[
https://issues.apache.org/jira/browse/ZOOKEEPER-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029871#comment-16029871
]
ASF GitHub Bot commented on ZOOKEEPER-2779:
-------------------------------------------
Github user afine commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/248#discussion_r119176943
--- Diff: src/java/main/org/apache/zookeeper/server/DataTree.java ---
@@ -254,12 +262,14 @@ public void addConfigNode() {
}
nodes.put(configZookeeper, configDataNode);
- try {
- // Reconfig node is access controlled by default
(ZOOKEEPER-2014).
- setACL(configZookeeper, ZooDefs.Ids.READ_ACL_UNSAFE, -1);
- } catch (KeeperException.NoNodeException e) {
- assert false : "There's no " + configZookeeper +
- " znode - this should never happen.";
+ if ( !skipDefaultACLForReconfig ) {
--- End diff --
nit: no spaces around the condition
> Add option to not set ACL for reconfig node
> -------------------------------------------
>
> Key: ZOOKEEPER-2779
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2779
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.5.3
> Reporter: Jordan Zimmerman
> Assignee: Jordan Zimmerman
> Fix For: 3.5.4, 3.6.0
>
>
> ZOOKEEPER-2014 changed the behavior of the /zookeeper/config node by setting
> the ACL to {{ZooDefs.Ids.READ_ACL_UNSAFE}}. This change makes it very
> cumbersome to use the reconfig APIs. It also, perversely, makes security
> worse as the entire ZooKeeper instance must be opened to "super" user while
> enabled reconfig (per {{ReconfigExceptionTest.java}}). Provide a mechanism
> for savvy users to disable this ACL so that an application-specific custom
> ACL can be set.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
