Zookeeper, mail # dev - Re: [jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ


Re: [jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
Ted Dunning 2013-09-19, 00:51
[git patch]?

Or [git format-patch]?

https://www.kernel.org/pub/software/scm/git/docs/git-format-patch.html

On Wed, Sep 18, 2013 at 5:40 PM, Yuliya Feldman (JIRA) <[EMAIL PROTECTED]> wrote:

>
>     [
> https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771457#comment-13771457]
>
> Yuliya Feldman commented on ZOOKEEPER-1759:
> -------------------------------------------
>
> Resubmitted svn patch instead of git one. Hopefully this will work.
>
> > Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
> > ------------------------------------------------------------------------------------------------------
> >
> >                 Key: ZOOKEEPER-1759
> >                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
> >             Project: ZooKeeper
> >          Issue Type: Improvement
> >          Components: server
> >    Affects Versions: 3.4.5
> >         Environment: Java, SASL authentication, security
> >            Reporter: Yuliya Feldman
> >         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
> >
> >
> > Today, when using SASLAuthenticationProvider to authenticate ZooKeeper clients' access to the data based on ACLs set on znodes, there is no other choice but to set READ ACLs to "world", "anyone", because of the way
> > {code:java}
> > public boolean matches(String id, String aclExpr)
> > {code}
> > is currently implemented. It means that any unauthenticated user can read the data when the application needs to make sure that not only the creator of a znode can read the content.
> > Proposal is to introduce a new property, "zookeeper.readUser": if the incoming id matches the value of that property, it will be allowed to proceed in the "match" method.
> > So the creator of a znode, instead of
> > {code:java}
> > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> > ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> > {code}
> > will need to do
> > {code:java}
> > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> > ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> > {code}
> > assuming that the value of the "zookeeper.readUser" property was "anyone".
> > This way at least READ access on the corresponding znode has to be authenticated.
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA
> administrators
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
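The following is an added example for this thread, not code from the ZooKeeper project or from the patch attached to ZOOKEEPER-1759. It models the two ACL-matching rules the issue contrasts: the current rule, where a SASL-authenticated id must equal the ACL expression exactly, and the proposed rule, where an ACL expression equal to the value of the proposed (and, on this page, not yet existing) "zookeeper.readUser" system property matches any authenticated SASL id. Only the org.apache.zookeeper data classes named in the issue text (ACL, Id, Perms, Ids) are real and are assumed to be on the classpath; the helper methods, the simplified permission check, and the principals creator@EXAMPLE.COM and alice@EXAMPLE.COM are constructed for illustration. The "auth" expansion mirrors what the server does to Ids.AUTH_IDS at create time, but the check itself is a simplification of the server's per-scheme provider dispatch.

```java
// Added example for this thread, not ZooKeeper project code. Models the ACL
// check discussed in ZOOKEEPER-1759: the current "sasl id must equal the ACL
// expression" rule, and the proposed rule where an ACL expression equal to the
// proposed "zookeeper.readUser" property matches any authenticated SASL id.
// Only the org.apache.zookeeper data classes are real; helpers are constructed.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class ReadUserAclDemo {

    /** Current rule as described in the issue: the authenticated id must equal aclExpr. */
    static boolean matchesCurrent(String id, String aclExpr) {
        return id.equals(aclExpr);
    }

    /** Proposed rule: an aclExpr equal to zookeeper.readUser admits every authenticated id. */
    static boolean matchesProposed(String id, String aclExpr) {
        String readUser = System.getProperty("zookeeper.readUser"); // proposed property name
        if (readUser != null && readUser.equals(aclExpr)) {
            return true; // only reached with an id that already passed SASL authentication
        }
        return id.equals(aclExpr);
    }

    /**
     * Mirrors the server-side expansion of Ids.AUTH_IDS ("auth", "") at create time:
     * each "auth" entry is replaced by the creator's authenticated ids.
     */
    static List<ACL> fixupAcl(List<ACL> requested, List<Id> creatorAuth) {
        List<ACL> out = new ArrayList<ACL>();
        for (ACL a : requested) {
            if ("auth".equals(a.getId().getScheme())) {
                for (Id c : creatorAuth) out.add(new ACL(a.getPerms(), c));
            } else {
                out.add(a);
            }
        }
        return out;
    }

    /** Simplified permission check; authInfo holds the session's authenticated ids (empty if none). */
    static boolean allowed(List<ACL> acl, List<Id> authInfo, int perm, boolean proposed) {
        for (ACL a : acl) {
            if ((a.getPerms() & perm) == 0) continue;
            Id aclId = a.getId();
            if ("world".equals(aclId.getScheme()) && "anyone".equals(aclId.getId())) {
                return true; // world:anyone needs no authentication at all
            }
            for (Id auth : authInfo) {
                if (!auth.getScheme().equals(aclId.getScheme())) continue;
                boolean m = proposed ? matchesProposed(auth.getId(), aclId.getId())
                                     : matchesCurrent(auth.getId(), aclId.getId());
                if (m) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.setProperty("zookeeper.readUser", "anyone"); // value assumed in the issue text
        List<Id> nobody  = Collections.emptyList();                                // unauthenticated session
        List<Id> creator = Arrays.asList(new Id("sasl", "creator@EXAMPLE.COM"));  // constructed principal
        List<Id> alice   = Arrays.asList(new Id("sasl", "alice@EXAMPLE.COM"));    // constructed principal

        int ownerPerms = Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE;
        // "before": READ left wide open, as the issue describes
        List<ACL> open = fixupAcl(Arrays.asList(
                new ACL(ownerPerms, Ids.AUTH_IDS),
                new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE)), creator);
        // "after": READ granted through the sasl:anyone expression instead of world:anyone
        List<ACL> gated = fixupAcl(Arrays.asList(
                new ACL(ownerPerms, Ids.AUTH_IDS),
                new ACL(Perms.READ, new Id("sasl", "anyone"))), creator);

        System.out.println("open ACL,  current rule,  unauthenticated READ: " + allowed(open, nobody, Perms.READ, false));
        System.out.println("gated ACL, current rule,  unauthenticated READ: " + allowed(gated, nobody, Perms.READ, false));
        System.out.println("gated ACL, current rule,  alice READ:           " + allowed(gated, alice, Perms.READ, false));
        System.out.println("gated ACL, proposed rule, unauthenticated READ: " + allowed(gated, nobody, Perms.READ, true));
        System.out.println("gated ACL, proposed rule, alice READ:           " + allowed(gated, alice, Perms.READ, true));
        System.out.println("gated ACL, proposed rule, alice WRITE:          " + allowed(gated, alice, Perms.WRITE, true));
        System.out.println("gated ACL, proposed rule, creator WRITE:        " + allowed(gated, creator, Perms.WRITE, true));
    }
}
```

Running it shows the gap the issue describes and the effect of the proposal: with the open ACL an unauthenticated session reads the znode, with the gated ACL under the current equality rule nobody but a principal literally named "anyone" can read it, and under the proposed rule any SASL-authenticated client (alice) can read while only the creator keeps write access. Two caveats follow directly from the code: the readUser value is a server-wide setting, so it grants READ to every authenticated SASL principal rather than to a chosen group, and the chosen value becomes a reserved id in the sasl scheme, since a principal that really authenticates as that name would also pass the plain equality branch.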