Nextdoor / ndserviceregistry

Nextdoor ServiceRegistry Foundational Python Class

Avoid creating ACLs on the higher level container paths for node registrations. #53

Closed diranged closed 10 years ago

diranged commented 10 years ago

This is a pretty noticeable behavior change, so we should think this through. This addresses Issue #49.

In the current released code, if you create a path /foo/bar/baz/host:22, and /foo/bar/baz does not exist, we tell Kazoo to create the path recursively. It does this with whatever default ACL settings we have created for our Kazoo client.

In production and staging we have seen this mean that /services/environment/app_name/host:22 is created, with the credentials for app_name, but also /services/environment and even /services were created with those same ACLs because of this recursive path creation.

In reality, I think we want to make sure that the final path container that holds host:22 has the right ACLs ... but that the other paths are open to be used by other application credentials.

timnd commented 10 years ago

Looks good to me.
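The behavior change described in the pull request description above, as an added example that is not part of the original thread or of the ndserviceregistry code. `FakeZk` is a constructed in-memory stub that mimics only a subset of the Kazoo client's `exists`/`create` calls, and the ACL labels, `register_recursive`, `register_scoped` and `acls_after` are hypothetical names introduced for illustration.

```python
# Added illustration; not ndserviceregistry or Kazoo code.
OPEN_ACL = "world:anyone"      # assumed stand-in for an open ACL
APP_ACL = "digest:app_name"    # assumed stand-in for the app credential's ACL

class FakeZk:
    """Constructed in-memory stub mimicking a subset of KazooClient."""
    def __init__(self, default_acl):
        self.default_acl = default_acl
        self.nodes = {}  # path -> ACL the node was created with

    def exists(self, path):
        return path in self.nodes

    def create(self, path, value=b"", acl=None, ephemeral=False, makepath=False):
        parent = path.rsplit("/", 1)[0]
        if parent and parent not in self.nodes:
            if not makepath:
                raise KeyError("no such node: " + parent)
            # Models the behavior in the description: missing parents are
            # created recursively with the same ACL settings as the leaf.
            self.create(parent, acl=acl, makepath=True)
        self.nodes[path] = self.default_acl if acl is None else acl
        return path

def register_recursive(zk, path):
    """Released behavior: one recursive create, client default ACL everywhere."""
    return zk.create(path, ephemeral=True, makepath=True)

def register_scoped(zk, path, open_acl=OPEN_ACL):
    """Proposed behavior: open ACL above the final container, default ACL on it."""
    parts = path.strip("/").split("/")
    current = ""
    for depth, part in enumerate(parts[:-1], start=1):
        current += "/" + part
        if zk.exists(current):
            continue  # never touch ACLs of paths that already exist
        is_final_container = depth == len(parts) - 1
        zk.create(current, acl=None if is_final_container else open_acl)
    return zk.create(path, ephemeral=True)

def acls_after(register, path):
    """Run one registration against a fresh stub and return path -> ACL."""
    zk = FakeZk(default_acl=APP_ACL)
    register(zk, path)
    return zk.nodes

if __name__ == "__main__":
    for fn in (register_recursive, register_scoped):
        print(fn.__name__, acls_after(fn, "/services/environment/app_name/host:22"))
```

Comparing the two returned maps for the same path shows which container nodes end up restricted to the registering application's credentials.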