[git patch]? Or [git format-patch]?
https://www.kernel.org/pub/software/scm/git/docs/git-format-patch.html

On Wed, Sep 18, 2013 at 5:40 PM, Yuliya Feldman (JIRA) <j...@apache.org> wrote:

> [ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771457#comment-13771457 ]
>
> Yuliya Feldman commented on ZOOKEEPER-1759:
> -------------------------------------------
>
> Resubmitted svn patch instead of git one. Hopefully this will work.
>
> > Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
> > --------------------------------------------------------------------------------------------------------
> >
> >                 Key: ZOOKEEPER-1759
> >                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
> >             Project: ZooKeeper
> >          Issue Type: Improvement
> >          Components: server
> >    Affects Versions: 3.4.5
> >         Environment: Java, SASL authentication, security
> >            Reporter: Yuliya Feldman
> >         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
> >
> >
> > Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients access to the data based on ACLS set on znodes there is no other choice but to set READ ACLs to be "world", "anyone" with the way how
> > {code:java}
> > public boolean matches(String id,String aclExpr)
> > {code}
> > is currently implemented. It means that any unauthenticated user can read the data when application needs to make sure that not only creator of a znode can read the content.
> > Proposal is to introduce new property: "zookeeper.readUser" that if incoming id matches to the value of that property it will be allowed to proceed in "match" method.
> > So creator of a znode instead of
> > {code:java}
> > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> > ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> > {code}
> > will need to do
> > {code:java}
> > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> > ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> > {code}
> > Assuming that value of "zookeeper.readUser" property was "anyone".
> > This way at least READ access on corresponding znode has to be authenticated.
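
The difference between the two READ ACLs in the quoted issue, as an added example that is not part of the thread, the attached patch, or ZooKeeper's code. It is a simplified model: `Id`, `Acl`, `saslMatches` and `canRead` are hypothetical stand-ins, and it assumes the proposal means that an ACL expression equal to the `zookeeper.readUser` value matches any SASL-authenticated id.

```java
import java.util.List;

// Simplified model of a znode READ check; these are not ZooKeeper's own classes.
public class ReadUserAclDemo {
    static final int READ = 1;

    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // Assumed reading of the proposal: an ACL expression equal to the
    // configured zookeeper.readUser value matches any SASL-authenticated id.
    static boolean saslMatches(String id, String aclExpr) {
        String readUser = System.getProperty("zookeeper.readUser");
        return id.equals(aclExpr) || (readUser != null && readUser.equals(aclExpr));
    }

    // A session may read if some ACL entry grants READ and matches one of
    // the identities attached to the session.
    static boolean canRead(List<Id> sessionIds, List<Acl> acls) {
        for (Acl acl : acls) {
            if ((acl.perms() & READ) == 0) continue;
            Id want = acl.id();
            // world:anyone matches every session, authenticated or not.
            if (want.scheme().equals("world") && want.id().equals("anyone")) return true;
            for (Id have : sessionIds) {
                if (have.scheme().equals("sasl") && want.scheme().equals("sasl")
                        && saslMatches(have.id(), want.id())) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.setProperty("zookeeper.readUser", "anyone");
        List<Id> unauthenticated = List.of();               // no SASL identity
        List<Id> alice = List.of(new Id("sasl", "alice"));  // constructed sample user

        List<Acl> worldRead = List.of(new Acl(READ, new Id("world", "anyone")));
        List<Acl> saslRead = List.of(new Acl(READ, new Id("sasl", "anyone")));

        System.out.println("world:anyone, unauthenticated: " + canRead(unauthenticated, worldRead));
        System.out.println("world:anyone, alice:           " + canRead(alice, worldRead));
        System.out.println("sasl:anyone,  unauthenticated: " + canRead(unauthenticated, saslRead));
        System.out.println("sasl:anyone,  alice:           " + canRead(alice, saslRead));
    }
}
```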