From: "Eugene Koontz (JIRA)"
To: dev@zookeeper.apache.org
Date: Wed, 25 Sep 2013 16:10:07 +0000 (UTC)
Subject: [jira] [Commented] (ZOOKEEPER-1759) Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ

[ https://issues.apache.org/jira/browse/ZOOKEEPER-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13777686#comment-13777686 ]

Eugene Koontz commented on ZOOKEEPER-1759:
------------------------------------------

Looks good to me, Yuliya. +1 (nonbinding).
> Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ
> --------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-1759
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1759
> Project: ZooKeeper
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.5
> Environment: Java, SASL authentication, security
> Reporter: Yuliya Feldman
> Fix For: 3.5.0
>
> Attachments: ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch, ZOOKEEPER-1759.patch
>
>
> Today, when using SASLAuthenticationProvider to authenticate ZooKeeper clients' access to data based on the ACLs set on znodes, there is no choice but to set the READ ACL to "world", "anyone", given the way
> {code:java}
> public boolean matches(String id, String aclExpr)
> {code}
> is currently implemented. This means that any unauthenticated user can read the data, even when the application needs to make sure that more than just the creator of a znode can read the content.
> The proposal is to introduce a new property, "zookeeper.readUser": if the incoming id matches the value of that property, it will be allowed to proceed in the "matches" method.
> So the creator of a znode, instead of
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
> {code}
> will need to do
> {code:java}
> ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
> ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
> {code}
> assuming that the value of the "zookeeper.readUser" property is "anyone".
> This way, at least READ access on the corresponding znode has to be authenticated.
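The quoted proposal, as a simplified model added here (not ZooKeeper's own code, nor the attached patch): a `sasl` ACL entry whose id equals the configured `zookeeper.readUser` value is taken to match any authenticated SASL id, while a session that never completed SASL has no `sasl` id and therefore never reaches `matches()` for such an entry. The `Id`, `Acl`, `permitted` and `matchesWithReadUser` names, the sample principals and the `readUser` interpretation are assumptions of this example; it needs Java 16+ for records.

```java
import java.util.List;

// Simplified, hypothetical model of a ZooKeeper-style ACL check for the
// "sasl" scheme. Not ZooKeeper's own code. The readUser rule is the
// ZOOKEEPER-1759 proposal as interpreted here: an ACL id equal to the
// zookeeper.readUser value matches any authenticated SASL id.
public class ReadUserAclDemo {
    static final int READ = 1;
    static final int WRITE = 2;

    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // Pre-proposal behaviour: an exact id match is the only way to pass,
    // which is what forced READ ACLs onto world:anyone.
    static boolean matchesExact(String id, String aclExpr) {
        return id.equals(aclExpr);
    }

    // Proposed behaviour: exact match, or the ACL id is the configured readUser.
    // A null readUser (property unset) leaves the old behaviour unchanged.
    static boolean matchesWithReadUser(String id, String aclExpr, String readUser) {
        return matchesExact(id, aclExpr) || (readUser != null && readUser.equals(aclExpr));
    }

    // Mirrors the server-side loop: only session ids whose scheme equals the ACL
    // entry's scheme are compared, so a session without a "sasl" id (no SASL
    // handshake) is never matched against a sasl ACL entry at all.
    static boolean permitted(List<Acl> acls, List<Id> sessionIds, int perm, String readUser) {
        for (Acl a : acls) {
            if ((a.perms() & perm) == 0) continue;
            if (a.id().scheme().equals("world") && a.id().id().equals("anyone")) return true;
            for (Id s : sessionIds) {
                if (!s.scheme().equals(a.id().scheme())) continue;
                if (matchesWithReadUser(s.id(), a.id().id(), readUser)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String readUser = "anyone"; // constructed value of zookeeper.readUser
        List<Acl> acls = List.of(
            new Acl(WRITE, new Id("sasl", "alice@EXAMPLE.COM")),
            new Acl(READ, new Id("sasl", "anyone")));   // replaces world:anyone READ
        List<Id> alice = List.of(new Id("sasl", "alice@EXAMPLE.COM")); // constructed principals
        List<Id> bob = List.of(new Id("sasl", "bob@EXAMPLE.COM"));
        List<Id> anonymous = List.of(); // no SASL handshake, so no sasl id
        System.out.println("alice read: " + permitted(acls, alice, READ, readUser));
        System.out.println("bob read:   " + permitted(acls, bob, READ, readUser));
        System.out.println("bob write:  " + permitted(acls, bob, WRITE, readUser));
        System.out.println("anon read:  " + permitted(acls, anonymous, READ, readUser));
    }
}
```

Running it shows authenticated principals other than the creator gaining READ through the `sasl:anyone` entry while an unauthenticated session gets nothing, which is the distinction the old world:anyone READ ACL could not make.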