zookeeper-dev mailing list archives

From "Eugene Koontz (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
Date Tue, 24 Sep 2013 17:36:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13776531#comment-13776531 ]

Eugene Koontz commented on ZOOKEEPER-1759:
------------------------------------------

Hi Camille, thanks for bringing this to my attention. Yuliya, two questions:

1) I don't think the property name "zookeeper.readUser" is meaningful - in this code that
you added to matches():

{code}
        String readAccessUser = System.getProperty("zookeeper.readUser");
        if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
          return true;
        }
{code}

Above, there is no check for whether the user wants to specifically read as opposed to any
other action.

For example, if a) and b) are true:

a) I add an ACL: ((Perms.READ | Perms.WRITE), new Id("sasl", "anyone"))

and 

b) the property "zookeeper.readUser" is set to "anyone"

then this user can read *and* write to the node. So it seems like you could call the property
"zookeeper.x-User" just as well: it's the ACL on the node, not the property, that determines
what set of actions x the user defined by this property can do.

2) I'm not sure that this change adds any new authorization restrictions - it seems the
same as simply making a node world-readable. What if a user is not SASL-authenticated? Won't
the new code that you added in matches():

{code}
        String readAccessUser = System.getProperty("zookeeper.readUser");
        if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
          return true;
        }
{code}

simply return true regardless of whether the client is SASL-authenticated or not, if a given
node is set to ACL(Perms.READ, new Id("sasl", "anyone")), and zookeeper.readUser is set to
"anyone"?

I might be wrong - but either way, the question could be resolved with an additional unit
test, which clarifies what the permissions are of a non-SASL-authenticated user when the user
attempts to read a node which has:

a) ACL(Perms.READ, new Id("sasl", "anyone"))
b) has no other permissions (e.g. not world-readable).


-Eugene
                
> Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1759
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.5
>         Environment: Java, SASL authentication, security
>            Reporter: Yuliya Feldman
>             Fix For: 3.5.0
>
>         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients access to the data based on ACLs set on znodes there is no other choice but to set READ ACLs to be "world", "anyone" with the way how
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the data when application needs to make sure that not only creator of a znode can read the content.
> Proposal is to introduce new property: "zookeeper.readUser" that if incoming id matches to the value of that property it will be allowed to proceed in "match" method.
> So creator of a znode instead of 
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> Assuming that value of "zookeeper.readUser" property was "anyone".
> This way at least READ access on corresponding znode has to be authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
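
The unit test requested in the comment above can be modelled without a ZooKeeper server. This is an added example, not code from the patch or from ZooKeeper: `Id`, `Acl`, `allowed()` and the permission bits are simplified stand-ins, and it assumes that the caller invokes `matches()` only for ids the client authenticated under the ACL entry's scheme and that the provider's base rule is an exact name match.

```java
import java.util.List;
// Added example: a stand-alone model (Java 16+), not ZooKeeper code. Perm bits, Id, Acl
// and allowed() are simplified stand-ins; only the extra branch in matches() is the patch's.
public class ReadUserAclModel {
    static final int READ = 1, WRITE = 2;
    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // matches() with the patch's branch; the exact-name base rule is an assumption.
    static boolean matches(String id, String aclExpr) {
        String readAccessUser = System.getProperty("zookeeper.readUser");
        if (readAccessUser != null && aclExpr.equals(readAccessUser)) {
            return true; // looks at neither the requested permission nor the client id
        }
        return id.equals(aclExpr);
    }

    // Assumed caller: matches() runs only for ids the client authenticated
    // under the same scheme as the ACL entry.
    static boolean allowed(List<Acl> acls, List<Id> clientIds, int perm) {
        for (Acl a : acls) {
            if ((a.perms() & perm) == 0) continue;
            for (Id c : clientIds) {
                if (c.scheme().equals(a.id().scheme()) && matches(c.id(), a.id().id())) {
                    return true;
                }
            }
        }
        return false;
    }

    static void check(String name, boolean actual, boolean expected) {
        if (actual != expected) throw new AssertionError(name);
        System.out.println(name + " = " + actual);
    }

    public static void main(String[] args) {
        System.setProperty("zookeeper.readUser", "anyone");
        List<Id> saslClient = List.of(new Id("sasl", "alice"));   // constructed
        List<Id> plainClient = List.of(new Id("ip", "10.0.0.5")); // constructed, no SASL id
        // Point 1: the ACL's perms, not the property name, decide what "anyone" may do.
        List<Acl> readWrite = List.of(new Acl(READ | WRITE, new Id("sasl", "anyone")));
        check("sasl client WRITE on READ|WRITE node", allowed(readWrite, saslClient, WRITE), true);
        // Point 2: the requested test, a node with READ for sasl:anyone and nothing else.
        List<Acl> readOnly = List.of(new Acl(READ, new Id("sasl", "anyone")));
        check("sasl client READ", allowed(readOnly, saslClient, READ), true);
        check("sasl client WRITE", allowed(readOnly, saslClient, WRITE), false);
        check("non-SASL client READ", allowed(readOnly, plainClient, READ), false);
    }
}
```

The last check holds only under the scheme-filtering assumption in `allowed()`; a test against the real server is what settles the question for ZooKeeper itself.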
