0

I need to setup user:password authentication for clients accessing data inside zookeeper server. I'm experimenting with zkCli and Curator Framework to figure out how this works and for some reason the code executed from Curator Framework bypasses all the security settings and behaves as it has full access rights, when it shouldn't have them.

I've been following the answers to those questions:

Using ACL with Curator

How to access a protected znode from ZooKeeper using zkCli?

zkCli:

[zk: localhost:7999(CONNECTED) 29] create /testpath contents digest:user:smGaoVKd/cQkjm7b88GyorAUz20=:cdrwa
Created /testpath
[zk: localhost:7999(CONNECTED) 4] getAcl /testpath
'digest,'user:smGaoVKd/cQkjm7b88GyorAUz20=
: cdrwa
[zk: localhost:7999(CONNECTED) 30] rmr /testpath  
Authentication is not valid : /testpath
[zk: localhost:7999(CONNECTED) 31]

The above result is as expected, we added ACL restrictions and now we can't access the created node. However when I'm trying to access this node with Curator Framework it deletes it, but it shouldn't.

        String zkConnectString = "hostname:7999";
        RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);

        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString(zkConnectString)
                .retryPolicy(retryPolicy)
                .build();
        client.start();
        try {
            client.delete().forPath("/testpath");
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(0);
        }

So the java Curator Framework code deletes the node successfully instead of giving any authentication errors. What am I doing wrong?

product versions:

Curator Framework: 2.11.1

Zookeeper server: 3.4.5

Zookeeper java client: 3.4.12

Mikhail Valiev
  • 113
  • 1
  • 11

1 Answers1

1

In the ZooKeeper CLI you are calling rmr which is Delete All. You're getting the ACL violation because the ACL applies to nodes underneath /testpath and you don't have perms to delete/get (it's likely the get that's complaining) nodes underneath /testpath. Notice, if in the CLI you instead try delete /testpath it works (I tested this myself) as the node /testpath adopts the ACLs of its parent. TBH I can never keep ZooKeeper ACLs straight in my head and I wrote Curator. So, in short, Curator is doing the correct thing (the same thing that CLI does).

Randgalt
  • 2,907
  • 1
  • 17
  • 31
  • What was really confusing is that - yes, while `delete /testpath` works, other commands like `get` or `set` - won't. But I think I get it now, the `DELETE` permission is the permission to delete the first level children of the node, where that permission is set – Mikhail Valiev Jul 10 '19 at 08:15