[ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13779395#comment-13779395 ]
Flavio Junqueira commented on ZOOKEEPER-1759: --------------------------------------------- [~yufeldman], [~fournc], SaslAuthDesignatedClientTest is failing and I suspect it is because of this commit. I'm going to upload a log file. With respect to configuration, I was indeed referring to adding a property to QuorumPeerConfig and have it exposed through QuorumPeer like we do with others. My sense is that some significant fraction of this community prefers to configure through a config file. If you still want to have a system property, then just use both. ZOOKEEPER-1552 is just an example in which I have used both. > Adding ability to allow READ operations for authenticated users, versus > keeping ACLs wide open for READ > -------------------------------------------------------------------------------------------------------- > > Key: ZOOKEEPER-1759 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759 > Project: ZooKeeper > Issue Type: Improvement > Components: server > Affects Versions: 3.4.5 > Environment: Java, SASL authentication, security > Reporter: Yuliya Feldman > Fix For: 3.5.0 > > Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, > ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch > > > Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients > access to the data based on ACLS set on znodes there is no other choice but > to set READ ACLs to be "world", "anyone" with the way how > {code:java} > public boolean matches(String id,String aclExpr) > {code} > is currently implemented. It means that any unauthenticated user can read the > data when application needs to make sure that not only creator of a znode can > read the content. > Proposal is to introduce new property: "zookeeper.readUser" that if incoming > id matches to the value of that property it will be allowed to proceed in > "match" method. > So creator of a znode instead of > {code:java} > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, > Ids.AUTH_IDS); > ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE); > {code} > will need to do > {code:java} > ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, > Ids.AUTH_IDS); > ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone")); > {code} > Assuming that value of "zookeeper.readUser" property was "anyone". > This way at least READ access on corresponding znode has to be authenticated. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira