[ https://issues.apache.org/jira/browse/ZOOKEEPER-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15565419#comment-15565419 ]
Flavio Junqueira commented on ZOOKEEPER-2014: --------------------------------------------- I checked that it works for me when reconfig is enabled. I have a couple of other things I wanted to raise: # When I tried with reconfig disabled, I got this message: {noformat} reconfig -add server.5=127.0.0.1:1234:1235;1236 KeeperErrorCode = Reconfig is disabled for {noformat} And it should be only {{Reconfig disabled}}, unless we want to convey some other information. # I have also verified that to get the reconfig command to go through we only need the leader to have {{reconfigEnabled = true}}. There is no way around it unless the replicas coordinate to use the same value. We need it well documented, though. > Only admin should be allowed to reconfig a cluster > -------------------------------------------------- > > Key: ZOOKEEPER-2014 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2014 > Project: ZooKeeper > Issue Type: Bug > Components: server > Affects Versions: 3.5.0 > Reporter: Raul Gutierrez Segales > Assignee: Michael Han > Priority: Blocker > Fix For: 3.5.3 > > Attachments: ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, > ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, > ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, ZOOKEEPER-2014.patch, > ZOOKEEPER-2014.patch > > > ZOOKEEPER-107 introduces reconfiguration support via the reconfig() call. We > should, at the very least, ensure that only the Admin can reconfigure a > cluster. Perhaps restricting access to /zookeeper/config as well, though this > is debatable. Surely one could ensure Admin only access via an ACL, but that > would leave everyone who doesn't use ACLs unprotected. We could also force a > default ACL to make it a bit more consistent (maybe). > Finally, making reconfig() only available to Admins means they have to run > with zookeeper.DigestAuthenticationProvider.superDigest (which I am not sure > if everyone does, or how would it work with other authentication providers). > Review board https://reviews.apache.org/r/51546/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)