From: hanm@apache.org
To: commits@zookeeper.apache.org
Message-Id: <61bf1f4c724f46a39c697fdf20d693b4@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: zookeeper git commit: ZOOKEEPER-2709: Clarify documentation around the "auth" ACL scheme
Date: Thu, 9 Mar 2017 01:48:56 +0000 (UTC)

Repository: zookeeper
Updated Branches:
  refs/heads/branch-3.5 b2d66fa3d -> 4a3ef8b65

ZOOKEEPER-2709: Clarify documentation around the "auth" ACL scheme

Not sure if I should include the modified files from the result of `ant docs`. Happy to do so if expected :)

Author: Josh Elser
Reviewers: Abraham Fine, Michael Han

Closes #182 from joshelser/ZOOKEEPER-2709 and squashes the following commits:

4d7b712 [Josh Elser] ZOOKEEPER-2709 Correct usage of "id" and "expression"
057cb18 [Josh Elser] ZOOKEEPER-2709 Clarify documentation around the "auth" ACL scheme

(cherry picked from commit cf4f119516ca3d232fe077477c7a91b2e5825de2)
Signed-off-by: Michael Han

Project: http://git-wip-us.apache.org/repos/asf/zookeeper/repo
Commit: http://git-wip-us.apache.org/repos/asf/zookeeper/commit/4a3ef8b6
Tree: http://git-wip-us.apache.org/repos/asf/zookeeper/tree/4a3ef8b6
Diff: http://git-wip-us.apache.org/repos/asf/zookeeper/diff/4a3ef8b6

Branch: refs/heads/branch-3.5
Commit: 4a3ef8b65e4b93667db4860e856a54a7372b403e
Parents: b2d66fa
Author: Josh Elser
Authored: Wed Mar 8 17:48:41 2017 -0800
Committer: Michael Han
Committed: Wed Mar 8 17:48:51 2017 -0800

----------------------------------------------------------------------
 .../content/xdocs/zookeeperProgrammers.xml | 26 ++++++++++++++------
 1 file changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/zookeeper/blob/4a3ef8b6/src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml
----------------------------------------------------------------------
diff --git a/src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml b/src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml index b4477bf..8710362 100644 --- a/src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml +++ b/src/docs/src/documentation/content/xdocs/zookeeperProgrammers.xml @@ -820,11 +820,14 @@ recursive. ZooKeeper supports pluggable authentication schemes. Ids are - specified using the form scheme:id, - where scheme is a the authentication scheme - that the id corresponds to. For - example, ip:172.16.16.1 is an id for a - host with the address 172.16.16.1. + specified using the form scheme:expression, + where scheme is the authentication scheme + that the id corresponds to. The set of valid expressions are defined + by the scheme. For example, ip:172.16.16.1 is + an id for a host with the address 172.16.16.1 + using the ip scheme, whereas digest:bob:password + is an id for the user with the name of bob using + the digest scheme. When a client connects to ZooKeeper and authenticates itself, ZooKeeper associates all the ids that correspond to a @@ -888,9 +891,16 @@ single id, anyone, that represents anyone. - auth doesn't - use any id, represents any authenticated - user. + auth is a special + scheme which ignores any provided expression and instead uses the current user, + credentials, and scheme. Any expression (whether user like with SASL + authentication or user:password like with DIGEST authentication) provided is ignored + by the ZooKeeper server when persisting the ACL. However, the expression must still be + provided in the ACL because the ACL must match the form scheme:expression:perms. + This scheme is provided as a convenience as it is a common use-case for + a user to create a znode and then restrict access to that znode to only that user. + If there is no authenticated user, setting an ACL with the auth scheme will fail. + digest uses a username:password string to generate
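Review bot: in the first hunk (@@ -820,11 +820,14 @@), the new example "digest:bob:password" shows a cleartext password as part of an id, while the unchanged digest entry at the end of this patch describes the username:password string as an input used to generate a value. A reader who copies the example could end up writing a literal password into an ACL. Suggest saying that this is the form supplied when authenticating, or marking the password part as a placeholder, so the example cannot be read as the stored ACL id. In the same hunk, "The set of valid expressions are defined by the scheme" should read "is defined".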
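Review bot: in the second hunk (@@ -888,9 +891,16 @@), "uses the current user, credentials, and scheme" does not say what is persisted when a connection holds more than one authenticated id, although the context in the first hunk states that ZooKeeper associates all the ids that correspond to a client. Because the stated purpose is to restrict a znode "to only that user", the text should spell out whether the stored ACL covers every id associated with the connection or only one of them. The last added sentence ("setting an ACL with the auth scheme will fail") would also be more useful if it said how that failure is reported to the caller, and a concrete scheme:expression:perms example for auth would show what to put in the ignored expression.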