zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2709) Clarify documentation around "auth" ACL scheme
Date Tue, 07 Mar 2017 20:29:38 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900099#comment-15900099 ]

ASF GitHub Bot commented on ZOOKEEPER-2709:
-------------------------------------------

GitHub user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/182#discussion_r104770508
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml ---
    @@ -899,9 +899,16 @@
             single id, <emphasis>anyone</emphasis>, that represents
             anyone.</para></listitem>
     
    -        <listitem><para><emphasis role="bold">auth</emphasis>
doesn't
    -        use any id, represents any authenticated
    -        user.</para></listitem>
    +        <listitem><para><emphasis role="bold">auth</emphasis>
is a special
    +        scheme which ignores any provided ID and instead uses the current user,
    +        credentials, and scheme. Any ID (whether, 'user' like with SASL
    +        authentication or 'user:password' like with DIGEST authentication) provided is
ignored
    +        by the ZooKeeper server when persisting the ACL. However, the ID must be
    +        provided in the ACL because the ACL must match the form 'scheme:id:perms'.
    +        This scheme is provided as a convenience as it is a common use-case for
    +        a client to create a znode and then restrict access to that znode to only that
client.
    --- End diff --
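
Review bot: The added sentence ending "provided is ignored by the ZooKeeper server when persisting the ACL" says what is discarded but not what is stored in its place. The issue description says the confusion started with getACL output not matching what was expected, so add a sentence stating that the persisted ACL carries the scheme and id the session authenticated with, and that a later getACL returns that entry rather than the one submitted. Two smaller points in the same paragraph: "(whether, 'user' like with SASL" has a stray comma after "whether", and "uses the current user, credentials, and scheme" would be more precise as the identities the current session has authenticated with.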
    
    perhaps "only that user" would be clearer?


> Clarify documentation around "auth" ACL scheme
> ----------------------------------------------
>
>                 Key: ZOOKEEPER-2709
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2709
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: documentation
>            Reporter: Josh Elser
>            Priority: Minor
>
> We recently found out in HBASE-17717 that we were incorrectly setting an ACL on our "sensitive" znodes after the output of {{getACL}} on these nodes didn't match what was expected.
> In referencing the documentation about how the {{auth}} ACL scheme was supposed to work, it was unclear if it was a ZooKeeper bug or an HBase bug. After reading some ZooKeeper code, we found that it was an HBase bug, but it would be nice to clarify the docs around this ACL scheme.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
