zookeeper-user mailing list archives

From Enrico Olivelli - Diennea <enrico.olive...@diennea.com>
Subject Understanding the auth: scheme
Date Fri, 09 Sep 2016 13:37:24 GMT
Hi,
I would like to set an ACL that lets every client read the content of a node and list its
children, and forces every write (setData, create children...) to be done by any authenticated
user.
Something like "everyone can read" and "only authenticated users can write".
I'm using SASL/Kerberos and ZooKeeper 3.4.8, with the Java Client API.

List<ACL> myACL = Arrays.<ACL>asList(
                new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS),
                new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE)
            );

I'm trying to use the 'auth' scheme on setACL, but it is substituted by the client ID.

Another useful setup for me, with Kerberos, would be to give access to the nodes only to
clients which have the same "user" in the principal.
My principals look like
user/HOST1@REALM
user/HOST2@REALM
user/HOST3@REALM

My ACL would be ZooDefs.Perms.ALL to user/****@REALM

Is it possible?


Another secondary question:
I see that for digest auth you can set up a "super user"
https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html

I cannot get the zookeeper.superUser system property to work with SASL/Kerberos.

Is it possible for SASL/Kerberos?


Thank you



--
Enrico Olivelli
Software Development Manager @Diennea
Tel.: (+39) 0546 066100 - Int. 925
Viale G.Marconi 30/14 - 48018 Faenza (RA)

MagNews - E-mail Marketing Solutions
http://www.magnews.it
Diennea - Digital Marketing Solutions
http://www.diennea.com


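
Added example, not part of the original message and not ZooKeeper's own server code: a simplified model of the substitution the message describes, where an `auth` entry is stored as the concrete identities of the session that set the ACL, so a second principal can read but not write. It assumes the ZooKeeper jar is on the classpath; the class and method names (`AuthSchemeExpansion`, `expand`, `allowed`) are hypothetical and the `sasl` identities are constructed from the principals quoted in the message.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
// Simplified model, NOT ZooKeeper's server code. Class and method names are hypothetical.
public class AuthSchemeExpansion {
    // Rewrites a requested ACL for a session authenticated as sessionIds.
    static List<ACL> expand(List<ACL> requested, List<Id> sessionIds) {
        List<ACL> stored = new ArrayList<>();
        for (ACL acl : requested) {
            if (!"auth".equals(acl.getId().getScheme())) {
                stored.add(acl); // world:anyone and other concrete ids are kept
                continue;
            }
            if (sessionIds.isEmpty()) {
                throw new IllegalStateException("auth ACL from unauthenticated session");
            }
            for (Id id : sessionIds) { // "auth" becomes one entry per session identity
                stored.add(new ACL(acl.getPerms(), id));
            }
        }
        return stored;
    }

    // True if an entry grants perm to world:anyone or to one of callerIds.
    static boolean allowed(List<ACL> stored, List<Id> callerIds, int perm) {
        for (ACL acl : stored) {
            boolean matches = "world".equals(acl.getId().getScheme()) || callerIds.contains(acl.getId());
            if (matches && (acl.getPerms() & perm) != 0) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<ACL> requested = Arrays.asList(
                new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS),
                new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
        // Constructed session identities, built from the principals in the message.
        List<Id> host1 = Arrays.asList(new Id("sasl", "user/HOST1@REALM"));
        List<Id> host2 = Arrays.asList(new Id("sasl", "user/HOST2@REALM"));
        List<ACL> stored = expand(requested, host1);
        System.out.println("stored: " + stored);
        System.out.println("HOST1 write: " + allowed(stored, host1, ZooDefs.Perms.WRITE));
        System.out.println("HOST2 write: " + allowed(stored, host2, ZooDefs.Perms.WRITE));
        System.out.println("HOST2 read: " + allowed(stored, host2, ZooDefs.Perms.READ));
    }
}
```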