In function kazoo.mkdirRecursive , it is trying to create the node and checking if the error is ErrNodeExists which is treated as no error.
The problem with this approach is that the intermediate nodes might exist but have restrictive ACL to not allow Create operation. In this case, we directly get unauthenticated error from zookeeper. For example, in my case:
/stream/kafka/dc is the Chroot. And this path already exists.
However, Create is not allowed for /, so trying to do create /stream directly returns unauthenticated error without any further evaluation. This fails the mkdirRecursive
Wouldn't it be better to explicitly check if the node exists and then try to create it if it doesn't? With this, if the node is there, there won't be any problem with authentication. If the node does not exist, and create is not allowed, then it will fail, like it should.
In function kazoo.mkdirRecursive , it is trying to create the node and checking if the error is ErrNodeExists which is treated as no error.
The problem with this approach is that the intermediate nodes might exist but have restrictive ACL to not allow Create operation. In this case, we directly get unauthenticated error from zookeeper. For example, in my case:
/stream/kafka/dc is the Chroot. And this path already exists. However, Create is not allowed for /, so trying to do create /stream directly returns unauthenticated error without any further evaluation. This fails the mkdirRecursive
Wouldn't it be better to explicitly check if the node exists and then try to create it if it doesn't? With this, if the node is there, there won't be any problem with authentication. If the node does not exist, and create is not allowed, then it will fail, like it should.