
ZOOKEEPER-904. super digest is not actually acting as a full superuser (Camille Fournier via mahadev)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/zookeeper/trunk@1027763 13f79535-47bb-0310-9956-ffa450edef68
Mahadev Konar 14 年 前
コミット
8030fe25ea

+ 3 - 0
CHANGES.txt

@@ -137,6 +137,9 @@ BUGFIXES:
   ZOOKEEPER-800. zoo_add_auth returns ZOK if zookeeper handle is in
   ZOO_CLOSED_STATE (michi mutsuzaki via mahadev konar)
 
+  ZOOKEEPER-904. super digest is not actually acting as a full superuser
+  (Camille Fournier via mahadev)
+
 IMPROVEMENTS:
   ZOOKEEPER-724. Improve junit test integration - log harness information 
   (phunt via mahadev)

+ 6 - 4
src/java/main/org/apache/zookeeper/server/PrepRequestProcessor.java

@@ -168,6 +168,11 @@ public class PrepRequestProcessor extends Thread implements RequestProcessor {
         if (acl == null || acl.size() == 0) {
             return;
         }
+        for (Id authId : ids) {
+            if (authId.getScheme().equals("super")) {
+                return;
+            }
+        }
         for (ACL a : acl) {
             Id id = a.getId();
             if ((a.getPerms() & perm) != 0) {
@@ -178,10 +183,7 @@ public class PrepRequestProcessor extends Thread implements RequestProcessor {
                 AuthenticationProvider ap = ProviderRegistry.getProvider(id
                         .getScheme());
                 if (ap != null) {
-                    for (Id authId : ids) {
-                        if (authId.getScheme().equals("super")) {
-                            return;
-                        }
+                    for (Id authId : ids) {                        
                         if (authId.getScheme().equals(id.getScheme())
                                 && ap.matches(authId.getId(), id.getId())) {
                             return;
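Review bot: The loop hoisted in the first hunk returns for any `Id` whose scheme is `"super"` before a single ACL entry is read, so the whole permission check now rests on that scheme string being something only a verified superuser session can carry, and nothing at this site says so. I would add a comment above the loop such as `// an Id with scheme "super" bypasses every ACL; it must only be attached to a session by a provider that has verified the super credential`, and confirm that no other registered AuthenticationProvider can emit that scheme. Writing the comparison as `"super".equals(authId.getScheme())` would also avoid a NullPointerException should a scheme ever be null, and the rewritten `for` line in the second hunk carries trailing whitespace. The enclosing method begins and ends outside both hunks.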

+ 24 - 0
src/java/test/org/apache/zookeeper/test/AuthTest.java

@@ -122,4 +122,28 @@ public class AuthTest extends ClientBase {
             zk.close();
         }
     }
+    
+    @Test
+    public void testSuperACL() throws Exception {
+    	 ZooKeeper zk = createClient();
+         try {
+             zk.addAuthInfo("digest", "pat:pass".getBytes());
+             zk.create("/path1", null, Ids.CREATOR_ALL_ACL,
+                     CreateMode.PERSISTENT);
+             zk.close();
+             // verify super can do anything and ignores ACLs
+             zk = createClient();
+             zk.addAuthInfo("digest", "super:test".getBytes());
+             zk.getData("/path1", false, null);
+             
+             zk.setACL("/path1", Ids.READ_ACL_UNSAFE, -1);
+             zk.create("/path1/foo", null, Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
+           
+             
+             zk.setACL("/path1", Ids.OPEN_ACL_UNSAFE, -1);
+        	 
+         } finally {
+             zk.close();
+         }
+    }
 }
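Review bot: testSuperACL only exercises the success path, so it would keep passing if the early return added in PrepRequestProcessor also let through a client that merely presents the super user name. A negative case right after the first `zk.close()`, while /path1 still carries the creator-only ACL, would pin that down: a client that adds `super:` with a wrong password should be refused on `getData`. The sketch below assumes `Assert` and `KeeperException` are already imported in this file and that a non-matching super digest is handled as an ordinary digest id, neither of which the page shows. The test also depends on the server being configured with the digest for `super:test`, and that setup is outside the hunk.

```java
             zk.close();
             // a digest that is not the configured super digest must not get the bypass
             ZooKeeper wrongSuper = createClient();
             try {
                 wrongSuper.addAuthInfo("digest", "super:wrong".getBytes());
                 wrongSuper.getData("/path1", false, null);
                 Assert.fail("wrong super password must not bypass the ACL");
             } catch (KeeperException.NoAuthException expected) {
                 // the creator-only ACL on /path1 is still enforced
             } finally {
                 wrongSuper.close();
             }
             // … unchanged: super client reads /path1 and changes its ACL …
```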