setting a watch and invoking updateServerList - I suggest
that the client-side-library does it for them if they opt-in for the default
behaviour. It doesn't change APIs, just adds one more feature, so it doesn't
delay 3.5.0.
> Only admin should be allowed to reconfig a cluster
> --------------------------------------------------
>
> Key: ZOOKEEPER-2014
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.0
> Reporter: Raul Gutierrez Segales
> Assignee: Raul Gutierrez Segales
> Priority: Blocker
> Attachments: ZOOKEEPER-2014.patch
>
>
> ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We
> should, at the very least, ensure that only the Admin can reconfigure a
> cluster. Perhaps restricting access to /zookeeper/config as well, though this
> is debatable. Surely one could ensure Admin only access via an ACL, but that
> would leave everyone who doesn't use ACLs unprotected. We could also force a
> default ACL to make it a bit more consistent (maybe).
> Finally, making reconfig() only available to Admins means they have to run
> with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure
> if everyone does, or how it would work with other authentication providers).
--
This message was sent by Atlassian JIRA
(v6.2#6252)
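Added example (not code from the ZooKeeper project or from anyone in this thread) of what the comment above describes a 3.5 client doing on its own: read /zookeeper/config with nothing more than read permission, keep a watch on it, and feed the client addresses from each new configuration to updateServerList. The class name ConfigFollower, the helper connectStringFromConfig and the sample config in main are my own constructions; the parser assumes the 3.5 dynamic-config line format server.<id>=<host>:<quorumPort>:<electionPort>[:role];[<clientHost>:]<clientPort>, ignores version=, group. and weight. lines, and does not handle IPv6 literals.

```java
// Added example, not ZooKeeper project code. Assumes the 3.5 client API:
// ZooKeeper.getConfig(Watcher, Stat), ZooKeeper.updateServerList(String),
// ZooDefs.CONFIG_NODE == "/zookeeper/config".
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.Stat;

public class ConfigFollower implements Watcher {
    private final ZooKeeper zk;

    public ConfigFollower(ZooKeeper zk) throws KeeperException, InterruptedException, IOException {
        this.zk = zk;
        refresh();   // the initial read also arms the watch
    }

    // Re-read the config znode with this object as the watcher (watches are one-shot,
    // so every read re-arms it), then hand the new server list to the client library.
    private void refresh() throws KeeperException, InterruptedException, IOException {
        Stat stat = new Stat();
        byte[] data = zk.getConfig(this, stat);      // only READ on /zookeeper/config is needed
        String connectString = connectStringFromConfig(data);
        if (!connectString.isEmpty()) {
            zk.updateServerList(connectString);      // client may migrate to rebalance load
        }
    }

    @Override
    public void process(WatchedEvent event) {
        if (event.getType() == Event.EventType.NodeDataChanged
                && ZooDefs.CONFIG_NODE.equals(event.getPath())) {
            try {
                refresh();
            } catch (KeeperException | InterruptedException | IOException e) {
                // Hypothetical handling: keep the old server list and report the failure.
                System.err.println("config refresh failed: " + e);
            }
        }
    }

    // Build "host:port,host:port" from the client-address part of each server.N line.
    // Assumed line format: server.<id>=<host>:<quorumPort>:<electionPort>[:role];[<clientHost>:]<clientPort>
    static String connectStringFromConfig(byte[] data) {
        List<String> hostPorts = new ArrayList<>();
        for (String raw : new String(data, StandardCharsets.UTF_8).split("\n")) {
            String line = raw.trim();
            if (!line.startsWith("server.")) continue;   // skip version=, group., weight.
            String value = line.substring(line.indexOf('=') + 1);
            int semi = value.indexOf(';');
            if (semi < 0) continue;                       // this server publishes no client port
            String quorumHost = value.substring(0, semi).split(":")[0];
            String client = value.substring(semi + 1).trim();
            int colon = client.lastIndexOf(':');
            String host = colon < 0 ? quorumHost : client.substring(0, colon);
            String port = colon < 0 ? client : client.substring(colon + 1);
            if (host.isEmpty() || host.equals("0.0.0.0")) host = quorumHost;   // wildcard bind: reuse quorum host
            hostPorts.add(host + ":" + port);
        }
        return String.join(",", hostPorts);
    }

    // Constructed sample config (not from a real cluster) to show what the parser produces.
    public static void main(String[] args) {
        String sample = "server.1=10.0.0.1:2888:3888:participant;0.0.0.0:2181\n"
                      + "server.2=10.0.0.2:2888:3888:participant;2181\n"
                      + "server.3=10.0.0.3:2888:3888:observer;10.0.0.3:2181\n"
                      + "version=100000000\n";
        System.out.println(connectStringFromConfig(sample.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The session used here never authenticates, which is the point of the comment: a client only needs read access to the config znode to follow a reconfiguration, and nothing here requires, or should have, write access to it.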