Details
Description
As hinted here, even if a parent znode path has restricted READ access it's possible to issue an exists() operation on any child znode of that given path.
For example, the snippet below doesn't throw NoAuthExceptio, even tough it removes ACL rights to "/":
zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT); ArrayList<ACL> acls = new ArrayList<>(); acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE)); zk.setACL("/", acls, -1); Stat r = zk.exists("/a", false);
Also, in the above example, what if the removed READ access for "/a"? Should we allow a call to exists("/a") to succeed even if it returns the znode metadata info?
Attachments
Issue Links
- breaks
-
HBASE-28444 Bump org.apache.zookeeper:zookeeper from 3.8.3 to 3.8.4
- Resolved
- links to