zookeeper-dev mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
Date Wed, 25 Sep 2013 07:55:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13777241#comment-13777241 ]

Hadoop QA commented on ZOOKEEPER-1759:
--------------------------------------

+1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12604976/ZOOKEEPER-1759.patch
  against trunk revision 1524398.

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 3 new or modified tests.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed core unit tests.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1599//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1599//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/1599//console

This message is automatically generated.
                
> Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-1759
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.5
>         Environment: Java, SASL authentication, security
>            Reporter: Yuliya Feldman
>             Fix For: 3.5.0
>
>         Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today, when using SASLAuthenticationProvider to authenticate ZooKeeper clients' access to the data based on ACLs set on znodes, there is no other choice but to set READ ACLs to be "world", "anyone", given the way
> {code:java}
> public boolean matches(String id,String aclExpr)
> {code}
> is currently implemented. It means that any unauthenticated user can read the data when an application needs to make sure that not only the creator of a znode can read the content.
> The proposal is to introduce a new property, "zookeeper.readUser": if the incoming id matches the value of that property, it will be allowed to proceed in the "match" method.
> So the creator of a znode, instead of
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> assuming that the value of the "zookeeper.readUser" property was "anyone".
> This way at least READ access on corresponding znode has to be authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
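
Added example, not part of the original message and not the code of the ZOOKEEPER-1759 patch: a stand-alone model of the READ check that contrasts the two ACLs from the quoted description. The `Id` and `Acl` records, `saslMatches`, `canRead` and the sample identities are hypothetical, and the matching rule is an assumed reading of the proposal (any SASL-authenticated id matches when the ACL expression equals the `zookeeper.readUser` value).

```java
import java.util.List;

// Stand-alone model (Java 16+): Id and Acl are simplified stand-ins, not ZooKeeper classes.
public class ReadUserAclDemo {
    static final int READ = 1; // same bit as ZooDefs.Perms.READ

    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // ASSUMPTION: one reading of the proposal. A SASL id matches when it equals the
    // ACL expression, or when the ACL expression equals the zookeeper.readUser value.
    // The superuser branch of the real provider is left out.
    static boolean saslMatches(String id, String aclExpr) {
        if (id.equals(aclExpr)) return true;
        String readUser = System.getProperty("zookeeper.readUser");
        return readUser != null && aclExpr.equals(readUser);
    }

    // Simplified server-side READ check over a znode's ACL list.
    static boolean canRead(List<Acl> acls, List<Id> sessionIds) {
        for (Acl acl : acls) {
            if ((acl.perms() & READ) == 0) continue;
            Id aclId = acl.id();
            // world:anyone matches every session, authenticated or not.
            if (aclId.scheme().equals("world") && aclId.id().equals("anyone")) {
                return true;
            }
            // A sasl ACL only matches identities the session proved through SASL.
            for (Id auth : sessionIds) {
                if (aclId.scheme().equals("sasl") && auth.scheme().equals("sasl")
                        && saslMatches(auth.id(), aclId.id())) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.setProperty("zookeeper.readUser", "anyone");
        List<Acl> before = List.of(new Acl(READ, new Id("world", "anyone")));
        List<Acl> after = List.of(new Acl(READ, new Id("sasl", "anyone")));
        List<Id> noSasl = List.of(new Id("ip", "192.0.2.10"));               // constructed
        List<Id> withSasl = List.of(noSasl.get(0), new Id("sasl", "alice")); // constructed
        System.out.println("world:anyone, no SASL: " + canRead(before, noSasl));
        System.out.println("sasl:anyone,  no SASL: " + canRead(after, noSasl));
        System.out.println("sasl:anyone,  SASL id: " + canRead(after, withSasl));
    }
}
```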
