zookeeper-user mailing list archives

From Arshad Mohammad <arshad.mohamma...@gmail.com>
Subject Re: Understanding the auth: scheme
Date Fri, 09 Sep 2016 14:34:14 GMT
1) "every one can read" and "only authenticated users can write"
No, it is not possible.
a) When you set an auth ACL, ACLs are set for the authorized users in the current
session, not for future authorized users. The auth scheme is replaced with the
authentication schemes of the authorized users.
b) For {world, anyone} ACLs permissions are not checked. {world, anyone}
cannot be limited to only read permission.

2) Give access to user in principal user/HOST1@REALM
This you can do, but not the way you are doing right now.
a) In all ZooKeeper servers configure the properties below to ignore the host
and realm part of the principal. These properties should be configured in
zoo.cfg:
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
b) Your permission should be ACL(ZooDefs.Perms.ALL, new Id("sasl", "user"))
instead of ACL(ZooDefs.Perms.ALL, new Id("sasl", "user/**@REALM"))

3) SASL Kerberos super user
zookeeper.superUser property works with sasl kerberos authentication scheme
as well.

- Arshad

On Fri, Sep 9, 2016 at 7:07 PM, Enrico Olivelli - Diennea <enrico.olivelli@diennea.com> wrote:

> Hi,
> I would like to set an ACL that lets every client read the content of a
> node and list its children, and forces every write (setData, create
> children...) to be done by any authenticated user.
> Something like "every one can read" and "only authenticated users can
> write".
> I'm using SASL/Kerberos and Zookeeper 3.4.8, with the Java Client API
>
> List<ACL> myACL = Arrays.<ACL>asList(
>         new ACL(ZooDefs.Perms.ALL, AUTH_IDS),
>         new ACL(ZooDefs.Perms.READ, ANYONE_ID_UNSAFE)
> );
>
> I'm trying to use the 'auth' scheme on setACL, but it is substituted by
> the client ID
>
> Another useful setup for me, with Kerberos, would be to give access to
> the nodes only to clients which have the same "user" in the principal.
> My principals look like
> user/HOST1@REALM
> user/HOST2@REALM
> user/HOST3@REALM
>
> My ACL would be ZooDefs.Perms.ALL to user/****@REALM
>
> Is it possible?
>
>
> Another secondary question
> I see that for digest auth you can set up a "super user"
> https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html
>
> I cannot get zookeeper.superUser system property to work with SASL/Kerberos
>
> Is it possible for SASL/Kerberos?
>
>
> Thank you
>
>
>
> --
> Enrico Olivelli
> Software Development Manager @Diennea
> Tel.: (+39) 0546 066100 - Int. 925
> Viale G.Marconi 30/14 - 48018 Faenza (RA)
>
> MagNews - E-mail Marketing Solutions
> http://www.magnews.it
> Diennea - Digital Marketing Solutions
> http://www.diennea.com
>
>
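The three points in Arshad's answer, modelled as an added Python example (this is not ZooKeeper's source): how the server reduces a principal such as user/HOST1@REALM to the sasl id "user" when both kerberos.remove*FromPrincipal properties are set, how setACL expands the auth scheme into the current session's ids only, and how zookeeper.superUser is honoured for the sasl scheme. Permission bits follow ZooDefs.Perms; the regex, function names and matching logic are a simplification of my own.

```python
# Added example (not ZooKeeper code): a simplified model of how a ZooKeeper server
# derives a session's sasl identity from a Kerberos principal and checks it against
# ACLs. Perm bits mirror ZooDefs.Perms; the regex, names and structure are mine.
import re
from collections import namedtuple

READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
Id = namedtuple("Id", "scheme id")      # like org.apache.zookeeper.data.Id
ACL = namedtuple("ACL", "perms id")     # like org.apache.zookeeper.data.ACL

def sasl_auth_id(principal, remove_host=False, remove_realm=False):
    """'primary[/instance][@REALM]' -> the sasl Id attached to the session.
    The flags model kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?(?:@(.+))?", principal)
    if not m:
        raise ValueError(f"malformed principal: {principal}")
    primary, instance, realm = m.groups()
    name = primary
    if instance and not remove_host:
        name += "/" + instance
    if realm and not remove_realm:
        name += "@" + realm
    return Id("sasl", name)

def fixup_acl(acls, session_ids):
    """setACL/create: 'auth' entries become the ids authenticated on THIS session only."""
    fixed = []
    for acl in acls:
        if acl.id.scheme == "auth":
            fixed.extend(ACL(acl.perms, sid) for sid in session_ids)
        else:
            fixed.append(acl)
    return fixed

def permitted(acls, perm, session_ids, super_user=None):
    """world:anyone matches any session; a sasl entry matches only the identical
    sasl id, or a session whose sasl id equals the zookeeper.superUser property."""
    for acl in acls:
        if not acl.perms & perm:
            continue
        if acl.id == Id("world", "anyone"):
            return True
        for sid in session_ids:
            if sid.scheme == acl.id.scheme == "sasl" and sid.id in (acl.id.id, super_user):
                return True
    return False
```

With both removal flags set, HOST1, HOST2 and HOST3 all collapse to the id "user" and the single entry `sasl:user` covers them; with the defaults, each host keeps its own id and `user/**@REALM` never matches.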
