[SLIDER-931]  Security permissions on set up ZK path are too lax
diff --git a/slider-core/src/main/java/org/apache/slider/client/SliderClient.java b/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
index 1008ae5..77dacd8 100644
--- a/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
+++ b/slider-core/src/main/java/org/apache/slider/client/SliderClient.java
@@ -158,6 +158,8 @@
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.InterruptedIOException;
 import java.io.PrintStream;
 import java.io.StringWriter;
 import java.io.Writer;
@@ -464,16 +466,15 @@
         client.deleteRecursive(zkPath);
         return true;
       }
-    } catch (InterruptedException ignored) {
-      e = ignored;
-    } catch (KeeperException ignored) {
-      e = ignored;
-    } catch (BadConfigException ignored) {
-      e = ignored;
+    } catch (InterruptedException ex) {
+      e = ex;
+    } catch (KeeperException ex) {
+      e = ex;
+    } catch (BadConfigException ex) {
+      e = ex;
     }
     if (e != null) {
-      log.debug("Unable to recursively delete zk node {}", zkPath);
-      log.debug("Reason: ", e);
+      log.warn("Unable to recursively delete zk node {}", zkPath, e);
     }
 
     return false;
@@ -484,6 +485,31 @@
    */
   @VisibleForTesting
   public String createZookeeperNode(String clusterName, Boolean nameOnly) throws YarnException, IOException {
+    try {
+      return createZookeeperNodeInner(clusterName, nameOnly);
+    } catch (KeeperException.NodeExistsException e) {
+      return null;
+    } catch (KeeperException e) {
+      return null;
+    } catch (InterruptedException e) {
+      throw new InterruptedIOException(e.toString());
+    }
+  }
+
+  /**
+   * Create the zookeeper node associated with the calling user and the cluster
+   * -throwing exceptions on any failure
+   * @param clusterName cluster name
+   * @param nameOnly create the path, not the node
+   * @return the path, with the node created
+   * @throws YarnException
+   * @throws IOException
+   * @throws KeeperException
+   * @throws InterruptedException
+   */
+  @VisibleForTesting
+  public String createZookeeperNodeInner(String clusterName, Boolean nameOnly)
+      throws YarnException, IOException, KeeperException, InterruptedException {
     String user = getUsername();
     String zkPath = ZKIntegration.mkClusterPath(user, clusterName);
     if (nameOnly) {
@@ -491,22 +517,22 @@
     }
     ZKIntegration client = getZkClient(clusterName, user);
     if (client != null) {
-      try {
-        List<ACL> zkperms = new ArrayList<ACL>();
-        zkperms.addAll(ZooDefs.Ids.CREATOR_ALL_ACL);
-        zkperms.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
-        client.createPath(zkPath, "",
-            zkperms,
-            CreateMode.PERSISTENT);
-        return zkPath;
-      } catch (InterruptedException e) {
-        log.warn("Unable to create default zk node {}", zkPath, e);
-      } catch (KeeperException e) {
-        log.warn("Unable to create default zk node {}", zkPath, e);
+      // set up the permissions. This must be done differently on a secure cluster from an insecure
+      // one
+      List<ACL> zkperms = new ArrayList<ACL>();
+      if (UserGroupInformation.isSecurityEnabled()) {
+        zkperms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
+        zkperms.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+      } else {
+        zkperms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE));
       }
+      client.createPath(zkPath, "",
+          zkperms,
+          CreateMode.PERSISTENT);
+      return zkPath;
+    } else {
+      return null;
     }
-
-    return null;
   }
 
   /**
diff --git a/slider-core/src/test/app_packages/test_command_log/appConfig.json b/slider-core/src/test/app_packages/test_command_log/appConfig.json
index b9383ec..f53225e 100644
--- a/slider-core/src/test/app_packages/test_command_log/appConfig.json
+++ b/slider-core/src/test/app_packages/test_command_log/appConfig.json
@@ -9,7 +9,8 @@
         "site.global.app_root": "${AGENT_WORK_ROOT}/app/install/command-logger",
         "site.cl-site.logfile.location": "${AGENT_LOG_ROOT}/operations.log",
         "site.cl-site.datetime.format": "%A, %d. %B %Y %I:%M%p",
-        "site.cl-site.pattern.for.test.to.verify": "verify this pattern"
+        "site.cl-site.pattern.for.test.to.verify": "verify this pattern",
+        "create.default.zookeeper.node": true
     },
     "components": {
         "COMMAND_LOGGER": {
diff --git a/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy b/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
index 431c49f..efc550a 100644
--- a/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
+++ b/slider-core/src/test/groovy/org/apache/slider/common/tools/TestZKIntegration.groovy
@@ -107,7 +107,7 @@
   public void testCreateAndDeleteDefaultZKPath() throws Throwable {
     MockSliderClient client = new MockSliderClient()
 
-    String path = client.createZookeeperNode("cl1", true)
+    String path = client.createZookeeperNodeInner("cl1", true)
     zki = client.lastZKIntegration
 
     String zkPath = ZKIntegration.mkClusterPath(USER, "cl1")
@@ -117,7 +117,7 @@
     zki = createZKIntegrationInstance(getZKBinding(), "cl1", true, false, 5000);
     assert !zki.exists(zkPath)
 
-    path = client.createZookeeperNode("cl1", false)
+    path = client.createZookeeperNodeInner("cl1", false)
     zki = client.lastZKIntegration
     assert zki 
     assert zkPath == "/services/slider/users/" + USER + "/cl1", "zkPath must be as expected"