joe smith created ZOOKEEPER-2772: ------------------------------------ Summary: Delete node command does not honor Acl policy Key: ZOOKEEPER-2772 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2772 Project: ZooKeeper Issue Type: Bug Components: security Affects Versions: 3.4.10, 3.4.8 Reporter: joe smith
I set the acl to not be able to delete a node - but was able to delete regardless. I am not familiar with the code, but a reply from Martin in the user@ mailing list seems to confirm the issue. I will paste his response below - sorry for the long listing. Martin's reply are inline prefixed with: MG> ---------- From: joe smith <water4...@yahoo.com.INVALID> Sent: Tuesday, May 2, 2017 8:40 AM To: u...@zookeeper.apache.org Subject: Acl block detete not working Hi, I'm using 3.4.10 and setting custom aol to block deletion of a znode. However, I'm able to delete the node even after I've set acl from cdrwa to cra. Can anyone point out if I missed some step. Thanks for the help Here is the trace: [zk: localhost:2181(CONNECTED) 0] ls / [zookeeper] [zk: localhost:2181(CONNECTED) 1] create /test "data" Created /test [zk: localhost:2181(CONNECTED) 2] ls / [zookeeper, test] [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra cZxid = 0x2 ctime = Tue May 02 08:28:42 EDT 2017 mZxid = 0x2 mtime = Tue May 02 08:28:42 EDT 2017 pZxid = 0x2 cversion = 0 dataVersion = 0 aclVersion = 1 ephemeralOwner = 0x0 dataLength = 4 numChildren = 0 MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object List<ACL> acl = AclParser.parse(aclStr); int version; if (cl.hasOption("v")) { version = Integer.parseInt(cl.getOptionValue("v")); } else { version = -1; } try { Stat stat = zk.setACL(path, acl, version); MG>later on in DeleteCommand there is no check for aforementioned acl parameter public boolean exec() throws KeeperException, InterruptedException { String path = args[1]; int version; if (cl.hasOption("v")) { version = Integer.parseInt(cl.getOptionValue("v")); } else { version = -1; } try { zk.delete(path, version); } catch(KeeperException.BadVersionException ex) { err.println(ex.getMessage()); } return false; MG>as seen here the testCase works properly saving the Zookeeper object LsCommand entity = new LsCommand(); entity.setZk(zk); MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs MG>can you report this bug to Zookeeper? https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel ZooKeeper - ASF JIRA - issues.apache.org<https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel> issues.apache.org Apache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7 MG>Thanks Joe! [zk: localhost:2181(CONNECTED) 5] getAcl /test 'myfqdn,'localhost : cra [zk: localhost:2181(CONNECTED) 6] get /testdata cZxid = 0x2 ctime = Tue May 02 08:28:42 EDT 2017 mZxid = 0x2 mtime = Tue May 02 08:28:42 EDT 2017 pZxid = 0x2 cversion = 0 dataVersion = 0 aclVersion = 1 ephemeralOwner = 0x0 dataLength = 4 numChildren = 0 [zk: localhost:2181(CONNECTED) 7] set /test "testwrite" Authentication is not valid : /test [zk: localhost:2181(CONNECTED) 8] delete /test [zk: localhost:2181(CONNECTED) 9] ls / [zookeeper] [zk: localhost:2181(CONNECTED) 10] The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157 -- This message was sent by Atlassian JIRA (v6.3.15#6346)