Author: camille
Date: Wed Sep 25 16:18:03 2013
New Revision: 1526219
URL: http://svn.apache.org/r1526219
Log:
ZOOKEEPER-1759. Adding ability to allow READ operations for authenticated users,
versus keeping ACLs wide open for READ. (Yuliya Feldman via camille)
Modified:
zookeeper/trunk/CHANGES.txt
zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java
zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
Modified: zookeeper/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/zookeeper/trunk/CHANGES.txt?rev=1526219&r1=1526218&r2=1526219&view=diff
==============================================================================
--- zookeeper/trunk/CHANGES.txt (original)
+++ zookeeper/trunk/CHANGES.txt Wed Sep 25 16:18:03 2013
@@ -571,6 +571,9 @@ IMPROVEMENTS:
ZOOKEEPER-1750 Race condition producing NPE in NIOServerCnxn.toString
(Rakesh R via michim)
+
+ ZOOKEEPER-1759. Adding ability to allow READ operations for authenticated users,
+ versus keeping ACLs wide open for READ. (Yuliya Feldman via camille)
Release 3.4.0 -
Modified: zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java?rev=1526219&r1=1526218&r2=1526219&view=diff
==============================================================================
--- zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java
(original)
+++ zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SASLAuthenticationProvider.java
Wed Sep 25 16:18:03 2013
@@ -39,9 +39,18 @@ public class SASLAuthenticationProvider
public boolean matches(String id,String aclExpr) {
if (System.getProperty("zookeeper.superUser") != null) {
- return (id.equals(System.getProperty("zookeeper.superUser")) || id.equals(aclExpr));
+ if (id.equals(System.getProperty("zookeeper.superUser")) || id.equals(aclExpr))
{
+ return true;
+ }
}
- return (id.equals("super") || id.equals(aclExpr));
+ if ((id.equals("super") || id.equals(aclExpr))) {
+ return true;
+ }
+ String readAccessUser = System.getProperty("zookeeper.readUser");
+ if ( readAccessUser != null && aclExpr.equals(readAccessUser)) {
+ return true;
+ }
+ return false;
}
public boolean isAuthenticated() {
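Review bot: The new `zookeeper.readUser` branch in `matches` decides on the ACL id string alone, so it cannot restrict the effect to READ: every authenticated SASL principal now satisfies whatever permissions a znode's ACL assigns to that id, since the permission bits are presumably checked by the caller rather than in this method. The property name implies read-only semantics the code does not enforce, so the method should document that; a Javadoc on `matches` stating that `zookeeper.readUser` names an ACL id matched by every authenticated SASL client, and that the effective rights are whatever the znode's ACL grants that id (READ only if the ACL is written that way), would make the operator-facing contract explicit. Separately, `System.getProperty("zookeeper.superUser")` is read twice; hoisting it into a local like the `readAccessUser` line, and dropping the doubled parentheses in `if ((id.equals("super") || id.equals(aclExpr)))`, would make the three branches read uniformly. The enclosing class continues outside the hunk.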
Modified: zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
URL: http://svn.apache.org/viewvc/zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java?rev=1526219&r1=1526218&r2=1526219&view=diff
==============================================================================
--- zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
(original)
+++ zookeeper/trunk/src/java/test/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
Wed Sep 25 16:18:03 2013
@@ -21,12 +21,17 @@ package org.apache.zookeeper.test;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.client.ZooKeeperSaslClient;
+import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
import org.junit.Assert;
import org.junit.Test;
@@ -100,5 +105,54 @@ public class SaslAuthDesignatedClientTes
}
}
-
+ @Test
+ public void testReadAccessUser() throws Exception {
+ System.setProperty("zookeeper.readUser","anyone");
+ ZooKeeper zk = createClient();
+ List<ACL> aclList = new ArrayList<ACL>();
+ ACL acl = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, new Id("sasl",
"fakeuser"));
+ ACL acl1 = new ACL(Perms.READ, new Id("sasl", "anyone"));
+ aclList.add(acl);
+ aclList.add(acl1);
+ try {
+ zk.create("/abc", "testData".getBytes(), aclList, CreateMode.PERSISTENT);
+ } catch (KeeperException e) {
+ Assert.fail("Unable to create znode");
+ }
+ zk.close();
+ Thread.sleep(100);
+
+ // try to access it with different user (myuser)
+ zk = createClient();
+
+ try {
+ zk.setData("/abc", "testData1".getBytes(), -1);
+ Assert.fail("Should not be able to set data");
+ } catch (KeeperException.NoAuthException e) {
+ // success
+ }
+
+ try {
+ byte [] bytedata = zk.getData("/abc", null, null);
+ String data = new String(bytedata);
+ Assert.assertTrue("testData".equals(data));
+ } catch (KeeperException e) {
+ Assert.fail("failed to get data");
+ }
+
+ zk.close();
+ Thread.sleep(100);
+
+ // disable Client Sasl
+ System.setProperty(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY, "false");
+
+ zk = createClient();
+ try {
+ zk.getData("/abc", null, null);
+ Assert.fail("Should not be able to read data when not authenticated");
+ } catch (KeeperException.NoAuthException e) {
+ // success
+ }
+ zk.close();
+ }
}
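Review bot: `testReadAccessUser` sets `zookeeper.readUser` and `ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY` as JVM-wide system properties and never restores them, so any test that runs later in the same JVM inherits an unauthenticated client and the wildcard read id, which could mask an authorization regression elsewhere. Wrap the body in `try { … } finally { System.clearProperty("zookeeper.readUser"); System.clearProperty(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY); }`, or restore the previous values if the class's setup depends on them. The `"testData".getBytes()` and `new String(bytedata)` calls also rely on the platform charset; passing an explicit charset keeps the `"testData".equals(data)` comparison portable. The hunk ends with the class's closing brace, so the method is fully visible here.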