[ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13776531#comment-13776531 ]
Eugene Koontz commented on ZOOKEEPER-1759:
------------------------------------------

Hi Camille, thanks for bringing this to my attention.

Yuliya, two questions:

1) I don't think the property name "zookeeper.readUser" is meaningful - in this code that you added to matches():

{code}
String readAccessUser = System.getProperty("zookeeper.readUser");
if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
    return true;
}
{code}

Above, there is no check for whether the user wants to specifically read as opposed to perform any other action. For example, if a) and b) are true:

a) I add an ACL: ((Perms.READ | Perms.WRITE), new Id("sasl", "anyone"))
b) the property "zookeeper.readUser" is set to "anyone"

then this user can read *and* write to the node. So it seems like you could call the property "zookeeper.x-User" just as well: it's the ACL on the node, not the property, that determines what set of actions x the user defined by this property can do.

2) I'm not sure that this change adds any new authorization restrictions - it seems the same as simply making a node world-readable. What if a user is not SASL-authenticated? Won't the new code that you added in matches():

{code}
String readAccessUser = System.getProperty("zookeeper.readUser");
if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
    return true;
}
{code}

simply return true regardless of whether the client is SASL-authenticated or not, if a given node is set to ACL(Perms.READ, new Id("sasl", "anyone")) and zookeeper.readUser is set to "anyone"?

I might be wrong - but either way, the question could be resolved with an additional unit test, which clarifies what the permissions are of a non-SASL-authenticated user when the user attempts to read a node which:

a) has ACL(Perms.READ, new Id("sasl", "anyone"))
b) has no other permissions (e.g. is not world-readable).
-Eugene

> Adding ability to allow READ operations for authenticated users, versus
> keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1759
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.5
>         Environment: Java, SASL authentication, security
>            Reporter: Yuliya Feldman
>             Fix For: 3.5.0
>
>         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch,
> ZOOKEEPER-1759.patch
>
>
> Today, when using SASLAuthenticationProvider to authenticate ZooKeeper clients'
> access to the data based on ACLs set on znodes, there is no other choice but
> to set READ ACLs to "world", "anyone", given the way
> {code:java}
> public boolean matches(String id, String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the
> data when the application needs to make sure that not only the creator of a
> znode can read the content.
> The proposal is to introduce a new property, "zookeeper.readUser", such that
> if the incoming id matches the value of that property it will be allowed to
> proceed in the "matches" method.
> So the creator of a znode, instead of
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
>                    Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
>                    Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> assuming that the value of the "zookeeper.readUser" property is "anyone".
> This way, at least READ access on the corresponding znode has to be authenticated.
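The following is an added example, not code from ZooKeeper or from either participant: a self-contained Java model of the server-side ACL check combined with the matches() logic proposed in the patch, exercising the two cases raised in the comment above. The class names Id, ACL and the permission constants are stand-ins for org.apache.zookeeper.data.Id, org.apache.zookeeper.data.ACL and ZooDefs.Perms; saslMatches() and permitted() are hypothetical helpers. The model assumes (simplifying the structure of PrepRequestProcessor.checkACL in 3.4) that the server consults a scheme's provider matches() only for authenticated client ids of that same scheme, and it ignores the "super" scheme, skipACL, and every scheme other than "world" and "sasl".

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not ZooKeeper's code): models how zookeeper.readUser interacts
// with the ACL perms bits and with clients that never authenticated via SASL.
public class ReadUserAclModel {

    // Permission bits, same values as ZooDefs.Perms
    static final int READ = 1, WRITE = 2, CREATE = 4, DELETE = 8, ADMIN = 16;

    // (scheme, id) pair standing in for org.apache.zookeeper.data.Id
    static final class Id {
        final String scheme, id;
        Id(String scheme, String id) { this.scheme = scheme; this.id = id; }
    }

    // (perms, id) pair standing in for org.apache.zookeeper.data.ACL
    static final class ACL {
        final int perms;
        final Id id;
        ACL(int perms, Id id) { this.perms = perms; this.id = id; }
    }

    // The proposed "sasl" matches(): the authenticated id matches the ACL
    // expression if they are identical, or if the ACL expression equals the
    // configured zookeeper.readUser value. Nothing here looks at WHICH
    // permission is being requested (question 1 in the comment above).
    static boolean saslMatches(String readUser, String id, String aclExpr) {
        if (id.equals(aclExpr)) {
            return true;
        }
        return readUser != null && aclExpr.equals(readUser);
    }

    // Simplified model of the server's check (assumption: modelled on 3.4's
    // PrepRequestProcessor.checkACL). An ACL entry grants the requested perm
    // only if its perms bits cover it AND either it is world:anyone, or the
    // client presented an authenticated id of the SAME scheme for which that
    // scheme's matches() returns true. A client that never completed SASL has
    // no "sasl" id, so saslMatches() is never consulted for it at all.
    static boolean permitted(String readUser, List<ACL> acls, int perm, List<Id> authIds) {
        for (ACL a : acls) {
            if ((a.perms & perm) == 0) {
                continue; // entry does not cover the requested action
            }
            Id aclId = a.id;
            if (aclId.scheme.equals("world") && aclId.id.equals("anyone")) {
                return true;
            }
            if (!aclId.scheme.equals("sasl")) {
                continue; // only the sasl scheme is modelled here
            }
            for (Id authId : authIds) {
                if (authId.scheme.equals("sasl") && saslMatches(readUser, authId.id, aclId.id)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String readUser = "anyone"; // equivalent of -Dzookeeper.readUser=anyone
        List<Id> unauthenticated = new ArrayList<>();          // no SASL handshake
        List<Id> bob = List.of(new Id("sasl", "bob@EXAMPLE.COM")); // constructed principal

        // Question 1: READ|WRITE granted to sasl:anyone - does the property limit bob to READ?
        List<ACL> readWrite = List.of(new ACL(READ | WRITE, new Id("sasl", "anyone")));
        System.out.println("bob READ  under READ|WRITE: " + permitted(readUser, readWrite, READ, bob));
        System.out.println("bob WRITE under READ|WRITE: " + permitted(readUser, readWrite, WRITE, bob));

        // Question 2: READ-only for sasl:anyone, nothing world-readable - can an
        // unauthenticated client read?
        List<ACL> readOnly = List.of(new ACL(READ, new Id("sasl", "anyone")));
        System.out.println("anon READ under READ: " + permitted(readUser, readOnly, READ, unauthenticated));
        System.out.println("bob  READ under READ: " + permitted(readUser, readOnly, READ, bob));
        System.out.println("bob  WRITE under READ: " + permitted(readUser, readOnly, WRITE, bob));
    }
}
```

In this model the property only decides which ACL id every SASL-authenticated principal is treated as matching; the perms bits on the entry decide the actions, which is the point of question 1. For question 2 the decisive factor is not matches() itself but whether the caller ever invokes it for a client that has no "sasl" auth id; the scheme-equality check assumed above is exactly what a unit test against the real PrepRequestProcessor should confirm or refute.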