[
https://issues.apache.org/jira/browse/ZOOKEEPER-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059832#comment-16059832
]
ASF GitHub Bot commented on ZOOKEEPER-1782:
-------------------------------------------
Github user revans2 commented on the issue:
https://github.com/apache/zookeeper/pull/282
@hanm I didn't add in `zookeeper.superUser`. I am happy to document it if
you tell me where to make that change. I don't know where the documentation
source is stored. I am happy to add in an additional
`zookeeper.SASLAuthenticationProvider.superUser` config and document it
instead, but removing `zookeeper.superUser` will technically break backwards
compatibility. If that is what you want I can do it, I just want to be sure
like on the other breaking change that was suggested.
> zookeeper.superUser is not as super as superDigest
> --------------------------------------------------
>
> Key: ZOOKEEPER-1782
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1782
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.4.5
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Attachments: zk-1782.patch, zk-1782.patch
>
>
> The zookeeper.superUser system property does not fully grant super user
> privileges, like zookeeper.DigestAuthenticationProvider.superDigest does.
> zookeeper.superUser only has as many privileges as the sasl ACLs on the znode
> being accessed. This means that if a znode only has digest ACLs
> zookeeper.superUser is ignored. Or if a znode has a single sasl ACL that
> only has read privileges zookeeper.superUser only has read privileges.
> The reason for this is that SASLAuthenticationProvider implements the
> superUser check in the matches method, instead of having the super user
> include a new Id("super","") as Digest does.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
