drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5671) Set secure ACLs (Access Control List) for Drill ZK nodes in a secure cluster
Date Fri, 14 Jul 2017 19:09:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16087822#comment-16087822
] 

ASF GitHub Bot commented on DRILL-5671:
---------------------------------------

Github user paul-rogers commented on a diff in the pull request:

    https://github.com/apache/drill/pull/875#discussion_r127525830
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/coord/zk/ZKACLProviderFactory.java
---
    @@ -0,0 +1,44 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.drill.exec.coord.zk;
    +
    +import org.apache.curator.framework.api.ACLProvider;
    +import org.apache.curator.framework.imps.DefaultACLProvider;
    +import org.apache.drill.common.config.DrillConfig;
    +import org.apache.drill.exec.ExecConstants;
    +
    +
    +public class ZKACLProviderFactory {
    +
    +    static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(ZKACLProviderFactory.class);
    +
    +    public static ACLProvider getACLProvider(DrillConfig config, String clusterId, String
zkRoot) {
    +        if (config.getBoolean(ExecConstants.ZK_SECURE_ACL)) {
    +            if (config.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED)){
    +                logger.trace("ZKACLProviderFactory: Using secure ZK ACL");
    --- End diff --
    
    The logger inserts the class name for you; no need to repeat it here.


> Set secure ACLs (Access Control List) for Drill ZK nodes in a secure cluster
> ----------------------------------------------------------------------------
>
>                 Key: DRILL-5671
>                 URL: https://issues.apache.org/jira/browse/DRILL-5671
>             Project: Apache Drill
>          Issue Type: New Feature
>          Components:  Server
>            Reporter: Karthikeyan Manivannan
>            Assignee: Karthikeyan Manivannan
>
> All Drill ZK nodes, currently, are assigned a default [world:all] ACL i.e. anyone gets
to do CDRWA(create, delete, read, write, admin access). This means that even on a secure cluster
anyone can perform all CRDWA actions on the znodes. 
> This should be changed such that:
> - In a non-secure cluster, Drill will continue using the current default [world:all]
ACL
> - In a secure cluster, all nodes should have an [authid: all] ACL i.e. the authenticated
user that created the znode gets full access. The discovery znodes i.e. the znodes with the
list of Drillbits will have an additional [world:read] ACL, i.e. the list of Drillbits will
be readable by anyone. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message