[ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16071397#comment-16071397 ]
Jordan Zimmerman commented on ZOOKEEPER-2591: --------------------------------------------- That's an extreme edge case but it is possible. We can prevent that by enforcing the container check of "node.stat.getCversion() > 0" - that would be a lot easier than adding an ACL check in PrepRequestProcessor's handling of OpCode.deleteContainer > The deletion of Container znode doesn't check ACL delete permission > ------------------------------------------------------------------- > > Key: ZOOKEEPER-2591 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591 > Project: ZooKeeper > Issue Type: Bug > Components: security, server > Reporter: Edward Ribeiro > Assignee: Edward Ribeiro > > Container nodes check the ACL before creation, but the deletion doesn't check > the ACL rights. The code below succeeds even tough we removed ACL access > permissions for "/a". > {code} > zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER); > ArrayList<ACL> list = new ArrayList<>(); > list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE)); > zk.setACL("/", list, -1); > zk.delete("/a", -1); > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029)