Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 84298200C92 for ; Mon, 12 Jun 2017 11:40:50 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 82A1B160BD9; Mon, 12 Jun 2017 09:40:50 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id C8735160BD6 for ; Mon, 12 Jun 2017 11:40:49 +0200 (CEST) Received: (qmail 44909 invoked by uid 500); 12 Jun 2017 09:40:48 -0000 Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list dev@zookeeper.apache.org Received: (qmail 44892 invoked by uid 99); 12 Jun 2017 09:40:46 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 Jun 2017 09:40:46 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id A1371C02CA for ; Mon, 12 Jun 2017 09:40:45 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.998 X-Spam-Level: * X-Spam-Status: No, score=1.998 tagged_above=-999 required=6.31 tests=[HTML_MESSAGE=2, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id nOhk49BybgqT for ; Mon, 12 Jun 2017 09:40:41 +0000 (UTC) Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 3F6235FBE5 for ; Mon, 12 Jun 2017 09:40:40 +0000 (UTC) Received: from 172.30.72.57 (EHLO DGGEMA406-HUB.china.huawei.com) ([172.30.72.57]) by dggrg02-dlp.huawei.com (MOS 4.4.6-GA FastPath queued) with ESMTP id APF06112; Mon, 12 Jun 2017 17:40:30 +0800 (CST) Received: from DGGEMA501-MBX.china.huawei.com ([169.254.1.83]) by DGGEMA406-HUB.china.huawei.com ([10.3.20.47]) with mapi id 14.03.0301.000; Mon, 12 Jun 2017 17:40:21 +0800 From: bhupendra jain To: "dev@zookeeper.apache.org" Subject: Regarding Super user check inconsistency Thread-Topic: Regarding Super user check inconsistency Thread-Index: AdLjX9dks4bbHq3FRtC5f2FJYNYRsQ== Date: Mon, 12 Jun 2017 09:40:20 +0000 Message-ID: <2EC33BF9CF5EAF4399852F9B6F9E948E728C110B@DGGEMA501-MBX.china.huawei.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.18.152.114] Content-Type: multipart/alternative; boundary="_000_2EC33BF9CF5EAF4399852F9B6F9E948E728C110BDGGEMA501MBXchi_" MIME-Version: 1.0 X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090201.593E618F.0027,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=169.254.1.83, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 9e5f2aa1ba4f35bb8b3e22bcd2499172 archived-at: Mon, 12 Jun 2017 09:40:50 -0000 --_000_2EC33BF9CF5EAF4399852F9B6F9E948E728C110BDGGEMA501MBXchi_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable HI I have some doubts on the contract of super user in Zookeeper .. as I see= the c ode , Different auth provider has different mechanism to identify th= e super user. When ACL check happens, - Based on scheme "Super" it considers the user as super user. for (Id authId : ids) { if (authId.getScheme().equals("super")) { return; } } - If scheme is not super, then first it checks the permission and = then call the AuthProvider to validate the ACL for (ACL a : acl) { Id id =3D a.getId(); if ((a.getPerms() & perm) !=3D 0) { if (id.getScheme().equals("world") && id.getId().equals("anyone")) { return; } AuthenticationProvider ap =3D ProviderRegistry.getProvider(= id .getScheme()); if (ap !=3D null) { for (Id authId : ids) { if (authId.getScheme().equals(id.getScheme()) && ap.matches(authId.getId(), id.getId())) = { return; } } } } } In case scheme is SASL and its super user but ACL is not explicitly configu= red for that super user, the ACL check will not pass. But for Digest it wil= l pass even though ACL is not configured. I think , there should be separate super user check based on all the auth p= roviders. Current contract of each auth provider is as below : Digest : Based on superDigest configured, Sets the Scheme as "Super" SASL: checks the ACL based on zookeeper.superUser parameter and if user= name is "super" X509: Based on zookeeper.X509AuthenticationProvider.superUser configure= d , sets the scheme as "Super" IP: No super user concept Custom: Custom logic. One way is that custom auth provider sets the sch= eme as "super" So I think, - Either in AuthProvider interface we should have one more method = to let AuthProvider check whether user is super user boolean isSuperUser(Id authID); - OR each auth provider should set the scheme as "Super" for super= user and handle SASL as a special case. ( So in checkACL we need to have = specific validation for sasl) I think if we have a clear contract, then same can be added at all places f= or admin check such as this JIRA https://issues.apache.org/jira/browse/ZOO= KEEPER-2014 Regards Bhupendra ________________________________ This e-mail and its attachments contain confidential information from HUAWE= I, which is intended only for the person or entity whose address is listed = above. Any use of the information contained herein in any way (including, b= ut not limited to, total or partial disclosure, reproduction, or disseminat= ion) by persons other than the intended recipient(s) is prohibited. If you = receive this e-mail in error, please notify the sender by phone or email im= mediately and delete it! --_000_2EC33BF9CF5EAF4399852F9B6F9E948E728C110BDGGEMA501MBXchi_--