Hey, Joe and Martin,

A quick explanation: the code Martin posted on the mailing list is the client side one. In those snippets the setACL is setting/changing the ACL so it needs to pass this in the call to the server: zk.setACL(path, acl, version). OTOH, the delete command doesn't need to pass the ACL credentials because those are already stored in the corresponding znode (or its parent) so it only needs to pass the path and version: zk.delete(path, version).

What you really want to look at is here:
https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392

See? The delete is checking the ACL of the parent znode, but not the znode that we are trying to delete. Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if we can fix this.

Best regards,
Edward

On Tue, May 2, 2017 at 6:24 PM, joe smith <[email protected]> wrote:

> Hi Martin,
> Thanks for the reply. I've created a bug report:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
> Regards,
> -j
>
> On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[email protected]> wrote:
>
> From: joe smith <[email protected]>
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: [email protected]
> Subject: Acl block delete not working
>
> Hi,
> I'm using 3.4.10 and setting custom acl to block deletion of a znode.
> However, I'm able to delete the node even after I've set acl from cdrwa to crwa.
> Can anyone point out if I missed some step.
> Thanks for the help
>
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
>
> [zk: localhost:2181(CONNECTED) 1] create /test "data"
> Created /test
>
> [zk: localhost:2181(CONNECTED) 2] ls /
> [zookeeper, test]
>
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cra
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
>
> MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
>     List<ACL> acl = AclParser.parse(aclStr);
>     int version;
>     if (cl.hasOption("v")) {
>         version = Integer.parseInt(cl.getOptionValue("v"));
>     } else {
>         version = -1;
>     }
>     try {
>         Stat stat = zk.setACL(path, acl, version);
> MG>later on in DeleteCommand there is no check for aforementioned acl parameter
>     public boolean exec() throws KeeperException, InterruptedException {
>         String path = args[1];
>         int version;
>         if (cl.hasOption("v")) {
>             version = Integer.parseInt(cl.getOptionValue("v"));
>         } else {
>             version = -1;
>         }
>         try {
>             zk.delete(path, version);
>         } catch(KeeperException.BadVersionException ex) {
>             err.println(ex.getMessage());
>         }
>         return false;
> MG>as seen here the testCase works properly saving the Zookeeper object
>     LsCommand entity = new LsCommand();
>     entity.setZk(zk);
>
> MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
> MG>can you report this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>
> MG>Thanks Joe!
>
> [zk: localhost:2181(CONNECTED) 5] getAcl /test
> 'myfqdn,'localhost
> : cra
>
> [zk: localhost:2181(CONNECTED) 6] get /test
> data
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
>
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"
> Authentication is not valid : /test
>
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /
> [zookeeper]
>
> [zk: localhost:2181(CONNECTED) 10]
>
> The auth provider imple is here:
> http://s000.tinyupload.com/?file_id=42827186839577179157
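
The check described in Edward's reply, as an added example that is not part of the original thread and is not ZooKeeper's code: a simplified Python model in which delete consults the parent znode's ACL while a data write consults the znode's own ACL. The `Tree` class, `replay_trace` and the exact-match rule for the custom `myfqdn` scheme are assumptions made for the illustration; the permission bit values are those of `ZooDefs.Perms`.

```python
# Simplified model of ZooKeeper ACL checks (added example, not ZooKeeper code).
# Permission bits match org.apache.zookeeper.ZooDefs.Perms.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}


def perms(spec):
    """Turn a CLI-style permission string such as 'cra' into a bit mask."""
    mask = 0
    for ch in spec:
        mask |= LETTERS[ch]
    return mask


class Tree:
    """Hypothetical in-memory znode tree: path -> list of (scheme, id, mask)."""

    def __init__(self, root_perms):
        self.acls = {"/": [("world", "anyone", perms(root_perms))]}

    def create(self, path, acl):
        self.acls[path] = acl

    def allowed(self, path, need, auth):
        # Assumption: a non-world entry matches only an identical (scheme, id)
        # pair that the session added with addauth.
        return any(mask & need and (scheme == "world" or (scheme, ident) in auth)
                   for scheme, ident, mask in self.acls[path])

    def set_data(self, path, auth):
        # A data write is checked against the znode's own ACL.
        return self.allowed(path, WRITE, auth)

    def delete(self, path, auth):
        # As described in the reply: DELETE is looked up on the parent znode,
        # not on the znode being removed.
        parent = path.rsplit("/", 1)[0] or "/"
        if not self.allowed(parent, DELETE, auth):
            return False
        del self.acls[path]
        return True


def replay_trace(root_perms):
    """Replay the CLI session from the thread with a given ACL on '/'."""
    auth = {("myfqdn", "localhost")}          # addauth myfqdn localhost
    tree = Tree(root_perms)
    tree.create("/test", [("myfqdn", "localhost", perms("cra"))])
    return tree.set_data("/test", auth), tree.delete("/test", auth)
```

With the root left at `cdrwa`, `replay_trace("cdrwa")` returns `(False, True)`, matching the trace: the write is refused and the delete goes through. With DELETE removed from the root's ACL, `replay_trace("crwa")` returns `(False, False)`.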
