> On March 22, 2016, 7:23 p.m., Bill Farner wrote:
> > docs/security.md, line 289
> > <https://reviews.apache.org/r/45042/diff/4/?file=1310997#file1310997line289>
> >
> >     I'd like to propose several changes to this section, which I've made in the rewritten block below.
> >
> >     - Use consistent naming and proper nouns for projects (Thermos, ZooKeeper)
> >     - Link to latest version of ZooKeeper docs
> >     - Immediately link to relevant ZooKeeper ACL section
> >     - Describe how to enable the feature before describing the format of the ACL file
> >     - Use more accurate requirements level terminology, e.g. must/may/should (context reading http://tools.ietf.org/html/rfc2119)
> >
> >     ````
> >     # Announcer Authentication
> >     Nodes created by the Thermos executor may include ZooKeeper
> >     [ACLs](https://zookeeper.apache.org/doc/current/zookeeperProgrammers.html#sc_ZooKeeperAccessControl),
> >     which will specify the privileges of clients to perform different actions on these nodes. This
> >     feature is enabled by specifying an ACL configuration file to the executor with the
> >     `--announcer-zookeeper-auth-config` command line argument.
> >
> >     When this feature is _not_ enabled, nodes created by the executor will have 'world/all' permission
> >     (`ZOO_OPEN_ACL_UNSAFE`). In most production environments, operators should specify ACLs and
> >     limit access.
> >
> >     ## ACL configuration format
> >     The configuration file must be formatted as JSON with the following schema:
> >
> >     ```json
> >     [
> >       {
> >         "scheme": "<scheme>",
> >         "credential": "<credential>",
> >         "permissions": {
> >           "read": <bool>,
> >           "write": <bool>,
> >           "create": <bool>,
> >           "delete": <bool>,
> >           "admin": <bool>,
> >           "all": <bool>
> >         }
> >       }
> >     ]
> >     ```
> >
> >     The [scheme](http://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_BuiltinACLSchemes)
> >     defines the encoding of the `credential` field. Note that these fields are passed directly to
> >     ZooKeeper. If a scheme is used that requires credential hashing, the value of the `credential`
> >     field must be hashed (i.e. the executor will not hash this value).
> >
> >     All properties of the `permissions` object will default to `False` if not provided.
> >     ````
Formatting was broken above due to nested preformatted text, but it should be relatively close to being copy/paste-able.

- Bill

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45042/#review124935
-----------------------------------------------------------

On March 22, 2016, 11:51 a.m., Kunal Thakar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45042/
> -----------------------------------------------------------
>
> (Updated March 22, 2016, 11:51 a.m.)
>
>
> Review request for Aurora, Bill Farner and Zameer Manji.
>
>
> Repository: aurora
>
>
> Description
> -------
>
> Add ACL support for announcer
> https://issues.apache.org/jira/browse/AURORA-1643
>
> Adding support for service discovery ZK authentication. ZK authentication secrets should be stored in a file as json (as follows):
> ```json
> {
>   "scheme": "<scheme>",
>   "credential": "<credential>",
>   "permissions": {
>     "read": <bool>,
>     "write": <bool>,
>     "create": <bool>,
>     "delete": <bool>,
>     "admin": <bool>,
>     "all": <bool>
>   }
> }
> ```
>
>
> Diffs
> -----
>
>   RELEASE-NOTES.md 6e9364e34db6dbb270468db3ff333b956c6bf9f3
>   docs/security.md 32bea426fbceec83187e851a5db11e82df55e962
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 6634506108c346f8c23b2da7cc8d20d09d07d590
>   src/main/python/apache/aurora/executor/common/announcer.py 79a9cfb6ac3a8444f09fb3658e6e859e06941ba4
>   src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py e9f7851292aef3a36da5da9b0fc333a7e7750cf3
>   src/test/python/apache/aurora/executor/common/test_announcer.py 142b58d5e577c9f4b8e2ae8473cffdea94eba21f
>
> Diff: https://reviews.apache.org/r/45042/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Kunal Thakar
>
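As an added example, not Aurora's announcer code and not part of this review: a small Python checker an operator could run over an ACL file in the JSON-array schema quoted in Bill's rewritten block. It assumes ZooKeeper's permission bit values (read=1, write=2, create=4, delete=8, admin=16, all=31) and ZooKeeper's `digest` credential format `user:base64(sha1("user:password"))`; the user name, password and sample config are constructed placeholders. Since the thread states the executor passes the credential through unhashed, the checker rejects a `digest` entry whose credential is not already a hashed value, and it also flags entries that give `world:anyone` more than read, which is the shape of the `ZOO_OPEN_ACL_UNSAFE` default the feature is meant to replace.

```python
"""Validate an announcer ACL config file (added example; assumptions noted in comments)."""
import base64
import binascii
import hashlib
import json

# ZooKeeper permission bits (assumed from ZooDefs.Perms).
PERM_BITS = {"read": 1, "write": 2, "create": 4, "delete": 8, "admin": 16}
PERM_ALL = 31  # read | write | create | delete | admin
PERMISSION_KEYS = frozenset(PERM_BITS) | {"all"}

# Constructed placeholders, not real secrets.
SAMPLE_USER = "aurora"
SAMPLE_PASSWORD = "example-password"


def digest_credential(user: str, password: str) -> str:
    """Pre-hash a credential for the 'digest' scheme: user:base64(sha1("user:password")).

    The executor passes this field straight to ZooKeeper, so the file must hold
    the hashed form, never the plaintext password.
    """
    digest = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(digest).decode()}"


def looks_hashed(credential: str) -> bool:
    """True if credential is 'user:<base64 of a 20-byte SHA-1 digest>'."""
    user, sep, encoded = credential.partition(":")
    if not user or not sep:
        return False
    try:
        return len(base64.b64decode(encoded, validate=True)) == 20
    except (binascii.Error, ValueError):
        return False


def permission_bits(permissions: dict) -> int:
    """Fold a permissions object into a perm mask; keys not present default to False."""
    bits = 0
    for key, value in permissions.items():
        if key not in PERMISSION_KEYS:
            raise ValueError(f"unknown permission {key!r}")
        if not isinstance(value, bool):
            raise ValueError(f"permission {key!r} must be a JSON boolean")
        if value:
            bits |= PERM_ALL if key == "all" else PERM_BITS[key]
    return bits


def parse_acl_config(text: str) -> list:
    """Parse the JSON array into (scheme, credential, perm_mask) tuples.

    Rejects 'digest' entries whose credential is not already hashed.
    """
    entries = json.loads(text)
    if not isinstance(entries, list) or not entries:
        raise ValueError("ACL config must be a non-empty JSON array")
    acls = []
    for entry in entries:
        scheme, credential = entry["scheme"], entry["credential"]
        if scheme == "digest" and not looks_hashed(credential):
            raise ValueError("digest credential must be pre-hashed: user:base64(sha1(user:password))")
        acls.append((scheme, credential, permission_bits(entry.get("permissions", {}))))
    return acls


def unsafe_world_entries(acls: list) -> list:
    """Entries that grant world:anyone anything beyond read (the ZOO_OPEN_ACL_UNSAFE shape)."""
    return [a for a in acls if a[0] == "world" and a[1] == "anyone" and a[2] & ~PERM_BITS["read"]]


# Constructed sample config in the reviewed schema: one hashed digest identity with
# all permissions, plus read-only access for everyone.
SAMPLE_CONFIG = json.dumps([
    {"scheme": "digest", "credential": digest_credential(SAMPLE_USER, SAMPLE_PASSWORD),
     "permissions": {"all": True}},
    {"scheme": "world", "credential": "anyone", "permissions": {"read": True}},
])

# Constructed misconfiguration: plaintext password where a hashed digest is required.
UNSAFE_CONFIG = '[{"scheme": "digest", "credential": "aurora:example-password"}]'

if __name__ == "__main__":
    acls = parse_acl_config(SAMPLE_CONFIG)
    print(acls, "unsafe world entries:", unsafe_world_entries(acls))
```

The `looks_hashed` check only proves the field has the shape of a digest, not that the password behind it is strong; pairing it with `unsafe_world_entries` catches the two mistakes the thread warns about (an unhashed credential, and leaving nodes world-writable).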