[
https://issues.apache.org/jira/browse/DRILL-5671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16087819#comment-16087819
]
ASF GitHub Bot commented on DRILL-5671:
---------------------------------------
Github user paul-rogers commented on a diff in the pull request:
https://github.com/apache/drill/pull/875#discussion_r127528429
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/coord/zk/ZKSecureACLProvider.java
---
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.drill.exec.coord.zk;
+
+import com.google.common.collect.ImmutableList;
+import org.apache.curator.framework.api.ACLProvider;
+import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.data.ACL;
+
+import java.util.List;
+
+/**
+ * ZKSecureACLProvider restricts access to znodes created by Drill in a
secure installation.
+ *
+ * The cluster discovery znode i.e. the znode containing the list of
Drillbits is
+ * readable by anyone.
+ *
+ * For all other znodes, only the creator of the znode, i.e the Drillbit
user, has full access.
+ *
+ */
+
+public class ZKSecureACLProvider implements ACLProvider {
+
+ static final org.slf4j.Logger logger =
org.slf4j.LoggerFactory.getLogger(ZKSecureACLProvider.class);
+
+ /**
+ * DEFAULT_ACL gives the creator of a znode full-access to it
+ */
+ static ImmutableList<ACL> DEFAULT_ACL = new
ImmutableList.Builder<ACL>()
+
.addAll(Ids.CREATOR_ALL_ACL.iterator())
+ .build();
+ /**
+ * DRILL_CLUSTER_ACL gives the creator full access and everyone else
only read access.
+ * Used on the Drillbit discovery znode (znode path
/<drill.exec.zk.root>/<drill.exec.cluster-id>)
+ * i.e. the node that contains the list of Drillbits in the cluster.
+ */
+ static ImmutableList<ACL> DRILL_CLUSTER_ACL = new
ImmutableList.Builder<ACL>()
+
.addAll(Ids.READ_ACL_UNSAFE.iterator())
+
.addAll(Ids.CREATOR_ALL_ACL.iterator())
+ .build();
+ final String clusterName;
+ final String drillZkRoot;
+ final String drillClusterPath;
+
+ public ZKSecureACLProvider(String clusterName, String drillZKRoot) {
+ this.clusterName = clusterName;
+ this.drillZkRoot = drillZKRoot;
+ this.drillClusterPath = "/" + this.drillZkRoot + "/" +
this.clusterName ;
+ }
+
+ public List<ACL> getDefaultAcl() {
+ return DEFAULT_ACL;
+ }
+
+ public List<ACL> getAclForPath(String path) {
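Review bot: `DEFAULT_ACL` and `DRILL_CLUSTER_ACL` are declared `static` but not `final`, and both they and the three `String` fields are package-private, so any class in `org.apache.drill.exec.coord.zk` can reassign the ACL lists that this provider hands to Curator; declare them `private static final` (the `ImmutableList` already makes the contents immutable, the reference should be too). The constructor also builds `drillClusterPath` by plain concatenation, `"/" + this.drillZkRoot + "/" + this.clusterName`, so a `drill.exec.zk.root` configured with a leading or trailing slash produces `//` in the path and the comparison in `getAclForPath` would silently fall through to the creator-only ACL for the discovery znode; normalize the two inputs before joining them, and add a unit test for both spellings. Finally, since `Ids.CREATOR_ALL_ACL` grants to the `auth` scheme, znode creation through this provider only succeeds on a session that has authenticated; the class Javadoc should say so explicitly.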
--- End diff --
This approach encodes the meaning of paths in just the path name. Seems
fragile.
Alternatives:
* Register the secure (or insecure) paths so that the ZK cluster
coordinator (not this class) decides on security.
* Get ACL based on type: `getSecureACL()` or `getPublicACL()`, and let the
cluster coordinator define which is which.
* As a refinement of the first idea, provide some kind of config option to
externalize the set of paths and their security.
For example, in Drill-on-YARN, the app master creates ZK entries to ensure
that only one app master starts per cluster. We would not want to encode that
path information here.
> Set secure ACLs (Access Control List) for Drill ZK nodes in a secure cluster
> ----------------------------------------------------------------------------
>
> Key: DRILL-5671
> URL: https://issues.apache.org/jira/browse/DRILL-5671
> Project: Apache Drill
> Issue Type: New Feature
> Components: Server
> Reporter: Karthikeyan Manivannan
> Assignee: Karthikeyan Manivannan
>
> All Drill ZK nodes, currently, are assigned a default [world:all] ACL i.e.
> anyone gets to do CDRWA(create, delete, read, write, admin access). This
> means that even on a secure cluster anyone can perform all CDRWA actions on
> the znodes.
> This should be changed such that:
> - In a non-secure cluster, Drill will continue using the current default
> [world:all] ACL
> - In a secure cluster, all nodes should have an [authid: all] ACL i.e. the
> authenticated user that created the znode gets full access. The discovery
> znodes i.e. the znodes with the list of Drillbits will have an additional
> [world:read] ACL, i.e. the list of Drillbits will be readable by anyone.
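The following is an added example, not code from the pull request or from the Drill project. It sketches the reviewer's second alternative (the cluster coordinator registers which paths are public, and the provider hands out a secure or a public ACL by type rather than by parsing the path) while producing the ACLs the issue description asks for: the authenticated creator gets full access everywhere, and registered discovery paths additionally get world read. The class name `RegisteredPathACLProvider`, the `registerPublicPath` method and the sample znode paths are assumptions made for illustration; the only external types used are Curator's `ACLProvider` interface and ZooKeeper's `ZooDefs.Ids`, `ZooDefs.Perms` and `ACL`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.apache.curator.framework.api.ACLProvider;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;

/**
 * Hypothetical ACLProvider (not Drill's): the owner of each path registers
 * it as public; every unregistered path falls back to a creator-only ACL.
 */
public class RegisteredPathACLProvider implements ACLProvider {

  /** Paths registered by the coordinator as world-readable. */
  private final Set<String> publicPaths =
      Collections.synchronizedSet(new LinkedHashSet<String>());

  /** auth:all -> the authenticated creator gets cdrwa; nobody else sees the znode. */
  private static final List<ACL> SECURE_ACL =
      Collections.unmodifiableList(new ArrayList<ACL>(Ids.CREATOR_ALL_ACL));

  /** Same as SECURE_ACL plus world:anyone=r. */
  private static final List<ACL> PUBLIC_ACL;
  static {
    List<ACL> acl = new ArrayList<ACL>(Ids.CREATOR_ALL_ACL);
    acl.addAll(Ids.READ_ACL_UNSAFE);
    PUBLIC_ACL = Collections.unmodifiableList(acl);
  }

  /** Called by the coordinator for znodes whose contents may be read by anyone. */
  public void registerPublicPath(String path) {
    publicPaths.add(normalize(path));
  }

  @Override
  public List<ACL> getDefaultAcl() {
    return SECURE_ACL;
  }

  @Override
  public List<ACL> getAclForPath(String path) {
    return publicPaths.contains(normalize(path)) ? PUBLIC_ACL : SECURE_ACL;
  }

  /** Drop one trailing slash so "/drill/cluster/" and "/drill/cluster" match. */
  private static String normalize(String path) {
    return (path.length() > 1 && path.endsWith("/"))
        ? path.substring(0, path.length() - 1) : path;
  }

  /** Render an ACL list as "scheme:id=perms" so the result can be inspected. */
  static String describe(List<ACL> acls) {
    StringBuilder sb = new StringBuilder();
    for (ACL acl : acls) {
      if (sb.length() > 0) sb.append(", ");
      sb.append(acl.getId().getScheme()).append(':').append(acl.getId().getId())
        .append('=').append(permsToString(acl.getPerms()));
    }
    return sb.toString();
  }

  /** Map the ZooKeeper permission bit set to the usual cdrwa letters. */
  static String permsToString(int perms) {
    StringBuilder sb = new StringBuilder();
    if ((perms & Perms.CREATE) != 0) sb.append('c');
    if ((perms & Perms.DELETE) != 0) sb.append('d');
    if ((perms & Perms.READ) != 0) sb.append('r');
    if ((perms & Perms.WRITE) != 0) sb.append('w');
    if ((perms & Perms.ADMIN) != 0) sb.append('a');
    return sb.toString();
  }

  public static void main(String[] args) {
    RegisteredPathACLProvider provider = new RegisteredPathACLProvider();
    // Constructed sample paths: a discovery znode shaped like
    // /<drill.exec.zk.root>/<drill.exec.cluster-id>, and a hypothetical
    // app-master lock of the kind the reviewer mentions for Drill-on-YARN.
    String discovery = "/drill/drillbits1/";
    String appMasterLock = "/drill/drillbits1/am-lock";
    provider.registerPublicPath(discovery);

    System.out.println(discovery + " -> " + describe(provider.getAclForPath(discovery)));
    System.out.println(appMasterLock + " -> " + describe(provider.getAclForPath(appMasterLock)));
  }
}
```

Running `main` prints `auth:=cdrwa, world:anyone=r` for the registered discovery path and only `auth:=cdrwa` for the unregistered lock path, so a path that nobody registered is private by default rather than silently public. Two caveats worth keeping in mind when wiring a provider like this into Curator: `Ids.CREATOR_ALL_ACL` uses the `auth` scheme, so a session that has not authenticated (SASL or digest) gets `InvalidACLException` on create, which is the desired failure in a secure cluster but surprises anyone testing against a plain ZooKeeper; and ZooKeeper ACLs are not inherited, so each child znode is evaluated by `getAclForPath` on its own, which is why the coordinator must register every public path explicitly.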
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)