zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bhupendra jain <bhupendra.j...@huawei.com>
Subject Regarding Super user check inconsistency
Date Mon, 12 Jun 2017 09:40:20 GMT
HI
I have some doubts on  the contract of super user in Zookeeper ..  as I see the c ode , Different
auth provider has different mechanism to identify the super user.

When ACL check happens,

-          Based on scheme "Super" it considers the user as super user.

for (Id authId : ids) {

            if (authId.getScheme().equals("super")) {

                return;

            }

        }

-          If scheme is not super, then first it checks the permission and then call the AuthProvider
to validate the ACL

for (ACL a : acl) {

            Id id = a.getId();

            if ((a.getPerms() & perm) != 0) {

                if (id.getScheme().equals("world")

                        && id.getId().equals("anyone")) {

                    return;

                }

                AuthenticationProvider ap = ProviderRegistry.getProvider(id

                        .getScheme());

                if (ap != null) {

                    for (Id authId : ids) {

                        if (authId.getScheme().equals(id.getScheme())

                                && ap.matches(authId.getId(), id.getId())) {

                            return;

                        }

                    }

                }

            }

        }



In case scheme is SASL and its super user but ACL is not explicitly configured for that super
user, the ACL check will not pass. But for Digest it will pass even though ACL is not configured.

I think , there should be separate super user check based on all the auth providers.  Current
contract of each auth provider is as below :

Digest : Based on superDigest configured, Sets the Scheme as "Super"
SASL:     checks the ACL based on zookeeper.superUser parameter and if user name is "super"
X509:     Based on zookeeper.X509AuthenticationProvider.superUser configured , sets the scheme
as "Super"
IP:   No super user concept
Custom:   Custom logic.   One way is that custom auth provider sets the scheme as "super"

So I think,

-          Either in AuthProvider interface we should have one more method to let AuthProvider
check whether user is super user

boolean isSuperUser(Id authID);

-          OR each auth provider should set the scheme as "Super" for super user and handle
SASL as a special case.  ( So in checkACL we need to have specific validation for sasl)


I think if we have a clear contract, then same can be added at all places for admin check
such as this JIRA  https://issues.apache.org/jira/browse/ZOOKEEPER-2014

Regards
Bhupendra


________________________________
This e-mail and its attachments contain confidential information from HUAWEI, which is intended
only for the person or entity whose address is listed above. Any use of the information contained
herein in any way (including, but not limited to, total or partial disclosure, reproduction,
or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive
this e-mail in error, please notify the sender by phone or email immediately and delete it!



Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message