[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13776531#comment-13776531
 ] 

Eugene Koontz commented on ZOOKEEPER-1759:
------------------------------------------

Hi Camille, thanks for bringing this to my attention. Yuliya, two questions:

1) I don't think the property name "zookeeper.readUser" is meaningful - in this 
code that you added to matches():

{code}
        String readAccessUser = System.getProperty("zookeeper.readUser");
        if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
          return true;
        }
{code}

Above, there is no check for whether the user wants to specifically read as 
opposed to perform any other action. 

For example, if a) and b) are true:

a) I add an ACL: ((Perms.READ | Perms.WRITE), new Id("sasl", "anyone"))

and 

b) the property "zookeeper.readUser" is set to "anyone"

then this user can read *and* write to the node. So it seems like you could 
call the property "zookeeper.x-User" just as well: it's the ACL on the node, 
not the property, that determines what set of actions x the user defined 
by this property can do.

2) I'm not sure that this change adds any new authorization restrictions - it 
seems the same as simply making a node world-readable. What if a user is not 
SASL-authenticated? Won't the new code that you added in matches():

{code}
        String readAccessUser = System.getProperty("zookeeper.readUser");
        if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
          return true;
        }
{code}

simply return true regardless of whether the client is SASL-authenticated or 
not, if a given node is set to ACL(Perms.READ, new Id("sasl", "anyone")), and 
zookeeper.readUser is set to "anyone"?

I might be wrong - but either way, the question could be resolved with an 
additional unit test, which clarifies what the permissions are of a 
non-SASL-authenticated user when the user attempts to read a node which has:

a) ACL(Perms.READ, new Id("sasl", "anyone")), and
b) no other permissions (e.g. it is not world-readable).


-Eugene
                
> Adding ability to allow READ operations for authenticated users,  versus 
> keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1759
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.5
>         Environment: Java, SASL authentication, security
>            Reporter: Yuliya Feldman
>             Fix For: 3.5.0
>
>         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, 
> ZOOKEEPER-1759.patch
>
>
> Today, when using SASLAuthenticationProvider to authenticate Zookeeper clients' 
> access to data based on ACLs set on znodes, there is no other choice but 
> to set READ ACLs to "world", "anyone", given the way 
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. This means that any unauthenticated user can read the 
> data when the application needs to make sure that not only the creator of a 
> znode can read the content.
> The proposal is to introduce a new property, "zookeeper.readUser": if the 
> incoming id matches the value of that property, it will be allowed to proceed 
> in the "match" method. 
> So creator of a znode instead of 
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, 
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, 
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> assuming that the value of the "zookeeper.readUser" property is "anyone".
> This way, at least READ access on the corresponding znode has to be authenticated.

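The two questions in the comment above can be tried out on concrete inputs with a small stand-alone model of the znode permission check. This is an added example, not ZooKeeper code and not from the patch: the Perms bit values, the shape of the server-side check (grant on "world"/"anyone" without authentication, otherwise ask a scheme's provider only about client ids carrying that same scheme) and the exact-string behaviour of the unpatched SASL matcher are all assumptions made for the model, and `read_user` stands in for System.getProperty("zookeeper.readUser"). Whether the real server behaves like the modelled `check_acl` for an unauthenticated client is precisely what the suggested unit test would settle.

```python
"""Added example (not ZooKeeper code): a model of the znode permission check
with the "zookeeper.readUser" short-cut from the issue's patch applied to the
SASL matcher.  Assumptions not taken from the thread: the Perms bit values,
the structure of the server-side check, and that the unpatched SASL matcher
is an exact string comparison."""

READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16   # assumed bit layout


class Id:
    """Model of org.apache.zookeeper.data.Id: an auth scheme plus an id string."""
    def __init__(self, scheme, id_):
        self.scheme, self.id = scheme, id_


class ACL:
    """Model of org.apache.zookeeper.data.ACL: a perms bitmask plus an Id."""
    def __init__(self, perms, id_):
        self.perms, self.id = perms, id_


class NoAuthException(Exception):
    """Stands in for KeeperException.NoAuthException."""


def sasl_matches(client_id, acl_expr, read_user=None):
    """Model of SASLAuthenticationProvider.matches() with the patch applied.
    `read_user` plays the role of System.getProperty("zookeeper.readUser")."""
    if read_user is not None and acl_expr == read_user:
        return True                    # the patch: any caller matches this expr
    return client_id == acl_expr       # assumed original behaviour: exact match


def check_acl(acls, perm, client_ids, read_user=None):
    """Model of the server-side check.  `client_ids` are the ids the client has
    authenticated as; an unauthenticated connection has none."""
    for acl in acls:
        if acl.perms & perm == 0:
            continue                              # entry does not grant `perm`
        if acl.id.scheme == "world" and acl.id.id == "anyone":
            return                                # no authentication needed
        if acl.id.scheme == "sasl":
            for cid in client_ids:
                # assumption: the SASL matcher is only asked about SASL ids
                if cid.scheme == "sasl" and sasl_matches(cid.id, acl.id.id, read_user):
                    return
    raise NoAuthException()


def allowed(acls, perm, client_ids, read_user=None):
    try:
        check_acl(acls, perm, client_ids, read_user)
        return True
    except NoAuthException:
        return False


def scenarios():
    """Constructed inputs for the two questions raised in the thread."""
    sasl_user = [Id("sasl", "bob@EXAMPLE.COM")]   # constructed SASL principal
    digest_user = [Id("digest", "bob:secret")]    # authenticated, but not via SASL
    nobody = []                                    # unauthenticated connection
    anyone = "anyone"                              # value of zookeeper.readUser

    rw_acl = [ACL(READ | WRITE, Id("sasl", anyone))]   # question 1
    r_acl = [ACL(READ, Id("sasl", anyone))]            # question 2
    world_acl = [ACL(READ, Id("world", "anyone"))]     # the status quo

    return {
        "q1_sasl_user_reads_rw_acl": allowed(rw_acl, READ, sasl_user, anyone),
        "q1_sasl_user_writes_rw_acl": allowed(rw_acl, WRITE, sasl_user, anyone),
        "q2_unauthenticated_reads_r_acl": allowed(r_acl, READ, nobody, anyone),
        "q2_digest_user_reads_r_acl": allowed(r_acl, READ, digest_user, anyone),
        "q2_sasl_user_reads_r_acl": allowed(r_acl, READ, sasl_user, anyone),
        "property_unset_sasl_user_reads_r_acl": allowed(r_acl, READ, sasl_user, None),
        "world_acl_unauthenticated_reads": allowed(world_acl, READ, nobody, None),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'NoAuth'}")
```

In the model, question 1 comes out as the comment predicts: with the property set to "anyone", a SASL user gets every action the `sasl:anyone` entry carries, WRITE included, so the property name says nothing about READ. For question 2, the model refuses the unauthenticated and the digest-authenticated client because the SASL matcher is never consulted for them; that refusal depends on the assumed structure of `check_acl`, which is why a unit test against the real server is the right way to answer it.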