Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 3.8.1
- None
- None
Description
Hello,
I've found a problem with ZooKeeper that allows any client to delete a zNode regardless of the ACL set for the zNode.
I'm not sure whether this issue is for an ordinary JIRA ticket or whether it is a vulnerability problem.
Here are the steps I used to reproduce the problem:
1) Create zNode /users.
2) Create zNode /users/john.
[zk: localhost:2181(CONNECTED) 1] create /users
Created /users
[zk: localhost:2181(CONNECTED) 2] create /users/john
3) Set auth.scheme digest, with password 'john123' on the zNode /users/john.
3.1) Generate digest for the user john and password john123.
root@dev-id-client:/opt/zookeeper-3.8.2# java -classpath 'lib/*' org.apache.zookeeper.server.auth.DigestAuthenticationProvider john:john123
16:02:56.377 [main] INFO org.apache.zookeeper.server.auth.DigestAuthenticationProvider - ACL digest algorithm is: SHA1
john:john123->john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=
root@dev-id-client:/opt/zookeeper-3.8.2#
3.2) Assign ACL for the zNode /users/john.
[zk: localhost:2181(CONNECTED) 6] setAcl /users/john digest:john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=:cdrwa
[zk: localhost:2181(CONNECTED) 7]
4) Test the access to the zNode /users/john. Try to read the ACL.
[zk: localhost:2181(CONNECTED) 7] getAcl /users/john
Insufficient permission : /users/john
[zk: localhost:2181(CONNECTED) 8]
Here the response makes sense. Because of the zNode ACL set, access is denied.
5) Try to delete the zNode /users/john.
[zk: localhost:2181(CONNECTED) 8] delete /users/john
[zk: localhost:2181(CONNECTED) 9]
I'd expect to see an Insufficient permission message here.
6) Verify that zNode was successfully deleted.
[zk: localhost:2181(CONNECTED) 9] stat /users/john
Node does not exist: /users/john
[zk: localhost:2181(CONNECTED) 10]
7) whoami command shows the following.
[zk: localhost:2181(CONNECTED) 10] whoami
Auth scheme: User
ip: 127.0.0.1
[zk: localhost:2181(CONNECTED) 11]
In my opinion, the delete operation should not be possible if access to the zNode was rejected, e.g. getAcl fails with Insufficient permission : /users/john.
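
The session above, replayed against a small Python model of ZooKeeper's per-operation permission checks (an added example, not part of the original report and not ZooKeeper's own code). It assumes the documented permission semantics, in which CREATE and DELETE are evaluated against the parent zNode's ACL while getAcl and setAcl are evaluated against the node's own ACL; `ModelTree`, `digest_id`, `parent`, `allowed` and `replay` are hypothetical names.

```python
import base64, hashlib

OPEN_ACL = [("world", "anyone", "cdrwa")]  # what a node gets when create is given no ACL

def digest_id(user, password):
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()  # SHA1 as in step 3.1
    return f"{user}:{base64.b64encode(raw).decode()}"

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

class ModelTree:  # simplified model of per-operation ACL checks, not ZooKeeper source
    def __init__(self):
        self.acl = {"/": list(OPEN_ACL)}

    def _check(self, path, wanted, auth):
        ok = any((scheme == "world" or (scheme, ident) in auth) and set(wanted) & set(perms)
                 for scheme, ident, perms in self.acl[path])
        if not ok:
            raise PermissionError(f"Insufficient permission : {path}")

    def create(self, path, auth=()):
        self._check(parent(path), "c", auth)   # CREATE is checked on the parent
        self.acl[path] = list(OPEN_ACL)
    def set_acl(self, path, acl, auth=()):
        self._check(path, "a", auth)           # ADMIN on the node itself
        self.acl[path] = list(acl)
    def get_acl(self, path, auth=()):
        self._check(path, "ra", auth)          # READ or ADMIN on the node itself
    def delete(self, path, auth=()):
        self._check(parent(path), "d", auth)   # DELETE is checked on the parent
        del self.acl[path]

def allowed(op, path, auth):
    try:
        op(path, auth)
        return True
    except PermissionError:
        return False

def replay(lock_parent, auth=()):
    """Steps 1-5 of the report; returns (getAcl allowed, delete allowed)."""
    tree, john = ModelTree(), ("digest", digest_id("john", "john123"), "cdrwa")
    tree.create("/users")
    tree.create("/users/john")
    tree.set_acl("/users/john", [john])
    if lock_parent:
        tree.set_acl("/users", [john])         # hardening: restrict the parent too
    return allowed(tree.get_acl, "/users/john", auth), allowed(tree.delete, "/users/john", auth)
```

`replay(False)` returns `(False, True)`, matching steps 4 and 5 of the report; `replay(True)` returns `(False, False)` for the same unauthenticated client once `/users` carries the digest ACL as well.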