zookeeper-user mailing list archives

From Enrico Olivelli - Diennea <enrico.olive...@diennea.com>
Subject Re: Understanding the auth: scheme
Date Fri, 09 Sep 2016 15:10:18 GMT
Thank you Arshad

On Fri, 09/09/2016 at 20.04 +0530, Arshad Mohammad wrote:

1) "every one can read" and "only authenticated users can write"
No, it is not possible.
a) When you set an auth ACL, the ACLs are set for the authorized users in the current
session, not for future authorized users.
The auth scheme is replaced with the authentication schemes of the authorized users.
b) For {world, anyone} ACLs, permissions are not checked. {world, anyone}
cannot be limited to only read permission.



It's clear. Thanks



2) Give access to user in principal user/HOST1@REALM
This you can do, but not the way you are doing right now.
a) On all ZooKeeper servers, configure the properties below to ignore the host
and realm part of the principal. These properties should be configured in
zoo.cfg:
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
b) Your permission should be ACL(ZooDefs.Perms.ALL, new Id("sasl", "user"))
instead of ACL(ZooDefs.Perms.ALL, new Id("sasl", "user/**@REALM"))



This solution is working for me.

Thank you very much



3) SASL Kerberos super user
The zookeeper.superUser property works with the SASL Kerberos authentication scheme
as well.




- Arshad

On Fri, Sep 9, 2016 at 7:07 PM, Enrico Olivelli - Diennea <enrico.olivelli@diennea.com> wrote:



Hi,
I would like to set an ACL that lets every client read the content of a
node and list its children, and forces every write (setData, create
children...) to be done by an authenticated user.
Something like "every one can read" and "only authenticated users can
write"
I'm using SASL/Kerberos and Zookeeper 3.4.8, with the Java Client API

// AUTH_IDS and ANYONE_ID_UNSAFE are the constants from ZooDefs.Ids
List<ACL> myACL = Arrays.<ACL>asList(
        new ACL(ZooDefs.Perms.ALL, AUTH_IDS),
        new ACL(ZooDefs.Perms.READ, ANYONE_ID_UNSAFE)
);

I'm trying to use the 'auth' scheme on setACL, but it is substituted by
the client ID

Another useful setup for me, with Kerberos, would be to give access to
the nodes only to clients which have the same "user" in the principal.
My principals look like
user/HOST1@REALM
user/HOST2@REALM
user/HOST3@REALM

My ACL would be ZooDefs.Perms.ALL to user/**@REALM

is it possible ?


Another secondary question
I see that for digest auth you can set up a "super user"
https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html

I cannot get zookeeper.superUser system property to work with SASL/Kerberos

is it possible for SASL/Kerberos ?


Thank you



--
Enrico Olivelli
Software Development Manager @Diennea
Tel.: (+39) 0546 066100 - Int. 925
Viale G.Marconi 30/14 - 48018 Faenza (RA)

MagNews - E-mail Marketing Solutions
http://www.magnews.it
Diennea - Digital Marketing Solutions
http://www.diennea.com


________________________________

Iscriviti alla nostra newsletter per rimanere aggiornato su digital ed
email marketing! http://www.magnews.it/newsletter/

The information in this email is confidential and may be legally
privileged. If you are not the intended recipient please notify the sender
immediately and destroy this email. Any unauthorized, direct or indirect,
disclosure, copying, storage, distribution or other use is strictly
forbidden.



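The three answers in the thread (the "auth" scheme being replaced by the calling session's ids at setACL time, the host/realm stripping that makes one sasl:user entry cover user/HOST1@REALM, user/HOST2@REALM and so on, and the zookeeper.superUser bypass) can be stepped through offline with the small Python model below. It is added here as an illustration; it is not ZooKeeper's code and was not posted by anyone in the thread. ServerConfig, walkthrough, the sample principals and the field names are the model's own. Two points are the model's assumptions rather than something the thread states: the permission bits of a world:anyone entry are tested like any other entry's (so world:anyone:r grants only READ, which is how I read the server's checkACL, and worth verifying against your version), and zookeeper.superUser is compared against the id after host/realm shortening.

```python
"""Toy model of ZooKeeper ACL evaluation, written for this thread (it is not
ZooKeeper's code). It re-implements what the answers above describe:
  * an "auth" entry is expanded, at setACL time, into the ids of the session
    making the call; a later session with another principal gets nothing;
  * user/HOST@REALM is shortened before it becomes the "sasl" id, controlled
    by the removeHost/removeRealm settings;
  * an id equal to zookeeper.superUser also carries a "super" id that
    bypasses the ACL check.
Model assumptions: permission bits are checked for every entry, world:anyone
included; superUser is compared with the shortened id.
"""
from collections import namedtuple
from dataclasses import dataclass

READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16  # ZooDefs.Perms values
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# Field names are the model's own; they stand for kerberos.removeHostFromPrincipal,
# kerberos.removeRealmFromPrincipal and zookeeper.superUser.
ServerConfig = namedtuple("ServerConfig", "remove_host remove_realm super_user",
                          defaults=(False, False, None))


@dataclass(frozen=True)
class Id:
    scheme: str
    id: str


@dataclass(frozen=True)
class ACL:
    perms: int
    id: Id


WORLD_ANYONE = Id("world", "anyone")  # ZooDefs.Ids.ANYONE_ID_UNSAFE
AUTH_IDS = Id("auth", "")             # ZooDefs.Ids.AUTH_IDS


def normalize_principal(principal, remove_host, remove_realm):
    """Split user/HOST@REALM and rebuild it without the dropped parts."""
    name, _, realm = principal.partition("@")
    short, _, host = name.partition("/")
    out = short
    if host and not remove_host:
        out += "/" + host
    if realm and not remove_realm:
        out += "@" + realm
    return out


def session_ids(principal, cfg):
    """Ids a session carries after SASL/Kerberos authentication as `principal`."""
    sasl = Id("sasl", normalize_principal(principal, cfg.remove_host, cfg.remove_realm))
    ids = [sasl]
    if cfg.super_user is not None and sasl.id == cfg.super_user:
        ids.append(Id("super", ""))  # model assumption: compared after shortening
    return ids


def fixup_acl(acl, ids):
    """ACL the server stores for a create/setACL issued by a session holding `ids`."""
    out = []
    for entry in acl:
        if entry.id.scheme != "auth":
            out.append(entry)
            continue
        # 'auth' becomes one entry per authenticated id of the caller, right now.
        expanded = [ACL(entry.perms, i) for i in ids if i.scheme != "super"]
        if not expanded:
            raise ValueError("InvalidACL: 'auth' used by an unauthenticated session")
        out.extend(expanded)
    return out


def check_acl(acl, perm, ids):
    """True if a session holding `ids` may perform `perm` on a node with `acl`."""
    if not acl or any(i.scheme == "super" for i in ids):
        return True  # open node, or zookeeper.superUser bypass
    for entry in acl:
        if not (entry.perms & perm):
            continue  # this entry does not grant the requested bit
        if entry.id == WORLD_ANYONE or entry.id in ids:
            return True  # anyone, or an exact scheme:id match (sasl)
    return False


def walkthrough():
    """Both questions from the thread; the principals are constructed sample data."""
    plain = ServerConfig()
    stripped = ServerConfig(remove_host=True, remove_realm=True)
    # Q1: 'auth' expands to the ids of the session that sets the ACL, nothing more.
    host1 = session_ids("user/HOST1@REALM", plain)
    stored = fixup_acl([ACL(ALL, AUTH_IDS), ACL(READ, WORLD_ANYONE)], host1)
    host2 = session_ids("user/HOST2@REALM", plain)
    # Q2: with host and realm stripped, one sasl:user entry covers every host.
    per_user = [ACL(ALL, Id("sasl", "user")), ACL(READ, WORLD_ANYONE)]
    admin = session_ids("admin/HOST9@REALM", ServerConfig(True, True, "admin"))
    return {
        "stored_ids": [a.id for a in stored],
        "host1_write": check_acl(stored, WRITE, host1),
        "host2_write": check_acl(stored, WRITE, host2),
        "anon_read": check_acl(stored, READ, []),
        "anon_write": check_acl(stored, WRITE, []),
        "host2_write_stripped": check_acl(per_user, WRITE, session_ids("user/HOST2@REALM", stripped)),
        "other_write_stripped": check_acl(per_user, WRITE, session_ids("other/HOST2@REALM", stripped)),
        "super_delete": check_acl(per_user, DELETE, admin),
    }
```

Calling walkthrough() shows the stored ACL already holding sasl:user/HOST1@REALM where "auth" was written, which is the substitution the original question observed; a session from HOST2 cannot write under that ACL, while under the stripped configuration a sasl:user entry admits every user/HOSTn@REALM principal and nothing else, and the super id short-circuits the check entirely.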