[ https://issues.apache.org/jira/browse/ZOOKEEPER-2590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17069410#comment-17069410 ]
maoling commented on ZOOKEEPER-2590:
------------------------------------

the original title is: setACL doesn't affect exists() operation

> setACL doesn't affect exists() operation
> ----------------------------------------
>
>                 Key: ZOOKEEPER-2590
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2590
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Edward Ribeiro
>            Assignee: maoling
>            Priority: Major
>              Labels: acl, security
>
> As hinted
> [here|https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java#L298],
> even if a parent znode path has restricted READ access it's possible to
> issue an exists() operation on any child znode of that given path.
> For example, the snippet below doesn't throw {{NoAuthException}}, even though
> it removes ACL rights to "/":
> {code}
> zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
> ArrayList<ACL> acls = new ArrayList<>();
> acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
> zk.setACL("/", acls, -1);
> Stat r = zk.exists("/a", false);
> {code}
> Also, in the above example, what if the removed READ access for "/a"? Should
> we allow a call to exists("/a") to succeed even if it returns the znode
> metadata info?
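A check for the behaviour reported above, as an added example that is not part of the original issue or of the ZooKeeper code base: it removes READ from both a parent and a child znode, then compares how `getChildren()`, `getData()` and `exists()` respond, so an operator can see whether their server version still returns znode metadata through `exists()`. The connect string `localhost:2181`, the scratch paths under `/acl-probe` and the class name are assumptions; run it only against a disposable test server.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import org.apache.zookeeper.*;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;

public class ExistsAclProbe {
    interface Op { Object run() throws Exception; }

    // Runs one read-style call and reports whether the server enforced the ACL.
    static String probe(String name, Op op) throws Exception {
        try {
            return name + " -> allowed: " + op.run();
        } catch (KeeperException.NoAuthException e) {
            return name + " -> NoAuth";
        }
    }

    public static void main(String[] args) throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        // Assumption: a disposable test server listening on localhost:2181.
        ZooKeeper zk = new ZooKeeper("localhost:2181", 10000, e -> {
            if (e.getState() == KeeperState.SyncConnected) connected.countDown();
        });
        connected.await();
        String parent = "/acl-probe", child = parent + "/a"; // hypothetical scratch paths
        zk.create(parent, null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        zk.create(child, null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        // Keep only ADMIN (no READ) for world:anyone so the ACLs can be restored afterwards.
        List<ACL> adminOnly = Collections.singletonList(new ACL(Perms.ADMIN, Ids.ANYONE_ID_UNSAFE));
        zk.setACL(parent, adminOnly, -1);
        zk.setACL(child, adminOnly, -1);
        try {
            System.out.println(probe("getChildren(parent)", () -> zk.getChildren(parent, false)));
            System.out.println(probe("getData(child)", () -> zk.getData(child, false, null)));
            System.out.println(probe("exists(child)", () -> zk.exists(child, false)));
        } finally {
            // Restore open ACLs (needs ADMIN), then remove the scratch znodes.
            zk.setACL(child, Ids.OPEN_ACL_UNSAFE, -1);
            zk.setACL(parent, Ids.OPEN_ACL_UNSAFE, -1);
            zk.delete(child, -1);
            zk.delete(parent, -1);
            zk.close();
        }
    }
}
```

If `exists(child)` prints a `Stat` while the other two calls report `NoAuth`, the server behaves as the issue describes, and znode names and metadata under a READ-restricted path should be treated as visible to any connected client.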