[ https://issues.apache.org/jira/browse/ZOOKEEPER-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057980#comment-16057980 ]

ASF GitHub Bot commented on ZOOKEEPER-1782:
-------------------------------------------

Github user arshadmohammad commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/282#discussion_r123329247
  
    --- Diff: 
src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java 
---
    @@ -38,11 +38,6 @@ public String getScheme() {
         }
     
         public boolean matches(String id,String aclExpr) {
    -        if (System.getProperty("zookeeper.superUser") != null) {
    -            if (id.equals(System.getProperty("zookeeper.superUser")) || 
id.equals(aclExpr)) {
    -              return true;
    -            }
    -        }
             if ((id.equals("super") || id.equals(aclExpr))) {
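
Review bot: with the zookeeper.superUser branch removed from matches(), nothing in this hunk honours that property any more, so a deployment that sets it stops matching sasl ACLs through this method. Please confirm the super identity is granted elsewhere in the patch and covered by a test, or keep the branch for backward compatibility. The retained line still accepts the literal id "super" for any aclExpr, which deserves a short comment saying why; the id.equals(aclExpr) arm of the removed condition was already duplicated by that retained check.
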
    --- End diff --
    
    Thanks @revans2 for the details.
    On second thought, it would not be appropriate to break the backward compatibility. So can you please revert the changes done for this comment? The rest all looks good to me.


> zookeeper.superUser is not as super as superDigest
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1782
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1782
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.4.5
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>         Attachments: zk-1782.patch, zk-1782.patch
>
>
> The zookeeper.superUser system property does not fully grant super user 
> privileges, like zookeeper.DigestAuthenticationProvider.superDigest does.
> zookeeper.superUser only has as many privileges as the sasl ACLs on the znode 
> being accessed.  This means that if a znode only has digest ACLs 
> zookeeper.superUser is ignored.  Or if a znode has a single sasl ACL that 
> only has read privileges zookeeper.superUser only has read privileges.
> The reason for this is that SASLAuthenticationProvider implements the 
> superUser check in the matches method, instead of having the super user 
> include a new Id("super","") as Digest does.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
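
The behaviour in the issue description, as an added example that is not part of the original message and is not ZooKeeper source. It is a simplified model: the class SuperUserModel, the methods saslMatches() and allowed(), the check loop itself, and the principals zkadmin and bob are assumptions made for illustration.

```java
import java.util.List;

// Simplified model of the check described in ZOOKEEPER-1782; not ZooKeeper source.
public class SuperUserModel {
    static final int READ = 1, WRITE = 2;

    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // Stand-in for SASLAuthenticationProvider.matches() with the superUser branch
    // from the removed lines of the diff still in place.
    static boolean saslMatches(String id, String aclExpr, String superUser) {
        if (superUser != null && (id.equals(superUser) || id.equals(aclExpr))) {
            return true;
        }
        return id.equals("super") || id.equals(aclExpr);
    }

    // Assumed check loop: an auth id with scheme "super" bypasses the ACL list.
    // Otherwise an ACL entry grants access only if it carries the requested
    // permission, shares the auth id's scheme, and matches() accepts the pair.
    static boolean allowed(List<Acl> acls, int perm, List<Id> authIds, String superUser) {
        for (Id a : authIds) {
            if (a.scheme().equals("super")) return true;
        }
        for (Acl acl : acls) {
            if ((acl.perms() & perm) == 0) continue;
            for (Id a : authIds) {
                if (a.scheme().equals("sasl") && acl.id().scheme().equals("sasl")
                        && saslMatches(a.id(), acl.id().id(), superUser)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String su = "zkadmin"; // constructed value standing in for zookeeper.superUser
        List<Id> viaMatches = List.of(new Id("sasl", su));                       // current behaviour
        List<Id> viaSuperId = List.of(new Id("sasl", su), new Id("super", ""));  // as Digest does
        List<Acl> digestOnly = List.of(new Acl(READ | WRITE, new Id("digest", "constructed")));
        List<Acl> saslReadOnly = List.of(new Acl(READ, new Id("sasl", "bob")));

        System.out.println("digest-only, WRITE, via matches(): " + allowed(digestOnly, WRITE, viaMatches, su));
        System.out.println("sasl read-only, WRITE, via matches(): " + allowed(saslReadOnly, WRITE, viaMatches, su));
        System.out.println("digest-only, WRITE, via super Id: " + allowed(digestOnly, WRITE, viaSuperId, su));
        System.out.println("sasl read-only, WRITE, via super Id: " + allowed(saslReadOnly, WRITE, viaSuperId, su));
    }
}
```

Records require Java 16 or later.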