Quantcast

Acl block detete not working

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Acl block detete not working

joe smith
Hi,
I'm using 3.4.10 and setting custom aol to block deletion of a znode.  However, I'm able to delete the node even after I've set acl from cdrwa to crwa.
Can anyone point out if I missed some step.
Thanks for the help

Here is the trace:
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]

[zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test

[zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]

[zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
[zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

[zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
: cra

[zk: localhost:2181(CONNECTED) 6] get /testdata
cZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

[zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is not valid : /test

[zk: localhost:2181(CONNECTED) 8] delete /test
[zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]

[zk: localhost:2181(CONNECTED) 10]
The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157



 
|   |

 
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

Martin Gainty

________________________________
From: joe smith <[hidden email]>
Sent: Tuesday, May 2, 2017 8:40 AM
To: [hidden email]
Subject: Acl block detete not working

Hi,
I'm using 3.4.10 and setting custom aol to block deletion of a znode.  However, I'm able to delete the node even after I've set acl from cdrwa to crwa.
Can anyone point out if I missed some step.
Thanks for the help

Here is the trace:
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]

[zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test

[zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]

[zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
[zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object

    List<ACL> acl = AclParser.parse(aclStr);
        int version;
        if (cl.hasOption("v")) {
            version = Integer.parseInt(cl.getOptionValue("v"));
        } else {
            version = -1;
        }
        try {
            Stat stat = zk.setACL(path, acl, version);

MG>later on in DeleteCommand there is no check for aforementioned acl parameter
   public boolean exec() throws KeeperException, InterruptedException {
        String path = args[1];
        int version;
        if (cl.hasOption("v")) {
            version = Integer.parseInt(cl.getOptionValue("v"));
        } else {
            version = -1;
        }

        try {
        zk.delete(path, version);
        } catch(KeeperException.BadVersionException ex) {
            err.println(ex.getMessage());
        }
        return false;

MG>as seen here the testCase works properly saving the Zookeeper object
     LsCommand entity = new LsCommand();
        entity.setZk(zk);


MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLs
MG>can you report this bug to Zookeeper?
https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel

ZooKeeper - ASF JIRA - issues.apache.org<https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel>
issues.apache.org
Apache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7

MG>Thanks Joe!

[zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
: cra

[zk: localhost:2181(CONNECTED) 6] get /testdata
cZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

[zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is not valid : /test

[zk: localhost:2181(CONNECTED) 8] delete /test
[zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]

[zk: localhost:2181(CONNECTED) 10]
The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157
TinyUpload.com - best file hosting solution, with no limits, totaly free<http://s000.tinyupload.com/?file_id=42827186839577179157>
s000.tinyupload.com
TinyUpload.com - solution for tiny file hosting. No download limits, no upload limit. Totaly free.







|   |


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

joe smith
Hi Martin,
Thanks for the reply.  I've create a bug report: https://issues.apache.org/jira/browse/ZOOKEEPER-2772
Regards,-j
 

    On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[hidden email]> wrote:
 

 #yiv6303704777 #yiv6303704777 -- P {margin-top:0;margin-bottom:0;}#yiv6303704777
From: joe smith <[hidden email]>
Sent: Tuesday, May 2, 2017 8:40 AM
To: [hidden email]
Subject: Acl block detete not working Hi,
I'm using 3.4.10 and setting custom aol to block deletion of a znode.  However, I'm able to delete the node even after I've set acl from cdrwa to crwa.
Can anyone point out if I missed some step.
Thanks for the help

Here is the trace:
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]

[zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test

[zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]

[zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
[zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

MG>in SetAclCommand you can see the acl being parsed and acl being set by setAcl into zk object
    List<ACL> acl = AclParser.parse(aclStr);        int version;        if (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));        } else {            version = -1;        }        try {            Stat stat = zk.setACL(path, acl, version);
MG>later on in DeleteCommand there is no check for aforementioned acl parameter   public boolean exec() throws KeeperException, InterruptedException {        String path = args[1];        int version;        if (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));        } else {            version = -1;        }                try {        zk.delete(path, version);        } catch(KeeperException.BadVersionException ex) {            err.println(ex.getMessage());        }        return false;
MG>as seen here the testCase works properly saving the Zookeeper object     LsCommand entity = new LsCommand();        entity.setZk(zk);

MG>but setACL does not save the zookeeper object anywhere but instead seems to discard zookeeper object with accompanying ACLsMG>can you report this bug to Zookeeper?
https://issues.apache.org/jira/browse/ZOOKEEPER/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel

| ZooKeeper - ASF JIRA - issues.apache.orgissues.apache.orgApache ZooKeeper is a service for coordinating processes of distributed applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 : Unreleased 3.3.7 |

MG>Thanks Joe!

[zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
: cra

[zk: localhost:2181(CONNECTED) 6] get /testdata
cZxid = 0x2
ctime = Tue May 02 08:28:42 EDT 2017
mZxid = 0x2
mtime = Tue May 02 08:28:42 EDT 2017
pZxid = 0x2
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0

[zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is not valid : /test

[zk: localhost:2181(CONNECTED) 8] delete /test
[zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]

[zk: localhost:2181(CONNECTED) 10]
The auth provider imple is here: http://s000.tinyupload.com/?file_id=42827186839577179157
| TinyUpload.com - best file hosting solution, with no limits, totaly frees000.tinyupload.comTinyUpload.com - solution for tiny file hosting. No download limits, no upload limit. Totaly free. |






 
|   |

 


   
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

Edward Ribeiro
Hey, Joe and Martin,

A quick explanation: the code Martin posted on the mailing list is the
client side one. In those snippets the setACL is setting/changing the ACL
so it needs to pass this in the call to the server: zk.setACL(path, acl,
version). OTOH, the delete command doesn't need to pass the ACL credentials
because those are already stored in the corresponding znode (or its parent)
so it only needs to pass the path and version: zk.delete(path, version).

What you really want to look at is here:
https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392

See? The delete is checking the ACL of the parent znode, but not the znode
that we are trying to delete.

Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if
we can fix this.

Best regards,
Edward






On Tue, May 2, 2017 at 6:24 PM, joe smith <[hidden email]>
wrote:

> Hi Martin,
> Thanks for the reply.  I've create a bug report:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
> Regards,-j
>
>
>     On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[hidden email]>
> wrote:
>
>
>  #yiv6303704777 #yiv6303704777 -- P {margin-top:0;margin-bottom:0;
> }#yiv6303704777
> From: joe smith <[hidden email]>
> Sent: Tuesday, May 2, 2017 8:40 AM
> To: [hidden email]
> Subject: Acl block detete not working Hi,
> I'm using 3.4.10 and setting custom aol to block deletion of a znode.
> However, I'm able to delete the node even after I've set acl from cdrwa to
> crwa.
> Can anyone point out if I missed some step.
> Thanks for the help
>
> Here is the trace:
> [zk: localhost:2181(CONNECTED) 0] ls /
> [zookeeper]
>
> [zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test
>
> [zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]
>
> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid =
> 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
>
> MG>in SetAclCommand you can see the acl being parsed and acl being set by
> setAcl into zk object
>     List<ACL> acl = AclParser.parse(aclStr);        int version;        if
> (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));
>       } else {            version = -1;        }        try {
> Stat stat = zk.setACL(path, acl, version);
> MG>later on in DeleteCommand there is no check for aforementioned acl
> parameter   public boolean exec() throws KeeperException,
> InterruptedException {        String path = args[1];        int version;
>     if (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));
>       } else {            version = -1;        }                try {
>   zk.delete(path, version);        } catch(KeeperException.BadVersionException
> ex) {            err.println(ex.getMessage());        }        return false;
> MG>as seen here the testCase works properly saving the Zookeeper object
>  LsCommand entity = new LsCommand();        entity.setZk(zk);
>
> MG>but setACL does not save the zookeeper object anywhere but instead
> seems to discard zookeeper object with accompanying ACLsMG>can you report
> this bug to Zookeeper?
> https://issues.apache.org/jira/browse/ZOOKEEPER/?
> selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>
> | ZooKeeper - ASF JIRA - issues.apache.orgissues.apache.orgApache
> ZooKeeper is a service for coordinating processes of distributed
> applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 :
> Unreleased 3.3.7 |
>
> MG>Thanks Joe!
>
> [zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
> : cra
>
> [zk: localhost:2181(CONNECTED) 6] get /testdata
> cZxid = 0x2
> ctime = Tue May 02 08:28:42 EDT 2017
> mZxid = 0x2
> mtime = Tue May 02 08:28:42 EDT 2017
> pZxid = 0x2
> cversion = 0
> dataVersion = 0
> aclVersion = 1
> ephemeralOwner = 0x0
> dataLength = 4
> numChildren = 0
>
> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is
> not valid : /test
>
> [zk: localhost:2181(CONNECTED) 8] delete /test
> [zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]
>
> [zk: localhost:2181(CONNECTED) 10]
> The auth provider imple is here: http://s000.tinyupload.com/?
> file_id=42827186839577179157
> | TinyUpload.com - best file hosting solution, with no limits, totaly
> frees000.tinyupload.comTinyUpload.com - solution for tiny file hosting.
> No download limits, no upload limit. Totaly free. |
>
>
>
>
>
>
>
> |   |
>
>
>
>
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

Benjamin Reed-3
please check out
http://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperProgrammers.html#sc_ACLPermissions.
DELETE prevents deletion of children (like CREATE prevents the
creation of children). it does not prevent the deletion of the znode
itself.

ben

On Fri, May 12, 2017 at 10:53 PM, Edward Ribeiro
<[hidden email]> wrote:

> Hey, Joe and Martin,
>
> A quick explanation: the code Martin posted on the mailing list is the
> client side one. In those snippets the setACL is setting/changing the ACL
> so it needs to pass this in the call to the server: zk.setACL(path, acl,
> version). OTOH, the delete command doesn't need to pass the ACL credentials
> because those are already stored in the corresponding znode (or its parent)
> so it only needs to pass the path and version: zk.delete(path, version).
>
> What you really want to look at is here:
> https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392
>
> See? The delete is checking the ACL of the parent znode, but not the znode
> that we are trying to delete.
>
> Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if
> we can fix this.
>
> Best regards,
> Edward
>
>
>
>
>
>
> On Tue, May 2, 2017 at 6:24 PM, joe smith <[hidden email]>
> wrote:
>
>> Hi Martin,
>> Thanks for the reply.  I've create a bug report:
>> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>> Regards,-j
>>
>>
>>     On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[hidden email]>
>> wrote:
>>
>>
>>  #yiv6303704777 #yiv6303704777 -- P {margin-top:0;margin-bottom:0;
>> }#yiv6303704777
>> From: joe smith <[hidden email]>
>> Sent: Tuesday, May 2, 2017 8:40 AM
>> To: [hidden email]
>> Subject: Acl block detete not working Hi,
>> I'm using 3.4.10 and setting custom aol to block deletion of a znode.
>> However, I'm able to delete the node even after I've set acl from cdrwa to
>> crwa.
>> Can anyone point out if I missed some step.
>> Thanks for the help
>>
>> Here is the trace:
>> [zk: localhost:2181(CONNECTED) 0] ls /
>> [zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test
>>
>> [zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]
>>
>> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
>> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid =
>> 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> MG>in SetAclCommand you can see the acl being parsed and acl being set by
>> setAcl into zk object
>>     List<ACL> acl = AclParser.parse(aclStr);        int version;        if
>> (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));
>>       } else {            version = -1;        }        try {
>> Stat stat = zk.setACL(path, acl, version);
>> MG>later on in DeleteCommand there is no check for aforementioned acl
>> parameter   public boolean exec() throws KeeperException,
>> InterruptedException {        String path = args[1];        int version;
>>     if (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionValue("v"));
>>       } else {            version = -1;        }                try {
>>   zk.delete(path, version);        } catch(KeeperException.BadVersionException
>> ex) {            err.println(ex.getMessage());        }        return false;
>> MG>as seen here the testCase works properly saving the Zookeeper object
>>  LsCommand entity = new LsCommand();        entity.setZk(zk);
>>
>> MG>but setACL does not save the zookeeper object anywhere but instead
>> seems to discard zookeeper object with accompanying ACLsMG>can you report
>> this bug to Zookeeper?
>> https://issues.apache.org/jira/browse/ZOOKEEPER/?
>> selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>>
>> | ZooKeeper - ASF JIRA - issues.apache.orgissues.apache.orgApache
>> ZooKeeper is a service for coordinating processes of distributed
>> applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 :
>> Unreleased 3.3.7 |
>>
>> MG>Thanks Joe!
>>
>> [zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
>> : cra
>>
>> [zk: localhost:2181(CONNECTED) 6] get /testdata
>> cZxid = 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is
>> not valid : /test
>>
>> [zk: localhost:2181(CONNECTED) 8] delete /test
>> [zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 10]
>> The auth provider imple is here: http://s000.tinyupload.com/?
>> file_id=42827186839577179157
>> | TinyUpload.com - best file hosting solution, with no limits, totaly
>> frees000.tinyupload.comTinyUpload.com - solution for tiny file hosting.
>> No download limits, no upload limit. Totaly free. |
>>
>>
>>
>>
>>
>>
>>
>> |   |
>>
>>
>>
>>
>>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

Edward Ribeiro
Excuse me, should have looked first on docs. Interesting behaviour...


Thanks Ben!

Em 13 de mai de 2017 5:30 AM, "Benjamin Reed" <[hidden email]> escreveu:

please check out
http://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperProgram
mers.html#sc_ACLPermissions.
DELETE prevents deletion of children (like CREATE prevents the
creation of children). it does not prevent the deletion of the znode
itself.

ben

On Fri, May 12, 2017 at 10:53 PM, Edward Ribeiro
<[hidden email]> wrote:
> Hey, Joe and Martin,
>
> A quick explanation: the code Martin posted on the mailing list is the
> client side one. In those snippets the setACL is setting/changing the ACL
> so it needs to pass this in the call to the server: zk.setACL(path, acl,
> version). OTOH, the delete command doesn't need to pass the ACL
credentials
> because those are already stored in the corresponding znode (or its
parent)
> so it only needs to pass the path and version: zk.delete(path, version).
>
> What you really want to look at is here:
> https://github.com/apache/zookeeper/blob/branch-3.4/src/java
/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392

>
> See? The delete is checking the ACL of the parent znode, but not the znode
> that we are trying to delete.
>
> Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if
> we can fix this.
>
> Best regards,
> Edward
>
>
>
>
>
>
> On Tue, May 2, 2017 at 6:24 PM, joe smith <[hidden email]>
> wrote:
>
>> Hi Martin,
>> Thanks for the reply.  I've create a bug report:
>> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>> Regards,-j
>>
>>
>>     On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[hidden email]>
>> wrote:
>>
>>
>>  #yiv6303704777 #yiv6303704777 -- P {margin-top:0;margin-bottom:0;
>> }#yiv6303704777
>> From: joe smith <[hidden email]>
>> Sent: Tuesday, May 2, 2017 8:40 AM
>> To: [hidden email]
>> Subject: Acl block detete not working Hi,
>> I'm using 3.4.10 and setting custom aol to block deletion of a znode.
>> However, I'm able to delete the node even after I've set acl from cdrwa
to

>> crwa.
>> Can anyone point out if I missed some step.
>> Thanks for the help
>>
>> Here is the trace:
>> [zk: localhost:2181(CONNECTED) 0] ls /
>> [zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test
>>
>> [zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]
>>
>> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
>> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid
=

>> 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> MG>in SetAclCommand you can see the acl being parsed and acl being set by
>> setAcl into zk object
>>     List<ACL> acl = AclParser.parse(aclStr);        int version;
if
>> (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionV
alue("v"));
>>       } else {            version = -1;        }        try {
>> Stat stat = zk.setACL(path, acl, version);
>> MG>later on in DeleteCommand there is no check for aforementioned acl
>> parameter   public boolean exec() throws KeeperException,
>> InterruptedException {        String path = args[1];        int version;
>>     if (cl.hasOption("v")) {            version =
Integer.parseInt(cl.getOptionValue("v"));
>>       } else {            version = -1;        }                try {
>>   zk.delete(path, version);        } catch(KeeperException.BadVersi
onException
>> ex) {            err.println(ex.getMessage());        }        return
false;

>> MG>as seen here the testCase works properly saving the Zookeeper object
>>  LsCommand entity = new LsCommand();        entity.setZk(zk);
>>
>> MG>but setACL does not save the zookeeper object anywhere but instead
>> seems to discard zookeeper object with accompanying ACLsMG>can you report
>> this bug to Zookeeper?
>> https://issues.apache.org/jira/browse/ZOOKEEPER/?
>> selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>>
>> | ZooKeeper - ASF JIRA - issues.apache.orgissues.apache.orgApache
>> ZooKeeper is a service for coordinating processes of distributed
>> applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 :
>> Unreleased 3.3.7 |
>>
>> MG>Thanks Joe!
>>
>> [zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
>> : cra
>>
>> [zk: localhost:2181(CONNECTED) 6] get /testdata
>> cZxid = 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is
>> not valid : /test
>>
>> [zk: localhost:2181(CONNECTED) 8] delete /test
>> [zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 10]
>> The auth provider imple is here: http://s000.tinyupload.com/?
>> file_id=42827186839577179157
>> | TinyUpload.com - best file hosting solution, with no limits, totaly
>> frees000.tinyupload.comTinyUpload.com - solution for tiny file hosting.
>> No download limits, no upload limit. Totaly free. |
>>
>>
>>
>>
>>
>>
>>
>> |   |
>>
>>
>>
>>
>>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Acl block detete not working

joe smith
Edward, Benjamin,
Thank you both for the clarification.  I see where the confusion came from: READ/WRITE are on the node but CREATE/DELETE applies only to the node's children.
Thanks again for the help/input!
 

    On Saturday, May 13, 2017 8:05 AM, Edward Ribeiro <[hidden email]> wrote:
 

 Excuse me, should have looked first on docs. Interesting behaviour...


Thanks Ben!

Em 13 de mai de 2017 5:30 AM, "Benjamin Reed" <[hidden email]> escreveu:

please check out
http://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperProgram
mers.html#sc_ACLPermissions.
DELETE prevents deletion of children (like CREATE prevents the
creation of children). it does not prevent the deletion of the znode
itself.

ben

On Fri, May 12, 2017 at 10:53 PM, Edward Ribeiro
<[hidden email]> wrote:
> Hey, Joe and Martin,
>
> A quick explanation: the code Martin posted on the mailing list is the
> client side one. In those snippets the setACL is setting/changing the ACL
> so it needs to pass this in the call to the server: zk.setACL(path, acl,
> version). OTOH, the delete command doesn't need to pass the ACL
credentials
> because those are already stored in the corresponding znode (or its
parent)
> so it only needs to pass the path and version: zk.delete(path, version).
>
> What you really want to look at is here:
> https://github.com/apache/zookeeper/blob/branch-3.4/src/java
/main/org/apache/zookeeper/server/PrepRequestProcessor.java#L392

>
> See? The delete is checking the ACL of the parent znode, but not the znode
> that we are trying to delete.
>
> Well, I opened a PR https://github.com/apache/zookeeper/pull/252 to see if
> we can fix this.
>
> Best regards,
> Edward
>
>
>
>
>
>
> On Tue, May 2, 2017 at 6:24 PM, joe smith <[hidden email]>
> wrote:
>
>> Hi Martin,
>> Thanks for the reply.  I've create a bug report:
>> https://issues.apache.org/jira/browse/ZOOKEEPER-2772
>> Regards,-j
>>
>>
>>    On Tuesday, May 2, 2017 2:16 PM, Martin Gainty <[hidden email]>
>> wrote:
>>
>>
>>  #yiv6303704777 #yiv6303704777 -- P {margin-top:0;margin-bottom:0;
>> }#yiv6303704777
>> From: joe smith <[hidden email]>
>> Sent: Tuesday, May 2, 2017 8:40 AM
>> To: [hidden email]
>> Subject: Acl block detete not working Hi,
>> I'm using 3.4.10 and setting custom aol to block deletion of a znode.
>> However, I'm able to delete the node even after I've set acl from cdrwa
to

>> crwa.
>> Can anyone point out if I missed some step.
>> Thanks for the help
>>
>> Here is the trace:
>> [zk: localhost:2181(CONNECTED) 0] ls /
>> [zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 1] create /test "data"Created /test
>>
>> [zk: localhost:2181(CONNECTED) 2] ls /[zookeeper, test]
>>
>> [zk: localhost:2181(CONNECTED) 3] addauth myfqdn localhost
>> [zk: localhost:2181(CONNECTED) 4] setAcl /test myfqdn:localhost:cracZxid
=

>> 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> MG>in SetAclCommand you can see the acl being parsed and acl being set by
>> setAcl into zk object
>>    List<ACL> acl = AclParser.parse(aclStr);        int version;
if
>> (cl.hasOption("v")) {            version = Integer.parseInt(cl.getOptionV
alue("v"));
>>      } else {            version = -1;        }        try {
>> Stat stat = zk.setACL(path, acl, version);
>> MG>later on in DeleteCommand there is no check for aforementioned acl
>> parameter  public boolean exec() throws KeeperException,
>> InterruptedException {        String path = args[1];        int version;
>>    if (cl.hasOption("v")) {            version =
Integer.parseInt(cl.getOptionValue("v"));
>>      } else {            version = -1;        }                try {
>>  zk.delete(path, version);        } catch(KeeperException.BadVersi
onException
>> ex) {            err.println(ex.getMessage());        }        return
false;

>> MG>as seen here the testCase works properly saving the Zookeeper object
>>  LsCommand entity = new LsCommand();        entity.setZk(zk);
>>
>> MG>but setACL does not save the zookeeper object anywhere but instead
>> seems to discard zookeeper object with accompanying ACLsMG>can you report
>> this bug to Zookeeper?
>> https://issues.apache.org/jira/browse/ZOOKEEPER/?
>> selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel
>>
>> | ZooKeeper - ASF JIRA - issues.apache.orgissues.apache.orgApache
>> ZooKeeper is a service for coordinating processes of distributed
>> applications. Versions: Unreleased. Name Release date; Unreleased 3.2.3 :
>> Unreleased 3.3.7 |
>>
>> MG>Thanks Joe!
>>
>> [zk: localhost:2181(CONNECTED) 5] getAcl /test'myfqdn,'localhost
>> : cra
>>
>> [zk: localhost:2181(CONNECTED) 6] get /testdata
>> cZxid = 0x2
>> ctime = Tue May 02 08:28:42 EDT 2017
>> mZxid = 0x2
>> mtime = Tue May 02 08:28:42 EDT 2017
>> pZxid = 0x2
>> cversion = 0
>> dataVersion = 0
>> aclVersion = 1
>> ephemeralOwner = 0x0
>> dataLength = 4
>> numChildren = 0
>>
>> [zk: localhost:2181(CONNECTED) 7] set /test "testwrite"Authentication is
>> not valid : /test
>>
>> [zk: localhost:2181(CONNECTED) 8] delete /test
>> [zk: localhost:2181(CONNECTED) 9] ls /[zookeeper]
>>
>> [zk: localhost:2181(CONNECTED) 10]
>> The auth provider imple is here: http://s000.tinyupload.com/?
>> file_id=42827186839577179157
>> | TinyUpload.com - best file hosting solution, with no limits, totaly
>> frees000.tinyupload.comTinyUpload.com - solution for tiny file hosting.
>> No download limits, no upload limit. Totaly free. |
>>
>>
>>
>>
>>
>>
>>
>> |  |
>>
>>
>>
>>
>>


   
Loading...