[
https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16078251#comment-16078251
]
Jordan Zimmerman edited comment on ZOOKEEPER-2591 at 7/7/17 3:40 PM:
---------------------------------------------------------------------
[~Bhupendra] - I don't understand how that would work. Any field that
ContainerManager adds to the Request object could also be added by a rogue
client. Can you give an example of how this would work?
Another possibility is to somehow disallow OpCode.deleteContainer coming from a
connected client.
was (Author: randgalt):
[~Bhupendra] - I don't understand how that would work. Any field that
ContainerManager adds to the Request object could also be added by a rogue
client. Can you give an example of how this would work?
Another possibility is to someone disallow OpCode.deleteContainer coming from a
connected client.
> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>
> Key: ZOOKEEPER-2591
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Reporter: Edward Ribeiro
> Assignee: Edward Ribeiro
>
> Container nodes check the ACL before creation, but the deletion doesn't check
> the ACL rights. The code below succeeds even tough we removed ACL access
> permissions for "/a".
> {code}
> zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
> ArrayList<ACL> list = new ArrayList<>();
> list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
> zk.setACL("/", list, -1);
> zk.delete("/a", -1);
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
