[
https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771348#comment-13771348
]
Hadoop QA commented on ZOOKEEPER-1759:
--------------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12603932/ZOOKEEPER-1759.patch
against trunk revision 1524398.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output:
https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1589//console
This message is automatically generated.
> Adding ability to allow READ operations for authenticated users, versus
> keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-1759
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.5
> Environment: Java, SASL authentication, security
> Reporter: Yuliya Feldman
> Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients
> access to the data based on ACLS set on znodes there is no other choice but
> to set READ ACLs to be "world", "anyone" with the way how
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the
> data when application needs to make sure that not only creator of a znode can
> read the content.
> Proposal is to introduce new property: "zookeeper.readUser" that if incoming
> id matches to the value of that property it will be allowed to proceed in
> "match" method.
> So creator of a znode instead of
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> Assuming that value of "zookeeper.readUser" property was "anyone".
> This way at least READ access on corresponding znode has to be authenticated.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
