Zookeeper >> mail # user >> sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd


Rakesh R 2012-05-22, 10:49
Patrick Hunt 2012-05-25, 00:18
Rakesh R 2012-05-25, 14:52
Patrick Hunt 2012-05-30, 16:31
RE: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd


Thank you Pat :)

________________________________________
From: Patrick Hunt [[EMAIL PROTECTED]]
Sent: Wednesday, May 30, 2012 10:01 PM
To: [EMAIL PROTECTED]
Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd

You can use setacl on root if you'd like to change permissions to be
more restrictive.

Patrick

On Fri, May 25, 2012 at 7:52 AM, Rakesh R <[EMAIL PROTECTED]> wrote:
> Hi Pat,
>
> Thanks for looking. Actually I'm using the 3.4.3 release, and I have seen similar checks for parsing the ACLs in this version also.
>
> I have created /app1 and /app2 using the following commands:
>
> create /app1 "" sasl:hbase/[EMAIL PROTECTED]:cdrwa
> create /app2 "" sasl:hbase/[EMAIL PROTECTED]:cdrwa
>
> I just saw the following acl checks in the PrepRequestProcessor.java for delete command:
>
>                checkACL(zks, parentRecord.acl, ZooDefs.Perms.DELETE, request.authInfo);
>
> Here the delete command is using 'parentRecord.acl' for ACL checks. In my case app1 and app2 are created directly under the '/'.
> If my understanding is correct, '/' has ZooDefs.Ids.ANYONE_ID_UNSAFE permission and when any user comes to delete the children of '/', it's just validating against 'world:anyone' of root and allowing the delete. I'm worried about the authentication of the znodes under the root node. I'd like to know your opinion on this.
>
> Thanks,
> Rakesh
> ________________________________________
> From: Patrick Hunt [[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2012 5:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: sasl authentication is given to the user during create nodes, node deletion is happening with 'delete' cmd
>
> When you created the znodes did you specify acls or just take the
> defaults? (zkcli defaults are permissive), here's the create znode
> code:
>
>        List<ACL> acl = ZooDefs.Ids.OPEN_ACL_UNSAFE;
>        if (args.length > 3) {
>            acl = AclParser.parse(args[3]);
>        }
>
> Patrick
>
> On Tue, May 22, 2012 at 3:49 AM, Rakesh R <[EMAIL PROTECTED]> wrote:
>> Hi All,
>>
>> I'm trying to use the ZooKeeper sasl. Actually I'm a bit confused when using the delete command.
>>
>> Say, I have created two znodes:
>>
>>  'app1' directly under '/' with hbase/[EMAIL PROTECTED]
>>  'app2' directly under '/' with hbase/[EMAIL PROTECTED]
>>
>> Now, I have logged in as zkcli/[EMAIL PROTECTED] and this is not given as super user. When I tried to delete the znodes '/app1' and '/app2', it is allowing and not authenticating.
>>
>> Here, I'm thinking that 'zkcli' will not have the access to delete these two nodes.
>>
>> Is this a problem or is there anything I'm missing? Can you please help me to resolve this and tell me how the security can be applied here?
>>
>>
>> Thanks,
>> Rakesh
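
The behaviour discussed in this thread, as a simplified model added here as an example (it is not ZooKeeper source and not code from either poster): delete is authorised against the parent's ACL, so a permissive root lets any client delete `/app1` until root's ACL is tightened. The principals are constructed sample values, the tightened root ACL is one assumed choice, and ids are compared by exact match rather than through ZooKeeper's authentication providers.

```python
# Simplified model of the delete-time ACL check discussed in the thread.
# Not ZooKeeper source; principals below are constructed sample values.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16  # ZooDefs.Perms bit values
LETTERS = {"r": READ, "w": WRITE, "c": CREATE, "d": DELETE, "a": ADMIN}

def parse_acl(spec):
    """Parse 'scheme:id:perms[,scheme:id:perms]' into (scheme, id, bits) tuples."""
    entries = []
    for item in spec.split(","):
        scheme, rest = item.split(":", 1)
        ident, perms = rest.rsplit(":", 1)  # the id itself may contain ':'
        bits = 0
        for ch in perms:
            bits |= LETTERS[ch]
        entries.append((scheme, ident, bits))
    return entries

def allowed(acl, perm, auth_ids):
    """True if an ACL entry grants perm to world:anyone or to one of auth_ids."""
    for scheme, ident, bits in acl:
        if bits & perm:
            if (scheme, ident) == ("world", "anyone") or (scheme, ident) in auth_ids:
                return True
    return False

class Tree:
    def __init__(self):
        self.acls = {"/": parse_acl("world:anyone:cdrwa")}  # permissive root

    def create(self, path, acl_spec):
        self.acls[path] = parse_acl(acl_spec)

    def set_acl(self, path, acl_spec):
        self.acls[path] = parse_acl(acl_spec)

    def can_delete(self, path, auth_ids):
        parent = path.rsplit("/", 1)[0] or "/"
        # As in the quoted checkACL call: the parent's ACL decides, not the node's.
        return allowed(self.acls[parent], DELETE, auth_ids)

HBASE = ("sasl", "hbase/host@EXAMPLE.COM")  # constructed principal
ZKCLI = ("sasl", "zkcli/host@EXAMPLE.COM")  # constructed principal

def demo():
    t = Tree()
    t.create("/app1", "sasl:hbase/host@EXAMPLE.COM:cdrwa")
    before = t.can_delete("/app1", {ZKCLI})  # root still world:anyone:cdrwa
    t.set_acl("/", "world:anyone:r,sasl:hbase/host@EXAMPLE.COM:cdrwa")  # assumed ACL
    after = t.can_delete("/app1", {ZKCLI})
    owner = t.can_delete("/app1", {HBASE})
    return before, after, owner
```

`demo()` returns the delete decision for the zkcli principal before and after root's ACL is tightened, followed by the decision for the hbase principal afterwards.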