[ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13777700#comment-13777700 ]
Camille Fournier commented on ZOOKEEPER-1759: --------------------------------------------- Oh yes, I checked this in but I agree with that. Also do we need documentation somewhere about this new property? > Adding ability to allow READ operations for authenticated users, versus > keeping ACLs wide open for READ > -------------------------------------------------------------------------------------------------------- > > Key: ZOOKEEPER-1759 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759 > Project: ZooKeeper > Issue Type: Improvement > Components: server > Affects Versions: 3.4.5 > Environment: Java, SASL authentication, security > Reporter: Yuliya Feldman > Fix For: 3.5.0 > > Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, > ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch > > > Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients > access to the data based on ACLS set on znodes there is no other choice but > to set READ ACLs to be "world", "anyone" with the way how > {code:java} > public boolean matches(String id,String aclExpr) > {code} > is currently implemented. It means that any unauthenticated user can read the > data when application needs to make sure that not only creator of a znode can > read the content. > Proposal is to introduce new property: "zookeeper.readUser" that if incoming > id matches to the value of that property it will be allowed to proceed in > "match" method. > So creator of a znode instead of > {code:java} > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, > Ids.AUTH_IDS); > ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE); > {code} > will need to do > {code:java} > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, > Ids.AUTH_IDS); > ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone")); > {code} > Assuming that value of "zookeeper.readUser" property was "anyone". > This way at least READ access on corresponding znode has to be authenticated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira