  1. ZooKeeper
  2. ZOOKEEPER-1525 Plumb ZooKeeperServer object into auth plugins
  3. ZOOKEEPER-2143

Pass the operation and path to the AuthenticationProvider

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Implemented

    Description

      Currently, the AuthenticationProvider only gets passed the id of the client and the acl expression. If one wishes to perform auth checks based on the action or path being acted on, that needs to be included in the acl expression. This results in lots of potentially individual acls being created, which led us to find ZOOKEEPER-2141. It would be great if both the action and path were passed to the AuthenticationProvider.

      I understand that this needs to be completely backwards compatible. One solution that comes to mind is to create an interface which extends AuthenticationProvider but adds a new matches which takes the additional parameters. Internally, ZK would use the new interface everywhere. To preserve compatibility, ProviderRegistry could check for classes implementing the original AuthenticationProvider interface and wrap them to allow the new interface to be used everywhere internally. Any thoughts on this approach? Happy to provide a patch to demonstrate what I mean.
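
The wrapping approach described in the issue, sketched as an added example; it is not ZooKeeper's code or the reporter's patch. All type names here are hypothetical, `LegacyProvider` is a simplified stand-in that keeps only the `matches(id, aclExpr)` call, and the operation codes and paths are constructed for the demo.

```java
import java.util.Objects;

public class AuthProviderCompatDemo {
    // Simplified stand-in for the existing plugin interface (id + ACL expression only).
    interface LegacyProvider {
        boolean matches(String id, String aclExpr);
    }
    // Hypothetical extended interface: the same check plus path and operation.
    interface PathAwareProvider extends LegacyProvider {
        boolean matches(String id, String aclExpr, String path, int perm);
    }
    // Wrapper for old plugins: the extra arguments are ignored, behaviour is unchanged.
    static final class LegacyAdapter implements PathAwareProvider {
        private final LegacyProvider delegate;
        LegacyAdapter(LegacyProvider d) { delegate = Objects.requireNonNull(d); }
        public boolean matches(String id, String aclExpr) { return delegate.matches(id, aclExpr); }
        public boolean matches(String id, String aclExpr, String path, int perm) {
            return delegate.matches(id, aclExpr);
        }
    }
    // What a registry could do at load time so callers only ever see the new interface.
    static PathAwareProvider wrap(LegacyProvider p) {
        return (p instanceof PathAwareProvider) ? (PathAwareProvider) p : new LegacyAdapter(p);
    }

    static final int READ = 1, WRITE = 2; // constructed operation codes for this demo

    // New-style plugin: one ACL expression, decision depends on path and operation.
    static final class OwnSubtreeProvider implements PathAwareProvider {
        public boolean matches(String id, String aclExpr) { return false; } // no context: fail closed
        public boolean matches(String id, String aclExpr, String path, int perm) {
            if (!id.equals(aclExpr)) return false;
            String root = "/apps/" + id;
            // Compare on a path-segment boundary so "/apps/alice2" is not alice's subtree.
            boolean own = path.equals(root) || path.startsWith(root + "/");
            return perm == READ || own;
        }
    }

    public static void main(String[] args) {
        PathAwareProvider legacy = wrap((id, acl) -> id.equals(acl)); // old plugin, wrapped
        PathAwareProvider scoped = wrap(new OwnSubtreeProvider());    // new plugin, used as-is
        System.out.println(legacy.matches("alice", "alice", "/apps/bob", WRITE));
        System.out.println(scoped.matches("alice", "alice", "/apps/alice/cfg", WRITE));
        System.out.println(scoped.matches("alice", "alice", "/apps/alice2", WRITE));
        System.out.println(scoped.matches("alice", "alice", "/apps/bob", READ));
    }
}
```

A wrapped legacy plugin still grants access regardless of path, so path-based restrictions only take effect once a plugin implements the extended method itself.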

          People

            Unassigned Unassigned
            karold Karol Dudzinski