[
https://issues.apache.org/jira/browse/ZOOKEEPER-2709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901725#comment-15901725
]
ASF GitHub Bot commented on ZOOKEEPER-2709:
-------------------------------------------
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/182#discussion_r104987220
--- Diff: src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml
---
@@ -899,9 +899,16 @@
single id, <emphasis>anyone</emphasis>, that represents
anyone.</para></listitem>
- <listitem><para><emphasis role="bold">auth</emphasis> doesn't
- use any id, represents any authenticated
- user.</para></listitem>
+ <listitem><para><emphasis role="bold">auth</emphasis> is a special
+ scheme which ignores any provided ID and instead uses the current
user,
+ credentials, and scheme. Any ID (whether, 'user' like with SASL
+ authentication or 'user:password' like with DIGEST authentication)
provided is ignored
+ by the ZooKeeper server when persisting the ACL. However, the ID
must be
+ provided in the ACL because the ACL must match the form
'scheme:id:perms'.
+ This scheme is provided as a convenience as it is a common
use-case for
+ a client to create a znode and then restrict access to that znode
to only that client.
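Review bot: The added auth paragraph says the server ignores the provided ID "when persisting the ACL" but never says what a client then gets back from getACL, which is the mismatch the issue description reports from HBASE-17717. Consider adding a sentence stating that the ACL read back carries the client's own authenticated scheme and ID rather than the auth entry as submitted. Separately, "Any ID (whether, 'user' like with SASL" has a stray comma after "whether". The visible lines also do not show the closing para and listitem tags for the new entry, so check that the new text is closed the same way the removed lines were.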
--- End diff --
Avoiding the word "user" was intentional as a nod to some of the other auth
schemes (e.g. the IP address one), but maybe that just creates more confusion
than it's worth.
> Clarify documentation around "auth" ACL scheme
> ----------------------------------------------
>
> Key: ZOOKEEPER-2709
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2709
> Project: ZooKeeper
> Issue Type: Task
> Components: documentation
> Reporter: Josh Elser
> Priority: Minor
>
> We recently found out in HBASE-17717 that we were incorrectly setting an ACL
> on our "sensitive" znodes after the output of {{getACL}} on these nodes
> didn't match what was expected.
> In referencing the documentation about how the {{auth}} ACL scheme was
> supposed to work, it was unclear if it was a ZooKeeper bug or an HBase bug.
> After reading some ZooKeeper code, we found that it was an HBase bug, but it
> would be nice to clarify the docs around this ACL scheme.