
ZooKeeper delete permissions enforcement understanding

[zk: 9] addauth digest user:defaultPassword
[zk: 32] create /test
Created /test
[zk:  33] create /test/can-delete null digest:user:xMNYqfrT373RREgAzmYepA2oLxY=:cdrw
Created /test/can-delete
[zk: 34] getAcl /test/can-delete
'digest,'user:xMNYqfrT373RREgAzmYepA2oLxY=:cdrw
[zk: 35] create /test/cant-delete null digest:user:xMNYqfrT373RREgAzmYepA2oMHb=:cdrw
Created /test/cant-delete
[zk: 37] delete /test/can-delete
[zk: 38] delete /test/cant-delete

(localhost:2181(CONNECTED) removed from each line above, to improve readability)

  • The setup has 1 server and 1 client.
  • To begin with, I auth myself in command 9.
  • I create a test node in 32.
  • Inside that I create a can-delete node with the correct ACL.
  • Inside the same test folder, I create another cant-delete node with incorrect ACL permissions (if you look at the last 3 characters before "=" of the digested password, I've changed them in command 35 compared to the one in command 34).
  • I try to delete both nodes (can-delete and cant-delete). I'm successful in doing so.

I'm not able to understand why and how it is allowing me to delete cant-delete, because the ACL does not match the authenticated ID:PASSWORD. I was expecting this to throw a NoAuthException at me.

Please help. Thank you.

The ZooKeeper documentation says that:

ZooKeeper supports the following permissions:

CREATE: you can create a child node

READ: you can get data from a node and list its children.

WRITE: you can set data for a node

DELETE: you can delete a child node

ADMIN: you can set permissions

Note that the DELETE permission applies to child nodes, not to the node itself.

This means that to prevent deletion of a node, you need to set an ACL (without the 'd' DELETE permission) on the parent of the node you are trying to protect (i.e. you need to set an ACL on the /test node in your example).
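
The check described in the answer, as an added example that is not part of the original post or ZooKeeper's own code: a simplified Python model in which delete consults only the parent's ACL. The helper names (`allowed`, `delete`, `replay`) are hypothetical, the second password is constructed, and the model assumes `/test` was created with the open `world:anyone:cdrwa` ACL because no ACL was given.

```python
import base64
import hashlib

OPEN = [("world", "anyone", "cdrwa")]  # ACL that `create /test` gets with no ACL argument

class NoAuth(Exception):
    """Stands in for ZooKeeper's NoAuthException."""

def digest_id(user, password):
    """Digest-scheme id: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def allowed(acl, perm, auth_ids):
    """True if an entry lists perm and matches world:anyone or one of the client's ids."""
    return any(perm in perms and ((scheme, ident) == ("world", "anyone")
                                  or (scheme, ident) in auth_ids)
               for scheme, ident, perms in acl)

def delete(acls, path, auth_ids):
    """Model of the delete check: DELETE is looked up on the parent's ACL only."""
    parent = path.rsplit("/", 1)[0] or "/"
    if not allowed(acls[parent], "d", auth_ids):
        raise NoAuth(path)
    del acls[path]

def replay(parent_acl=None):
    """Replay the question's session with a chosen ACL on /test."""
    me = ("digest", digest_id("user", "defaultPassword"))
    other = ("digest", digest_id("user", "constructedOtherPassword"))  # constructed
    acls = {
        "/": OPEN,
        "/test": parent_acl or OPEN,
        "/test/can-delete": [(*me, "cdrw")],
        "/test/cant-delete": [(*other, "cdrw")],
    }
    result = {}
    for child in ("/test/can-delete", "/test/cant-delete"):
        try:
            delete(acls, child, {me})
            result[child] = "deleted"
        except NoAuth:
            result[child] = "NoAuthException"
    return result

if __name__ == "__main__":
    print(replay())                               # open parent, as in the question
    print(replay([("world", "anyone", "crwa")]))  # parent ACL without 'd'
```

Because the permission lives on the parent, withholding 'd' on /test protects both children at once; the children's own ACLs make no difference to the outcome.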
