[jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ

Wed, 25 Sep 2013 09:22:28 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13777700#comment-13777700
 ] 

Camille Fournier commented on ZOOKEEPER-1759:
---------------------------------------------

Oh yes, I checked this in but I agree with that. Also do we need documentation 
somewhere about this new property?
                
> Adding ability to allow READ operations for authenticated users,  versus 
> keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1759
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.5
>         Environment: Java, SASL authentication, security
>            Reporter: Yuliya Feldman
>             Fix For: 3.5.0
>
>         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, 
> ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients 
> access to the data based on ACLS set on znodes there is no other choice but 
> to set READ ACLs to be "world", "anyone" with the way how 
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the 
> data when application needs to make sure that not only creator of a znode can 
> read the content.
> Proposal is to introduce new property: "zookeeper.readUser" that if incoming 
> id matches to the value of that property it will be allowed to proceed in 
> "match" method. 
> So creator of a znode instead of 
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, 
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, 
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> Assuming that value of "zookeeper.readUser" property was "anyone".
> This way at least READ access on corresponding znode has to be authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to