[
https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13778385#comment-13778385
]
Yuliya Feldman commented on ZOOKEEPER-1759:
-------------------------------------------
Sorry, Could not reply earlier - was out whole day.
@Eugene - Since this one is committed should I submit another JIRA to change
name of the property, or submit another patch on this JIRA?
@Flavio I am not exactly following. In the JIRA you are referring to you were
proposing to put property into QuorumConfig object, is it? I did not find
anything the patch(es) that was related to configuration
> Adding ability to allow READ operations for authenticated users, versus
> keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-1759
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.5
> Environment: Java, SASL authentication, security
> Reporter: Yuliya Feldman
> Fix For: 3.5.0
>
> Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch,
> ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients
> access to the data based on ACLS set on znodes there is no other choice but
> to set READ ACLs to be "world", "anyone" with the way how
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the
> data when application needs to make sure that not only creator of a znode can
> read the content.
> Proposal is to introduce new property: "zookeeper.readUser" that if incoming
> id matches to the value of that property it will be allowed to proceed in
> "match" method.
> So creator of a znode instead of
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE,
> Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> Assuming that value of "zookeeper.readUser" property was "anyone".
> This way at least READ access on corresponding znode has to be authenticated.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
